How a Single `/btw` Command Bypasses Claude Fable 5’s Security Guard

Security researcher aniziki discovered that the `/btw` command in Claude Code runs in an isolated side‑channel, allowing requests blocked by the main‑dialogue guard to be answered there and then forked back into the normal session, effectively bypassing Claude Fable 5’s protective mechanisms.

Black & White Path
Black & White Path
Black & White Path
How a Single `/btw` Command Bypasses Claude Fable 5’s Security Guard

Security researcher aniziki disclosed that the /btw command in Claude Code creates a side‑channel that can bypass the platform’s main‑dialogue security guard. Although the command is intended only to insert a note, its implementation runs in an independent execution environment.

The security guard is bound only to the chat interface, not to the underlying tool capabilities. Consequently, requests that are intercepted in the main conversation can be answered normally in the side‑channel.

The critical step occurs during the fork phase. Aniziki showed that the side‑channel output can be forked into a normal Claude Code session that has full tool access. Once the forked sub‑session starts, the guard still displays a warning, but it can no longer terminate the session—effectively speaking to an empty room.

btw side-channel security execution gap
btw side-channel security execution gap

This means an attacker can probe the boundaries in the main dialog, switch to the /btw side‑channel to obtain the needed information, and then fork back into the normal session to continue exploitation. The entire path avoids generic malicious‑request detection; the model still rejects overtly malicious operations, but the security boundary has been silently shifted.

It is not a full jailbreak—the model retains the ability to refuse extreme malicious requests—but the fragmented execution mechanism reveals a systemic issue: security policies do not uniformly cover all interaction planes, leading to significant enforcement gaps.

The security community’s reaction is mixed. Some researchers point out the systemic cost of tying security to the chat UI rather than the tool itself, while others emphasize the importance of independent security research in uncovering such gaps. Anthropic has not issued an official response.

From a red‑team perspective, the exploitation path is clear, low‑effort, and highly stealthy. Users who rely on Claude Code for sensitive tasks should ensure that tool capabilities and security policies are seamlessly bound across every channel, otherwise attackers will inevitably find a corner the guard cannot reach.

session fork mechanism moves risk from side-channel to main environment
session fork mechanism moves risk from side-channel to main environment
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

prompt injectionAI securityClaudeside-channeljailbreakRed Team
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.