How a Single `/btw` Command Bypasses Claude Fable 5’s Security Guard
Security researcher aniziki discovered that the `/btw` command in Claude Code runs in an isolated side‑channel, allowing requests blocked by the main‑dialogue guard to be answered there and then forked back into the normal session, effectively bypassing Claude Fable 5’s protective mechanisms.
Security researcher aniziki disclosed that the /btw command in Claude Code creates a side‑channel that can bypass the platform’s main‑dialogue security guard. Although the command is intended only to insert a note, its implementation runs in an independent execution environment.
The security guard is bound only to the chat interface, not to the underlying tool capabilities. Consequently, requests that are intercepted in the main conversation can be answered normally in the side‑channel.
The critical step occurs during the fork phase. Aniziki showed that the side‑channel output can be forked into a normal Claude Code session that has full tool access. Once the forked sub‑session starts, the guard still displays a warning, but it can no longer terminate the session—effectively speaking to an empty room.
This means an attacker can probe the boundaries in the main dialog, switch to the /btw side‑channel to obtain the needed information, and then fork back into the normal session to continue exploitation. The entire path avoids generic malicious‑request detection; the model still rejects overtly malicious operations, but the security boundary has been silently shifted.
It is not a full jailbreak—the model retains the ability to refuse extreme malicious requests—but the fragmented execution mechanism reveals a systemic issue: security policies do not uniformly cover all interaction planes, leading to significant enforcement gaps.
The security community’s reaction is mixed. Some researchers point out the systemic cost of tying security to the chat UI rather than the tool itself, while others emphasize the importance of independent security research in uncovering such gaps. Anthropic has not issued an official response.
From a red‑team perspective, the exploitation path is clear, low‑effort, and highly stealthy. Users who rely on Claude Code for sensitive tasks should ensure that tool capabilities and security policies are seamlessly bound across every channel, otherwise attackers will inevitably find a corner the guard cannot reach.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
