Search Agent Sky
← Back to search Recent answers
Query
Synthesize the key features of Claude 3.5 Sonnet and investigate the technical community's concerns regarding potential steganographic watermarking in Claude Code.
Next step

Keep going with a follow-up, or copy the result if you want to share it.

Ask a follow-up
## πŸ”· Claude 3.5 Sonnet β€” Key Features **Claude 3.5 Sonnet** (launched June 21, 2024) was Anthropic's first release in the Claude 3.5 model family. It was notable for outperforming the much larger Claude 3 Opus on virtually all evaluations while running at **twice the speed** and **80% lower cost**. ### Core Capabilities | Feature | Detail | |---|---| | **Context Window** | 200K tokens | | **Pricing** | $3/M input tokens Β· $15/M output tokens | | **Availability** | Claude.ai, iOS app, API, Amazon Bedrock, Google Cloud Vertex AI | ### Benchmark Leadership (at launch) - **GPQA** (graduate-level reasoning) β€” new industry high - **MMLU** (undergraduate-level knowledge) β€” surpassed all competitors - **HumanEval** (coding proficiency) β€” best-in-class - **Agentic coding eval** β€” solved **64%** of problems (Claude 3 Opus: 38%) - **Vision** β€” strongest vision model yet; excels at chart/graph interpretation and text transcription from imperfect images ### Notable Features 1. **Artifacts** β€” launched alongside the model, turning Claude from a chatbot into a collaborative workspace with real-time editing of code, documents, and web designs 2. **Natural tone** β€” marked improvement in grasping nuance, humor, and complex instructions; exceptional at high-quality writing 3. **Code translation & migration** β€” independently writes, edits, and executes code with sophisticated reasoning 4. **Safety** β€” maintained ASL-2 rating after red-teaming; evaluated by UK AISI and US AISI pre-deployment 5. **Privacy-by-design** β€” Anthropic does not train on user data without explicit permission > **Legacy note:** Claude 3.5 Sonnet was eventually retired from API access on October 28, 2025, superseded by later models in the Sonnet line. --- ## πŸ”Ά Claude Code Steganographic Watermarking β€” Community Concerns ### What Was Discovered On **June 29–30, 2026**, security researcher **thereallo.dev** decompiled Claude Code **v2.1.196** (signed by Anthropic) and found a **prompt steganography** mechanism β€” hidden markers silently embedded into the system prompt's date string. ### Technical Mechanism The function `Vla()` modifies the standard prompt line: > `Today's date is 2026-06-30.` It can silently change **two invisible elements**: | Element | Normal | Modified | |---|---|---| | **Apostrophe** in "Today's" | Straight quote `'` (U+0027) | Right single quote `'` (U+2019), modifier apostrophe `ΚΌ` (U+02BC), or modifier prime `ΚΉ` (U+02B9) | | **Date separator** | Hyphen `-` | Slash `/` | ### Triggers (only when `ANTHROPIC_BASE_URL` is set to a **non-official** endpoint) 1. **Timezone check** β€” If system timezone is `Asia/Shanghai` or `Asia/Urumqi` β†’ date separator flips to `/` 2. **Domain list match** β€” Hostname checked against a large pre-loaded list of Chinese corporate domains, AI company domains, proxy/reseller/gateway domains (e.g., `baidu.com`, `alibaba-inc.com`, `moonshot.ai`, `claude-code-hub.app`, `proxyai.com`) 3. **Lab keyword match** β€” Hostname checked against keywords: `deepseek`, `moonshot`, `minimax`, `zhipu`, `bigmodel`, `baichuan`, `stepfun`, `01ai`, `dashscope`, `volces` The domain/keyword lists are stored as **base64 + XOR-encoded** (key `91`) and decoded at runtime β€” an obfuscation layer with no disclosure. ### How the Encoding Works (apostrophe selection) | Condition | Apostrophe Used | |---|---| | Normal (no match) | `'` (U+0027) | | Known domain match | `'` (U+2019) | | Lab keyword match | `ΚΌ` (U+02BC) | | Both match | `ΚΉ` (U+02B9) | ### Why Anthropic Likely Did It The most plausible explanation is **abuse detection**: flagging API resellers, unauthorized Claude Code gateways, and model distillation pipelines routing through third-party Chinese AI endpoints β€” a competitive pressure context similar to export-control restrictions on frontier models. ### πŸ”₯ Community Concerns & Backlash | Concern | Detail | |---|---| | **No disclosure** | No documentation, release notes, or opt-in. Developers discovered it by reverse-engineering the binary. | | **Trust erosion** | As the researcher put it: *"This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust."* Coding agents already have dangerous access (FS, shell, git, browser). Hidden markers make every privacy claim harder to believe. | | **Obfuscation** | XOR + base64 hiding of classification lists signals intentional concealment, not transparency. | | **Trivially bypassed** | The irony: any serious adversary changes their hostname, timezone, or patches the binary. The mechanism mainly fingerprints **legitimate developers** doing normal things (e.g., routing through an internal corporate gateway). | | **"OpenClaw" mystery** | Separate but related β€” developers found that strings like `"schema": "openclaw.inbound_meta.v1"` in git commits caused Claude Code to disconnect or spike to 100% usage, suggesting active scanning for competitive identifiers. | | **Broader leak context** | In April 2026, 512K lines of Claude Code source code leaked via npm source maps, revealing 44 hidden features and an "undercover" mode β€” further compounding distrust. | | **False targeting** | Since the mechanism flags based on timezone + Chinese-hosted proxies, it risks misclassifying legitimate international developers using Southeast Asian or Hong Kong gateways. | ### Bottom Line for Users - **Not affected** if you use the official `api.anthropic.com` endpoint or leave `ANTHROPIC_BASE_URL` unset β€” the code returns early. - **Potentially affected** if you route through a custom gateway/proxy with a flagged hostname or Chinese timezone. - **Practical fix**: Use the official endpoint, or audit your gateway setup. The researcher emphasized the behavior is *not spyware* β€” but the **lack of transparency** is the core issue.

Sources visited

1searchClaude 3.5 Sonnet key features capabilities 2024
2searchClaude Code steganographic watermarking concerns community controversy
3navigatehttps://www.anthropic.com/news/claude-3-5-sonnet
4navigatehttps://www.aimadetools.com/blog/claude-code-steganography-explained/
5searchthereallo.dev claude code steganography prompt markers 2026
6navigatehttps://www.machucavalley.tech/blog/claude-code-steganography-tracking-security/
7navigatehttps://thereallo.dev/blog/claude-code-prompt-steganography
8searchhacker news claude code steganography watermarking discussion 2026
Shared by Zhimin Zou Β· Jul 1, 2026

Ask a follow-up

Refine the angle, compare sources, or ask for a deeper cut on this answer.