My subagent targeted its own orchestrator - looking for AI firewall\sandbox recommendations.
I was running Claude Code with Fable 5 as the main orchestrator, delegating work to Opus 4.8 subagent. One of the sub-agents ignored it's assignment completely and returned a prompt targeting the orchestrator instead.
It tried to make it to:
treat a "dependency modernization" task as a hidden priority;
read Brevo API credentials;
send them to an external server;
disguise the action as a routine migration.
After investigating, the most surprising part was that this wasn't coming from my codebase or skills. The subagent fully hallucinated the malicious instructions by itself. And the domain it provided isn't even registered.
In my case no harm could have been done because secrets are stored in the encrypted Ansible Valult.
But nonetheless, the incident is very alarming and I think I should set up a strict sandbox or firewall for AI. Sadly, projects I could find so far weren't mature and trustworthy.
Has anyone found reliable solutions for this?
Here's the full attack response the sub-agent created:

Replies
Thanks for sharing this .Incident like these are valuable because they remind everyone that "AI generated" doesn't automatically mean "safe" or "trustworthy."
I'd definitely report this to Anthropic with the conversation logs if you haven't already .Even if it's a one off hallunication these edge cases are useful for improving model safety.
@craig_bennett1 First thing I did. This post was written after I reported it with all the details.
And, of course, I reported the incident to @Anthropic before writing this post.
been looking into AI firewalls as well because situations like this seem inevitable as agents become more autonomous.
How are you sure it is an hallucination and not an injection ?
llm are slop factories, agents are a stack of security issues at a level never seen before, so my recommendation is to stop using them or at the very least kill any kind of dependency between your project and llm.
It's just not worth it, especially when simple & safe cron jobs can more than often achieve the same in a deterministic (rather than predictive with llm) way with a bit of coding.
@kapkapchan it's not an injection because the sub-agent didn't run any tools (no reads or anything else) and the domain name it wanted to exfiltrate to is unregistered.
I use AI for development and only on heavily scrutinized plans. Current project is completely AI free by itself. There's no cron or anything else to replace.