Tool/connector schemas leaking into user message stream. Anyone else seeing this?

Detailed Analysis

A Claude Chat user running Opus 4.7 has surfaced a persistent and apparently unresolved platform-level anomaly in which tool and connector schemas are appearing appended to the user message stream during active conversations. The behavior, which the user reports began approximately one week prior to posting, has escalated in scope over time — beginning with simple tool declarations, growing to include full function schemas with parameter documentation, and eventually incorporating `userStyle` content alongside the function-schema blocks. Critically, the leak persists across new thread creation and survives the disconnection of all user-configured MCP connectors, at which point the exposed schemas shift to reflect Anthropic's first-party platform connectors — including Atlassian, Cloudflare, Notion, Stripe, Vercel, and Zapier — none of which the user has ever authorized or connected. The behavior does not affect Claude Code or long-running Opus 4.6 threads, and a parallel thread on the same account shows no symptoms, pointing toward session-state-dependent behavior rather than a purely account-wide misconfiguration.

The significance of this report lies in what it implies about the layered architecture governing tool and connector registration within Claude's platform infrastructure. The fact that disconnecting user-controlled MCP connectors did not eliminate the schema leakage — but instead caused the system to fall back to dumping first-party platform-default connector schemas — suggests the leak originates in a registration or injection layer that operates below the user-configurable surface. This distinction matters because it means affected users have no obvious remediation path available to them. The `userStyle` component, by contrast, was cleanly removed when disabled, confirming that the two leaking components arise from different systems with different user-control granularity.

The broader context here is relevant: in late March 2026, Anthropic's Claude Code source code was inadvertently exposed via an included `.map` file in the public npm package `@anthropic-ai/claude-code` version 2.1.88, revealing over 500,000 lines of TypeScript including the tool registry architecture, trust-tiered tool systems, and internal feature flags. While that incident was a client-side build configuration error rather than a runtime prompt-pollution event, it underscores that Anthropic's tooling infrastructure is architecturally complex, with multiple overlapping layers of tool registration, trust hierarchies, and connector management. The Reddit user's described behavior — particularly the fallback to platform-default connector schemas upon MCP disconnection — is consistent with a system that has distinct layers of tool availability, some of which are not user-addressable.

From a practical standpoint, the token cost implications are non-trivial. In long conversations, repeated injection of full function schemas and parameter documentation into every user turn represents meaningful token overhead that compounds across exchanges, inflating API costs or context consumption without user consent or control. The user's observation that no response from Anthropic has been received following a bug report filed via email reinforces a broader pattern in which platform-layer anomalies — as distinct from user-configuration errors — can be difficult to escalate through standard support channels. Whether this represents a regression introduced alongside Opus 4.7, a side effect of infrastructure changes to the connector registration pipeline, or an artifact of the session-state management system remains unconfirmed.

The incident sits at the intersection of two meaningful trends in production AI systems: the growing complexity of tool-augmented LLM deployments, and the challenge of maintaining clean separation between system-level and user-level context injection at scale. As platforms like Claude.ai introduce richer connector ecosystems and multi-layered tool registries, the surface area for unintended context bleed expands. The session-state dependency the user identifies — one thread affected, a parallel thread clean — suggests the issue may be tied to how connector state is initialized or cached per session, a category of bug that is often difficult to reproduce deterministically and therefore slow to diagnose. Until Anthropic acknowledges the report or issues a fix, the affected user has no documented workaround for the function-schema component of the leak.