Tool/connector schemas leaking into user message stream. Anyone else seeing this?

Detailed Analysis

A Claude Chat user running Opus 4.7 has documented a reproducible and escalating anomaly in which tool registration schemas — including full function signatures and parameter documentation — are appearing appended to every outbound user message within certain conversation threads. The behavior, reported to have begun approximately one week prior to the post, progressed in stages: initial tool declarations gave way to complete function schemas, which then began co-appearing alongside `userStyle` content. Critically, the user confirmed that disconnecting all manually configured MCP connectors did not eliminate the leak; instead, the schemas shifted to representing Anthropic's own first-party platform connectors — including Atlassian, Cloudflare, Notion, Stripe, Vercel, and Zapier — services the user reports having never configured or used. The issue is isolated to specific sessions rather than being uniformly account-wide, suggesting session-state dependency in the platform's tool registration layer.

The significance of this incident extends beyond mere inconvenience. Because the leaked schemas are appearing inside the user message stream rather than in a designated system prompt or tool-registration layer, they are consuming prompt tokens on every exchange — a non-trivial cost accumulation over long conversations. More substantively, the fact that the leak persists after connector disconnection, and surfaces schemas for platform-default connectors the user never provisioned, implies a failure at the infrastructure level of Claude.ai's tool orchestration architecture rather than at any user-configurable layer. This distinction matters: it places the fault outside the user's ability to remediate independently, and it raises questions about how Anthropic's backend manages tool context propagation across session boundaries and account states.

The research context adds an important technical dimension. Anthropic's own engineering, as revealed in analysis of Claude Code's architecture, includes deliberate permission-wrapping mechanisms — specifically, an intercepted `canUseTool()` call layer in the QueryEngine — designed to control tool access and prevent unintended information leakage. There is also a documented "fake tools" anti-distillation mechanism built into Claude Code's prompt infrastructure. The apparent irony is that Anthropic has invested meaningfully in schema-level access control at the code execution layer, while a separate and possibly more consumer-facing surface — Claude Chat's connector registration system — appears to be exhibiting precisely the kind of schema leakage those controls were designed to prevent elsewhere in the stack.

This episode connects to a broader and accelerating challenge in the deployment of tool-augmented large language models: as Model Context Protocol integrations and platform-native connectors proliferate, the attack surface and failure surface of tool registration systems grows substantially. The MCP ecosystem, which Anthropic has actively promoted as a standard for connecting AI systems to external services, introduces complex state management requirements across sessions, accounts, and connector lifecycles. When that state management fails — as the reported behavior suggests — the consequences are not purely aesthetic. Schema leakage can expose platform topology, reveal available integrations a user may not have known existed, and create ambiguity in model behavior if injected schemas alter the model's understanding of its available capabilities mid-conversation.

Anthropic's lack of response to the user's bug report, combined with the absence of any documented community acknowledgment of the issue, suggests the problem may be either narrowly scoped to specific account or session configurations or in a triage queue that has not yet surfaced publicly. The user's observation that the bug does not affect Claude Code or legacy Opus 4.6 threads narrows the surface to the newer chat interface and model version, which could indicate a regression introduced during a recent platform update. Whether this represents an isolated edge case or a symptom of deeper architectural fragility in Claude.ai's connector orchestration layer remains an open question — one with meaningful implications for trust, cost, and reliability as Anthropic continues scaling its tool-augmented product surface.