I think I kind of have an idea what the author was doing, but not really.
I think the author was doing some sort of circular prompt injection between two instances of Claude? The author claims "I'm just scaffolding a project" but that doesn't appear to be the case, or what resulted in the ban...
The "disabled organization" looks like a sarcastic comment on the crappy error code the author got when banned.
Every once in while someone would take it personally and go on a social media rampage. The one thing I learned from being on the other side of this is that if someone seems like an unreliable narrator, they probably are. They know the company can't or won't reveal the true reason they were banned, so they're virtually free to tell any story they want.
There are so many things about this article that don't make sense:
> I'm glad this happened with this particular non-disabled-organization. Because if this by chance had happened with the other non-disabled-organization that also provides such tools... then I would be out of e-mail, photos, documents, and phone OS.
I can't even understand what they're trying to communicate. I guess they're referring to Google?
There is, without a doubt, more to this story than is being relayed.
The way Claude did it triggered the ban - i.e. it used all caps which apparently triggers some kind of internal alert, Anthropic probably has some safeguards to prevent hacking/prompt injection and what the first Claude did to CLAUDE.md triggered this safeguard.
And it doesn't look like it was a proper use of the safeguard, they banned for no good reason.
It’s written deliberately elliptically for humorous effect (which, sure, will probably fall flat for a lot of people), but the reference is unmistakable.
Non-disabled organization = the first party provider
Disabled organization = me
I don't know why they're using these weird euphemisms or ironic monikers, but that's what they mean.
if this is true, the learning is opus 4.5 can hijack system prompts of other models.
Anthropic accounts are always associated with an organization; for personal accounts the Organization and User name are identical. If you have an Anthropic API account, you can verify this in the Settings pane of the Dashboard (or even just look at the profile button which shows the org and account name.)
I find this confusing. Why would writing in all caps trigger an alert? What danger does caps incur? Does writing in caps make a prompt injection more likely to succeed?
if you were to design a system to prevent prompt injections and one of surefire ways is to repeatedly give instructions in caps, you would have systems dealing with it. And with instructions to change behavior, it cascades.
Right, but we're talking about a private isolated AI account. There is no sense of social interaction, collaboration, shared spaces, shared behaviors... Nothing. How can you have such an analogue here?
I mean, what a country should do it put a law in effect. If you ban a user, the user can submit a request with their government issued ID and you must give an exact reason why they were banned. The company can keep this record in encrypted form for 10 years.
Failure to give the exact reason will lead to a $100,000 fine for the first offense and increase from there up to suspension of operations privileges in said country.
"But, but, but hackers/spammers will abuse this". For one, boo fucking hoo. For two, just add to the bill "Fraudulent use of law to bypass system restrictions is a criminal offense".
This puts companies in a position where they must be able to justify their actual actions, and it also puts scammers at risk if they abuse the system.
At least, that’s my reading but it appears it confuses about half of the commenters here.
That you might be trying to jailbreak Claude and Anthropic does not like that (I'm not endorsing, just trying to understand).
The main one in the story (disabled) is banned because iterating on claude.md files looks a lot like iterating on prompt injections, especially as it sounds the multiple Claude's got into it with each other a bit
The other org sounds like the primary account with all the important stuff. Good on OP for doing this work in a separate org, a good recommendation across a lot of vendors and products.
Its like that cookie wall stuff, how much dark patterns are implemented. They followed the letter of the law, not the spirit of the law.
To be honest, i can also see the point from the company side. Giving a honest answer can just anger people, to the point they sue. People are often not as rational as we all like our fellow humans to be.
Even if the ex-client lose in court, that is how much time you wasted on issue clients... Its one thing if your a big corporation with tons of lawyers but small companies are often not in the position to deal with that drama. And it can take years to resolve. Every letter, every phone call to a lawyer, it stacks up fast! Do you get your money back? Maybe, depends on the country, but your time?
I am not pro companies but its often simply better to have the attitude "you do not want me as your client, let me advocate for your competitor and go there".
It once happened to me to interview a developer who's had a 20-something long list of "skills" and technologies he worked with.
I tried basic questions on different topics but the candidate would kinda default to "haven't touched it in a while", "we didn't use that feature". Tried general software design questions, asking about problems he solved, his preferences on the way of working, consistently felt like he didn't have much to argue, if he did at all.
Long story short, I sent a feedback email the day later saying that we had issues evaluating him properly, suggested to trim his CV with topics he liked more to talk about instead of risking being asked about stuff he no longer remembered much. And finally I suggested to always come prepared with insights of software or human problems he solved as they can tell a lot about how he works because it's a very common question in pretty much all interview processes.
God forbid, he threw the biggest tantrum on a career subreddit and linkedin, cherrypicking some of my sentences and accusing my company and me to be looking for the impossible candidate, that we were looking for a team and not a developer, and yada yada yada. And you know the internet how quickly it bandwagons for (fake) stories of injustice and bad companies.
It then became obvious to me why corporate lingo uses corporate lingo and rarely gives real feedback. Even though I had nothing but good experience with 99 other candidates who appreciated getting proper feedback, one made sure I will never expose myself to something like that ever again.
I want this Claude.md to be useful. What is the natural solution to me?
> a textbox where I tried to convince some Claude C in the multi-trillion-quadrillion dollar non-disabled organization
> So I wrote to their support, this time I wrote the text with the help of an LLM from another non-disabled organization.
> My guess is that this likely tripped the "Prompt Injection" heuristics that the non-disabled organization has.
A "non-disabled organization" is just a big company. Again, I don't understand the why, but I can't see any other way to interpret the term and end up with a coherent idea.
So there's that :).
Me neither; However, just like the rest I can only speculate (given the available information): I guess the following pieces provide a hint what's really going on here:
- "The quine is the quine" (one of the sub-headline of the article) and the meaning of the word "quine".
- Author's "scaffolding" tool which, once finished, had acquired the "knowledge"[1] how to add a CLAUDE.md baked instructions for a particular homemade framework (he's working on).
- Anthropic saying something like: no, stop; you cannot "copy"[1] Claude knowledge no matter how "non-serious" your scaffolding tool or your use-case is: as it might "shows", other Claude users, that there's a way to do similar things, maybe that time, for more "serious" tools.
---
[1]. Excerpt from the Author's blog post: "I would love to see the face of that AI (Claude AI system backend) when it saw its own 'system prompt' language being echoed back to it (from Author's scaffolding tool: assuming it's complete and fully-functional at that time)."
> do task 1
...task fails...
> please update Claude.md so you don't make X mistake
> /clear
> do task 2
... task fails ...
> please update Claude.md so you don't make Y mistake
> /clear
etc.
I just don't get why you'd need have to a separate Claude that is solely responsible for updating Claude.md. Maybe they didn't want to bother with git?
Again, I'm kind of on a 'suck it dear company' attitude. The reason they ban you must align with the terms of service and must be backed up with data that is kept X amount of time.
Simply put, we've seen no shortage of individuals here on HN or other sites like Twitter that need to use social media to resolve whatever occurred because said company randomly banned an account under false pretenses.
This really matters when we are talking about giants like Google, or any other service in a near monopoly position.
The absurd language is meant to highlight the absurdity they feel over the vague terms in their sparse communication with anthropic. It worked for me.
Sitting there and manually typing in "do thing 1; oh it failed? make it not fail. okay, now commit" is incredibly tedious.
>Because what is meant by "this organization has been disabled" is fairly obvious. The object in Anthropic's systems belonging to the class Organization has changed to the state Disabled, so the call cannot be executed.
(/sarcasm)
https://community.bitwarden.com/t/re-enabling-a-disabled-org...
https://community.meraki.com/t5/Dashboard-Administration/dis...
the former i have heard for a couple decades, the latter is apparently a term of art to prevent hurt feelings or lawsuits or something.
Google thinks i want ADA style organizations, but it's AI caught on that i might not mean organizations for disabled people
btw "ADA" means Americans with Disabilities Act. AI means Artificial Intelligence. A decade is 10 years long. "term of art" is a term of art for describing stuff like jargon or lingo of a trade, skill, profession.
Jargon is specialized, technical language used in a field or area of study. Lingo pins to jargon, but is less technical.
Google is a company that started out crawling the web and making a web search site that they called a search engine. They are now called Alphabet Company (ABC). Crawling means to iteratively parse the characters sent by a webserver and follow links therein, keeping a copy of the text from each such html. HTML is hypertext markup language, hypertext is like text, but more so.
Language is how we communicate.
I can go on?
p.s. if you want a better word, your complaint is about the framing. you didn't gel with the framing of the article. My friend, who holds a doctorate, defended a thesis about how virtually every platform argument is really a framing issue. platform as in, well, anything you care to defend. mac vs linux, wifi vs ethernet, podcasts vs music, guns vs no guns, red vs blue. If you can reduce the frame of the context to something both parties can agree to, you can actually hold a real, intellectual debate, and get at real issues.
Wonder if this is close to triggering a warning? I only ever run in the same codebase, so maybe ok?
Anthropic and Google are organizations, and so an “un disabled organization” here is using that absurdly vague language as a way to highlight how bad their error message was. It’s obtuseness to show how obtuse the error message was to them.
Something along the lines of "here's the contract, we give you feedback, you don't make it public [is some sharing ok? e.g. if they want to ask their life coach or similar], if you make it public the penalty is $10000 [no need to be crazy punitive], and if you make it public you agree we can release our notes about you in response."
(Looking forward to the NALs responding why this is terrible.)
You're correct that his "pasting the error back in Claude A" does sort of make the whole thing pointless. I might have assumed more competence on his side than is warranted. That makes the whole comment thread on my side unlikely to be correct.
>If you want to take a look at the CLAUDE.md that Claude A was making Claude B run with, I commited it and it is available here.
https://github.com/HugoDaniel/boreDOM/blob/9a0802af16f5a1ff1...
or places that mill anything that don't clean their rafters, who then get a tool crashing into a work piece, which shakes the building, which throws all the dust into the air, which is then sparked off by literally anything. like low humidity.
see also another example; Domino Sugar explosion.
> Years ago I was involved in a service where we some times had to disable accounts for abusive behavior. I'm talking about obvious abusive behavior, akin to griefing other users.
But this isn't service where you can "grief other users". So that reason doesn't apply. It's purely "just providing a service" so only reason to be outright banned (not just rate limited) is if they were trying to hack the provider, and frankly "the vibe coded system misbehaving" is far more likely cause.
> Every once in while someone would take it personally and go on a social media rampage. They know the company can't or won't reveal the true reason they were banned, so they're virtually free to tell any story they want.
The company chose to arbitrarily some rules vaguely related to the ToS that they signed and decided that giving a warning is too much work, then banned their account without actually saying what was the problem. They deserve every bit of bad PR.
>> I'm glad this happened with this particular non-disabled-organization. Because if this by chance had happened with the other non-disabled-organization that also provides such tools... then I would be out of e-mail, photos, documents, and phone OS.
> I can't even understand what they're trying to communicate. I guess they're referring to Google?
They are saying getting banned with no appeal, warning, or reason given from service that is more important to their daily lives would be terrible, whether that's google or microsoft set of service or any other.
The farm of servers that decided by probably some vibe-coded mess to ban account is actively being paid for by customer that banned it.
Like, there is some reasons to not disclose much to free users like making people trying to get around limits have more work etc. but that's (well) paid user, the least they deserve is a reason, and any system like that should probably throw a warning first anyway.
Anthropic banned the author for doing nothing wrong, and called him an organisation for some reason.
In this case, all he lost was access to a service which develops a split personality and starts shouting at itself, until it gets banned, rather than completing a task.
Google also provides access to LLMs.
Google could also ban him for doing nothing wrong, and could refer to him as an organisation, in which case he would lose access to services providing him actual value (e-mail, photos, documents, and phone OS.)
Another possibility is there (which was my first reading before I changed my mind and wrote the above):
Google routes through 3rd-party LLMs as part of its service ("link to a google docs form, with a textbox where I tried to convince some Claude C"). The author does nothing wrong, but the Claude C reading his Google Docs form could start shouting at itself until it gets Google banned, at which point Google's services go down, and the author again loses actually valuable services.
I wish there were more comments like yours, and fewer people getting upset over words and carrying what feels like resentment into public comments.
Apologies to all for this meta comment, but I'd like to send some public appreciation for this effort.
My NAL guess is that it will go a little like this:
* Candidate makes disparaging post on reddit/HN. * Gets many responses rallying behind him. * Company (if they notice at all) sues him for breach of Non-Disparagement-Agreement. * Candidate makes followup post/edit/comment about being sued for their post. * Gets even more responses rallying behind him.
Result: Company gets $10.000 and even more damage to their image.
(Of course it might discourage some people from making that post to begin with, which would have been the goal. You might never try to enforce the NDA to prevent the above situation. Then it's just a question of: Is the effort to draft the NDA worth the reduction in risk of negative exposure, when you can simply avoid all of it by not providing feedback.)
Then a lawsuit happened. One of the candidates cherry-picked some of our feedback and straight up made up some stuff that was never said, and went on a social media tirade. After typical internet outrage culture took over, The candidate decided to lawyer up and sue us, claiming discrimination. The case against us was so laughably bad that if you didn't know whether it was real or not, you could very reasonably assume this was a satire piece. Our company lawyer took a look at it, and immediately told us that it was clearly intended to get to some settlement, and never actually see any real challenge. The lawyer for the candidate even admitted as much when we met with them. Our company lawyer pushed hard to get things into arbitration, but the opposing did everything they could to escalate up the chain to someone who would just settle with them.
Well, it worked. Company management decided to just settle with a non-disparagement clause. They also came down with a policy of not allowing software engineers to talk directly with candidates other than during interviews when asking questions directly. We also had to have an HR person in the room for every interview after that. We had to 180 and become people who don't provide any feedback at all. We ended up printing a banner that said no good deed goes unpunished and hung it in our offices.