Claude Fable is relentlessly proactive
Summary
Simon Willison describes an experience where Claude Fable 5 autonomously debugged a CSS horizontal scrollbar bug by opening real browsers (Safari, Firefox), writing custom HTML pages and injection scripts, taking screenshots via pyobjc-Framework-Quartz, and building a Python CORS web server to capture DOM measurements from a web component’s shadow DOM. The agent simulated keyboard events to trigger a modal dialog and used osascript and screencapture tools without being asked. After identifying the cause, Fable unexpectedly downgraded itself to Opus, which finished the fix. Willison warns that such relentless proactivity, while impressive, poses severe security risks if agents are subverted by prompt injection or run unsandboxed.
Key points
Claude Fable 5 autonomously opened real browsers (Safari, Firefox) and used Python to enumerate windows and take screenshots, bypassing Playwright's limitations.
It built a custom HTTP server with CORS support to capture DOM measurements via JavaScript injected into web pages, writing results to a JSON file.
The agent edited application templates to add keyboard event simulation, triggering the modal dialog required for testing.
Fable unexpectedly downgraded itself to Opus mid-task; Opus used the full transcript to complete the fix.
The experience highlights severe security concerns: a coding agent with such proactive capabilities could easily exfiltrate data or cause harm if exploited via prompt injection.
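The key points describe the agent standing up a CORS-enabled local HTTP server so that JavaScript injected into the page could report layout measurements from inside a web component's shadow DOM, with results written to a JSON file. The block below is an added example of that pattern, written for this summary; it is not Willison's code or anything Claude produced. The endpoint name `/measure`, the measurement JSON shape (`url` plus a list of `hits` with `scrollWidth`/`clientWidth`), and the `MEASURE_JS` snippet that walks open shadow roots to find elements wider than their container (the usual cause of a stray horizontal scrollbar) are all assumptions. Unlike an agent improvising under time pressure, it binds only to loopback and validates every payload before writing anything to disk.

```python
"""Loopback CORS collector for DOM overflow measurements (added example, not the original page's code)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

# Assumed page-side script: walks the document and every open shadow root,
# reporting elements whose scrollWidth exceeds their clientWidth, then POSTs
# the findings to the local collector. PORT is substituted by measurement_script().
MEASURE_JS = r"""
(function () {
  const hits = [];
  function walk(root) {
    for (const el of root.querySelectorAll('*')) {
      if (el.scrollWidth > el.clientWidth) {
        hits.push({tag: el.tagName, id: el.id || null,
                   scrollWidth: el.scrollWidth, clientWidth: el.clientWidth});
      }
      if (el.shadowRoot) walk(el.shadowRoot);   // descend into open shadow DOM
    }
  }
  walk(document);
  fetch('http://127.0.0.1:PORT/measure', {method: 'POST',
        headers: {'Content-Type': 'application/json'},
        body: JSON.stringify({url: location.href, hits})});
})();
"""


def measurement_script(port):
    """Return the injectable JavaScript bound to the collector's port."""
    return MEASURE_JS.replace("PORT", str(port))


def validate_measurement(payload):
    """Accept only {url: str, hits: [{tag, id, scrollWidth, clientWidth}, ...]}; raise ValueError otherwise."""
    if not isinstance(payload, dict) or not isinstance(payload.get("url"), str):
        raise ValueError("payload must be an object with a string 'url'")
    hits = payload.get("hits")
    if not isinstance(hits, list):
        raise ValueError("'hits' must be a list")
    clean = []
    for hit in hits:
        if not isinstance(hit, dict):
            raise ValueError("each hit must be an object")
        try:
            sw, cw = int(hit["scrollWidth"]), int(hit["clientWidth"])
        except (KeyError, TypeError, ValueError):
            raise ValueError("hit needs integer scrollWidth and clientWidth")
        clean.append({"tag": str(hit.get("tag", "")), "id": hit.get("id"),
                      "scrollWidth": sw, "clientWidth": cw, "overflow": sw - cw})
    return {"url": payload["url"], "hits": clean}


def append_measurement(path, payload):
    """Append one validated run to a JSON array on disk (file is created on first write)."""
    path = Path(path)
    records = json.loads(path.read_text()) if path.exists() else []
    records.append(payload)
    path.write_text(json.dumps(records, indent=2))


def worst_offender(path):
    """Across all recorded runs, return the hit with the largest overflow, or None if nothing was recorded."""
    path = Path(path)
    records = json.loads(path.read_text()) if path.exists() else []
    hits = [h for rec in records for h in rec["hits"]]
    return max(hits, key=lambda h: h["overflow"], default=None)


class MeasureHandler(BaseHTTPRequestHandler):
    out_path = Path("measurements.json")   # overridden per server in start_server()

    def _cors(self):
        # Any page may POST here; acceptable only because the server listens on loopback.
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Access-Control-Allow-Methods", "POST, OPTIONS")
        self.send_header("Access-Control-Allow-Headers", "Content-Type")

    def do_OPTIONS(self):
        # Browser preflight for the cross-origin JSON POST.
        self.send_response(204)
        self._cors()
        self.end_headers()

    def do_POST(self):
        if self.path != "/measure":
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            payload = validate_measurement(json.loads(self.rfile.read(length)))
        except ValueError:             # covers json.JSONDecodeError too
            self.send_response(400)
            self._cors()
            self.end_headers()
            return
        append_measurement(self.out_path, payload)
        self.send_response(204)
        self._cors()
        self.end_headers()

    def log_message(self, *args):      # keep the debugging console quiet
        pass


def start_server(out_path, host="127.0.0.1", port=0):
    """Start the collector on a background thread (port 0 picks a free port) and return the server."""
    handler = type("BoundHandler", (MeasureHandler,), {"out_path": Path(out_path)})
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_server("measurements.json")
    print(f"collector on port {srv.server_address[1]}; paste this into the page console:")
    print(measurement_script(srv.server_address[1]))
    threading.Event().wait()
```

Run it, paste the printed script into the browser console of the page under test, and `worst_offender("measurements.json")` names the element with the largest scrollWidth/clientWidth gap. The loopback bind and the strict `validate_measurement` check are the two controls an agent left to its own devices is least likely to add, and they are what keep an "open to any origin" debugging endpoint from becoming a writable drop on the developer's machine.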