Listen to this Post

Introduction:
Modern AI coding agents are no longer simple prompt‑response systems. They are complex state machines with side conversations, forks, context restoration, model routing, and subagents. When a safeguard applies in one path but disappears in another, the same underlying intent receives completely different treatment — and that is exactly what researcher Qi Deng reproduced with Anthropic’s Fable 5 in Claude Code using the `/btw` command. This is not a conventional jailbreak; it is a state‑management failure that redefines how we must think about AI agent security.
Learning Objectives:
- Understand how the `/btw` side‑channel bypasses Fable 5’s cybersecurity safeguards in Claude Code.
- Recognize that agent safety is fundamentally a state‑management problem across multiple execution paths.
- Learn practical auditing and hardening techniques for AI agent state machines, including Linux/Windows commands and tool configurations.
You Should Know:
- The /btw Side‑Channel: How a Simple Command Bypasses Fable 5 Safeguards
The attack begins with an unassuming command: /btw. In Claude Code, this command is intended to insert a side note into the conversation, but it executes in a side‑channel environment independent of the main dialogue. In a controlled test, Qi Deng observed that a cybersecurity task received materially different treatment depending on how it entered the conversation:
- Normal path: Fable’s cybersecurity safeguards applied and blocked the request.
- Through /btw: The model provided substantially more detailed security analysis.
- After forking the /btw exchange: That behavior persisted in the new conversation.
The security implication is clear: safety policies, risk classification, provenance, and authorization must remain consistent across every transition — side conversations, forks, branches, resume and context restoration, context compaction, model routing and fallback, subagents, and tool invocation. A guardrail that disappears when the conversation changes paths is not an end‑to‑end safeguard; it is path‑dependent product behavior.
Step‑by‑step guide to understanding the /btw bypass mechanism:
- Initiate a cybersecurity request in the main Claude Code conversation (e.g., “Analyze this code for privilege escalation vulnerabilities”).
- Observe safeguard trigger — Fable 5’s safety classifier blocks or restricts the response.
- Switch to the /btw side‑channel by typing `/btw` followed by the same or similar request.
- Receive unrestricted analysis — the model provides detailed security insights without the usual restrictions.
- Fork the /btw exchange — the relaxed behavior persists in the new forked conversation.
- Verify persistence — the forked conversation continues to operate without the original safeguards applied.
The researcher Ani (@aniziki) originally disclosed this behavior, and Qi Deng independently reproduced it. A patched binary approach has been documented that allows subagents spawned with `/btw` to execute tools, with the forked request inheriting the parent model’s tool access.
2. Why Agent Safety Is a State‑Management Problem
A modern coding agent is not a single prompt followed by a single response. It contains multiple execution paths:
→ Side conversations
→ Forks and branches
→ Resume and context restoration
→ Context compaction
→ Model routing and fallback
→ Subagents
→ Tool invocation
Safety policy, risk classification, provenance, and authorization need to remain consistent across every one of these transitions. Otherwise, the same underlying intent can receive completely different treatment simply because it reached the model through a different product workflow.
This is why securing an AI agent requires more than securing the underlying model. The real control plane includes:
– The model itself
– Conversation state
– Context lifecycle
– Routing logic
– Tools
– Identity
– Execution environment
The next generation of AI red teaming must test the entire state machine — not just the prompt box. Research has shown that personalized LLM agents maintain persistent cross‑session state, and routine interactions can gradually reshape an agent’s long‑term state, inadvertently weakening future confirmation boundaries and escalating autonomous behavior over time. This persistence introduces a subtle but critical security vulnerability that traditional single‑turn evaluations miss.
Step‑by‑step guide to auditing AI agent state management:
- Map all execution paths in the agent system — identify every possible transition (forks, branches, resume, compaction, routing, subagents, tool calls).
- Trace safeguard propagation — verify that safety policies apply consistently across each path.
- Test state persistence — after a fork or resume, check whether safeguards are re‑evaluated or inherited.
- Audit context lifecycle — examine how context is compacted, restored, and passed between subagents.
- Validate model routing — ensure that fallback models inherit the same safety policies as the primary model.
- Monitor tool invocation — verify that tool calls are subject to the same risk classification as prompt‑based requests.
For Linux environments, you can monitor Claude Code’s state and model switching by examining `~/.claude/projects/` and using tools like `usage.py` to display usage statistics. The `tengu-decoded` repository provides reverse‑engineering insights into Claude Code’s internals, including feature flags, telemetry, and device fingerprinting.
3. Hardening AI Agents Against State‑Based Bypasses
Given that the /btw bypass exploits state‑management weaknesses, defenders must adopt a state‑aware security posture. The core insight from Qi Deng’s analysis is that securing an AI agent requires securing the entire state machine, not just the model.
Step‑by‑step guide to hardening AI agent state machines:
- Implement state‑aware guardrails — safety policies must be bound to the underlying tool capabilities, not just the chat interface. The Fable 5 safeguard bypass succeeded because the safety护栏 was tied to the chat interface rather than the tool layer itself.
- Enforce consistent policy evaluation — every execution path (side conversations, forks, resumed sessions) must re‑evaluate safety policies rather than inheriting potentially compromised state.
- Audit context inheritance — when a conversation is forked or resumed, verify that safeguards are re‑applied rather than blindly carried over.
- Use deterministic guardrails — tools like `ptuf` provide deterministic PreToolUse hooks that block dangerous operations using rules rather than LLM heuristics. This prevents the model from finding alternative paths around safety mechanisms.
- Implement hook‑based enforcement — Claude Code supports PreToolUse hooks that can block or modify tool calls before execution. However, researchers have found that some hooks can be bypassed via the Bash tool, so hooks must be comprehensive and cover all tool invocation paths.
- Monitor for path‑dependent behavior — deploy continuous monitoring that detects when the same request receives different responses based on the execution path.
For Windows environments, similar principles apply. Use PowerShell to monitor agent state directories and implement watchdog scripts that detect unauthorized state changes. The `ai-ide-config-guard` repository provides scanning tools for AI‑IDE configuration files that can trigger RCE, credential theft, or persistent compromise.
- The Role of Fable 5 in Cybersecurity and Red Teaming
Fable 5 is Anthropic’s most advanced model, designed for “the most demanding reasoning and long‑horizon agentic work,” with a 1M‑token context and a server‑side safety layer that screens high‑risk cybersecurity and biological threat traffic. It was temporarily suspended under US export controls due to concerns about jailbreak‑linked capabilities, but has since been restored.
Fable 5’s cybersecurity safeguards categorize activities into four tiers:
– Prohibited use — activities that are never allowed.
– High‑risk dual use — penetration testing, red teaming, privilege escalation, exploit development, virtual machine escapes.
– Low‑risk dual use — activities that may be permitted under certain conditions.
– Benign use — everyday cybersecurity tasks that pose no risk.
The /btw bypass effectively allows high‑risk dual‑use activities to be performed without the safeguards that would normally apply. This is not a universal jailbreak — the model still refuses overtly malicious requests — but the security boundary has been quietly moved.
Step‑by‑step guide to using Fable 5 for legitimate cybersecurity tasks (without bypassing safeguards):
- Clearly define the scope — specify that the task is for legitimate security research or defensive purposes.
- Use the normal interaction path — avoid side‑channels like `/btw` that may produce inconsistent behavior.
- Request explicit permission — state that you are authorized to perform the security analysis.
- Document the request — maintain a clear record of what was asked and what was returned.
- Verify the response — cross‑check the model’s analysis with known security best practices.
- Report any anomalous behavior — if you observe path‑dependent treatment, document it and report it to Anthropic.
The `fable5-mode` project provides a work‑discipline protocol that makes Opus 4.8 (or any non‑frontier model) operate at Fable‑5‑grade quality. It enforces plan gates, self‑verification, and subagent routing through guard hooks. This is particularly useful for organizations that cannot access Fable 5 directly but still need Fable‑grade discipline in their AI workflows.
- The Future of AI Red Teaming: Testing the State Machine
Traditional AI red teaming evaluates single‑turn prompts and measures attack success rates (ASR) as a binary outcome. This approach is fundamentally inadequate for modern agentic systems. As Qi Deng notes, the next generation of AI red teaming must test the entire state machine — not just the prompt box.
Agentic red teaming is an advanced paradigm that treats each action sequence as an attack surface for context‑dependent vulnerability discovery. It systematically probes, stress‑tests, and reveals vulnerabilities in AI systems embedded in interactive, tool‑calling, or multi‑agent execution loops.
Step‑by‑step guide to state‑machine red teaming:
- Map the state machine — document all possible states, transitions, and execution paths in the agent system.
- Identify state‑dependent safeguards — determine which safeguards apply in which states and how they are enforced.
- Test state transitions — attempt to move the agent from a restricted state to an unrestricted state (e.g., normal conversation → /btw side‑channel → forked conversation).
- Measure path‑dependent behavior — compare responses to the same request across different execution paths.
- Exploit state persistence — test whether compromised state persists across sessions, forks, and resumes.
- Develop state‑aware defenses — design countermeasures that maintain consistent safeguards across all states and transitions.
Research frameworks like AMT‑X (Adaptive Multi‑Turn Exploitation) use phase‑structured multi‑turn attacks with a multi‑phase attack state machine and semantic‑analysis‑driven phase transitions. Similarly, the Penetration Testing State Machine (PSM) uses finite state machine methodology to drive LLM‑based automated penetration testing.
For organizations conducting AI red teaming, the `HackAgent` framework provides automated red‑team capabilities that orchestrate attacker models against target models under chosen attack algorithms. In automated red‑team campaigns against Fable 5 and Opus 4.8, the most effective attack achieved a confirmed success rate of 6.1% against Fable 5 and 11.5% against Opus 4.8. These numbers underscore that even the most advanced models have vulnerabilities that state‑machine testing can uncover.
What Undercode Say:
- Key Takeaway 1: The `/btw` bypass in Claude Code demonstrates that agent safety is fundamentally a state‑management problem, not just a model‑safety problem. Safeguards that are path‑dependent are not end‑to‑end safeguards.
-
Key Takeaway 2: Securing an AI agent requires securing the entire control plane — model, conversation state, context lifecycle, routing logic, tools, identity, and execution environment. The next generation of AI red teaming must test the entire state machine, not just the prompt box.
Analysis: The Fable 5 /btw bypass is a watershed moment for AI security. It reveals that as AI agents become more complex — with side conversations, forks, context restoration, model routing, and subagents — the attack surface expands dramatically. Traditional safeguards that focus on the model itself are insufficient; attackers can exploit state‑management weaknesses to achieve the same outcome through different paths. This is not a theoretical concern — it has been reproduced in controlled tests and the behavior is confirmed.
The implications for enterprises are profound. With 54% of organizations already having experienced a confirmed AI agent security incident or near‑miss, the urgency of state‑aware security cannot be overstated. The memory layer — vector databases and context storage — is a critical yet under‑monitored attack surface. Agent identity management must treat inter‑agent trust as a first‑class security concern. And as Anthropic’s accidental exposure of Claude Code’s complete source code in March 2026 demonstrated, the risks extend beyond model safety to supply chain and malware threats.
Defenders must adopt a holistic approach that secures the entire state machine, implements deterministic guardrails, and conducts state‑aware red teaming. The era of treating AI safety as a single‑turn prompt problem is over.
Prediction:
- -1 The /btw bypass will be weaponized by threat actors within weeks, leading to a wave of AI‑assisted cyberattacks that exploit state‑management weaknesses in commercial AI coding agents.
- -1 Enterprises will face increased regulatory scrutiny as AI agent state‑management failures become a recognized attack vector, with compliance frameworks struggling to keep pace.
- +1 The disclosure will accelerate the development of state‑aware security frameworks and deterministic guardrails, driving innovation in AI agent hardening.
- +1 AI red teaming will evolve to include state‑machine testing as a standard practice, with new tools and methodologies emerging to probe multi‑turn, multi‑path agent behaviors.
- -1 The complexity of securing AI agent state machines will outpace the capabilities of most security teams, creating a persistent gap between agent autonomy and security controls.
- +1 Open‑source projects like `fable5-mode` and `ptuf` will gain adoption as organizations seek practical, deterministic ways to enforce discipline and block dangerous tool calls without relying solely on model‑based safeguards.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Qi Deng – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


