Core Viewpoint - The article discusses the security vulnerabilities associated with Anthropic's Claude Code command-line tool, particularly the risk of remote code execution (RCE) due to potential hijacking of the Tool Invocation Prompt (TIP) when connecting to Model Context Protocol (MCP) servers [2][6][20]. Summary by Sections Research Findings - A study conducted by researchers from Hong Kong University of Science and Technology and Fudan University identified vulnerabilities in Claude Code v1.0.81, demonstrating the existence of a flaw that could be exploited for RCE [3][6]. - The TEW (TIP Exploitation Workflow) framework was introduced to describe the steps for achieving RCE, focusing on logical target attacks that do not require privileged access [8][10]. Attack Mechanism - The attack process involves three main steps: 1. **Prompt Structure Acquisition**: Malicious tools are registered through benign queries, allowing attackers to extract the TIP structure [10]. 2. **Vulnerability Identification**: Analyzing the TIP reveals that initialization logic processes all tool descriptions, which may include malicious code [10]. 3. **TIP Exploitation**: Tests showed a 90% success rate in executing attacks using the Claude-sonnet-4 model, with low resource consumption and high stealth [11][12]. Case Study - A practical example illustrated how a malicious MCP tool description could masquerade as an environment initialization step, leading to the execution of harmful commands despite safety warnings from the Haiku guard model [14][15]. Security Assessment - The study evaluated seven agent systems, revealing that Claude Code had a higher success rate for RCE-2 attacks, highlighting the limitations of single-layer defenses in CLI environments compared to IDE tools [17][18]. Recommendations for Improvement - The research suggests several defensive measures for Anthropic, including: 1. Utilizing guard LLMs to filter MCP inputs. 2. Implementing introspection mechanisms for the main model to assess the suspiciousness of initialization steps. 3. Adopting multi-model consensus voting for command verification. 4. Enforcing trust signals to allow only signed MCPs [22][24].