Post by Context Studios - AI Development Studio & Agency Berlin


A quiet line in a June changelog just rewrote one of the most important rules in agent security. In Claude Code 2.1.166, messages relayed via SendMessage from other Claude sessions no longer carry user authority. Receivers refuse relayed permission requests, and automatic mode blocks them outright. One agent can no longer act with your privileges just because it asked another agent to.

Why this matters:

→ The confused deputy hit AI agents. The new injection surface isn't the prompt box — it's the message one agent sends another. When agent A speaks to agent B with A's borrowed permissions, B becomes a deputy executing privileged actions no human approved.

→ Multi-agent relays quietly assemble the lethal trifecta: private data access, exposure to untrusted content, and an exfiltration channel. Strip authority from the relayed message, and the receiving agent sees a request with no human behind it — and refuses.

→ Fallback chaining cuts both ways. The new fallbackModel setting tries up to three models when the primary is overloaded — graceful, but also a silent way to change which model handles sensitive work. Every model in the chain must clear the same bar as your primary.

The builder's response: treat every agent-to-agent message as untrusted input. Scope each agent to least privilege, deny broad tool classes with the new globs, vet your fallback chain, and keep a human gate where private data, untrusted content, and an action channel meet.

Capability outran control. The fix is to gate authority — not trust.

Full analysis: https://lnkd.in/ddWAKSY5

#AISecurity #AIAgents #ClaudeCode #AgentGovernance #MultiAgent
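As an added illustration (not Claude Code's own implementation, whose internals the post does not show), here is a toy receiver in Python that applies the rules the post describes: a relayed message carries no user authority, a relayed permission request is refused, automatic mode blocks it outright, broad tool classes are denied by glob, and a human gate is required once private data, untrusted content and an action channel meet in one agent. The message fields, tool names and glob syntax are assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional

@dataclass
class Message:
    sender: str                         # "user" or a session id (constructed)
    text: str
    relayed: bool = False               # delivered via an agent-to-agent relay
    tool_request: Optional[str] = None  # tool the sender asks the receiver to run (assumed names)

@dataclass
class Receiver:
    mode: str = "interactive"           # "interactive" or "auto"
    denied_globs: List[str] = field(default_factory=lambda: ["shell.*", "net.*"])  # assumed glob syntax
    has_private_data: bool = False      # the three trifecta legs, tracked per agent
    saw_untrusted_content: bool = False
    has_action_channel: bool = False

    def authority(self, msg: Message) -> str:
        # A relayed message never carries the user's authority, whoever sent it.
        if msg.relayed:
            return "none"
        return "user" if msg.sender == "user" else "none"

    def trifecta_complete(self) -> bool:
        return self.has_private_data and self.saw_untrusted_content and self.has_action_channel

    def handle(self, msg: Message) -> str:
        if msg.relayed:
            self.saw_untrusted_content = True   # relay content is untrusted input
        if msg.tool_request is None:
            return "read"                       # plain content, nothing to authorize
        if self.mode == "auto" and msg.relayed:
            return "blocked"                    # automatic mode blocks relayed requests outright
        if self.authority(msg) != "user":
            return "refused"                    # no human behind this request
        if any(fnmatch(msg.tool_request, g) for g in self.denied_globs):
            return "denied"                     # broad tool class denied by glob
        if self.trifecta_complete():
            return "human_gate"                 # all three legs present: a human decides
        return "allowed"
```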
