9 min read · AVL Code Dev Team (Antiy · Landi)

Using AVL Code to Verify the Rumor That “Claude Code Has a Hidden Mechanism to Specifically Detect Chinese Users”

Tags: Claude Code · Reverse Engineering · Privacy · Supply Chain Security · AVL Code

A recent Reddit post about Claude Code has drawn attention. According to the post, starting with Claude Code 2.1.91, the client ships a set of hidden detection logic: when a user configures a proxy or a custom upstream endpoint, it checks the system time zone, the proxy address, and keywords associated with Chinese AI services, then conveys the result through date-format and Unicode character variations in the system prompt.

This is the kind of claim best verified technically. We received a report from an AVL Code user who had used AVL Code to reverse engineer the Claude Code sample installed on their own machine. Working from the analysis process and screenshots in that report, we organized the findings around three questions: whether the code in question exists, what the detection conditions are, and how much client-side reverse engineering can actually prove.

The analysis process and screenshots in this article come from the AVL Code user's report; we have organized and re-verified them on that basis.

[Screenshot: the reverse engineering session reported by an AVL Code user, checking the technical allegations in the original Reddit post one by one.]

Verification Results

The reverse engineering confirmed the following:

  • The client contains time zone checks for Asia/Shanghai and Asia/Urumqi;
  • The client reads ANTHROPIC_BASE_URL and parses the hostname it contains;
  • The client ships with a built-in list of China-related domains and Chinese AI service keywords;
  • The detection result affects the date format and apostrophe characters in the system prompt;
  • These differences do not appear as ordinary visible fields; they surface as subtle textual variations.

It should be noted that client-side reverse engineering mainly answers two questions: whether this mechanism exists, and how the markers are generated. How those markers are used further down the chain still requires request samples, server-side behavior, or official statements to determine.

A more precise statement is therefore: the Claude Code client contains an implicit marking mechanism tied to China-related runtime environments, proxy upstreams, and AI service keywords. If “specifically detecting Chinese users” is taken to mean detecting Chinese time zones and China-related proxy environments, the client code supports that reading; if it is taken to mean full identity profiling, malicious surveillance, or code theft, there is currently no evidence to support it.

The Core Allegations in the Original Post

The original Reddit post's claims boil down to four points:

  • Starting with 2.1.91, Claude Code added obfuscated detection logic;
  • The detection targets include Chinese time zones, China-related domains, and Chinese AI service keywords;
  • The detection result does not appear as an explicit field but is encoded into the system prompt;
  • The encoding includes date-separator changes and Unicode apostrophe substitution.

The post points to Claude Code 2.1.91 as the starting version. Whichever specific version the mechanism first appeared in, the more important question is this: if the client really does attach environment markers to the model request context, users and enterprise security teams should be able to learn about it clearly, through documentation or configuration options.

What the Code Shows

In the user-reported analysis, AVL Code first located the code related to system prompts, date injection, and environment-variable reads, then recovered the obfuscated strings and call chains. The main findings follow.

Time zone detection

The reverse engineering shows the relevant logic calls:

Intl.DateTimeFormat().resolvedOptions().timeZone

and then checks whether the system time zone is:

Asia/Shanghai
Asia/Urumqi

Reading the time zone by itself is not unusual; plenty of software does it. What matters here is that the result of the time zone check feeds into the subsequent prompt-encoding logic, rather than being used only for local display.

Proxy upstream detection

The code also reads:

process.env.ANTHROPIC_BASE_URL

If the variable is not set, the logic returns immediately; if it is, the code parses the hostname out of the URL and goes on to match it against the built-in domain and keyword lists.

This indicates the logic is focused on custom upstreams, proxy gateways, and relay-service scenarios.

Built-in domains and keywords

The string lists AVL Code decoded include a batch of China-related domains and a set of Chinese AI service keywords. For example:

baidu.com
alibaba-inc.com
bytedance.net
jd.com
iflytek.com
aliyuncs.com
deepseek
moonshot
minimax
zhipu
bigmodel
baichuan
stepfun
01ai
dashscope
volces

[Screenshot: the set of Chinese AI service keywords decoded by AVL Code during the reverse engineering, used to determine whether a proxy URL is associated with specific services.]

Prompt encoding

The verification shows that the detection result affects the date string and apostrophe characters in the system prompt. In simplified form:

  • Chinese time zone matched: the date changes from 2026-07-01 to 2026/07/01
  • China-related domain matched: the apostrophe is replaced with ’ (U+2019)
  • Chinese AI keyword matched: the apostrophe is replaced with ʼ (U+02BC)
  • Both a domain and an AI keyword matched: the apostrophe is replaced with ʹ (U+02B9)

A note on Unicode code points: these apostrophes are nearly indistinguishable to the naked eye, but each has its own code point. Normal text uses the ASCII apostrophe ' (U+0027, APOSTROPHE); the three substitutions above are U+2019 (RIGHT SINGLE QUOTATION MARK), U+02BC (MODIFIER LETTER APOSTROPHE), and U+02B9 (MODIFIER LETTER PRIME) — similar in shape yet distinct in code point, which is precisely what lets a program tell such markers apart reliably.

These characters are hard for a user to notice, but a program can identify them reliably. They are not telemetry fields in the traditional sense; they are environment markers embedded in the system prompt text.
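To make the mechanism described above concrete, here is an added example in JavaScript (not Claude Code's or AVL Code's own code) that models the marker logic from the findings in this section and scans captured system-prompt text, such as a proxy log, for the markers. The domain and keyword lists are only the entries quoted in this article, and the matching rules (suffix match on domains, substring match on keywords) are assumptions.

```javascript
// Added example: models the marker logic described in the article and scans
// captured prompt text for the markers. Lists are the subset the article quotes;
// suffix/substring matching rules are an assumption, not recovered from the client.
const CN_TIMEZONES = new Set(["Asia/Shanghai", "Asia/Urumqi"]);
const CN_DOMAINS = ["baidu.com", "alibaba-inc.com", "bytedance.net",
  "jd.com", "iflytek.com", "aliyuncs.com"];
const CN_AI_KEYWORDS = ["deepseek", "moonshot", "minimax", "zhipu", "bigmodel",
  "baichuan", "stepfun", "01ai", "dashscope", "volces"];

// Apostrophe code points from the article's table, keyed by matched condition.
const APOSTROPHE_MARKERS = {
  domain: "\u2019",  // RIGHT SINGLE QUOTATION MARK
  keyword: "\u02BC", // MODIFIER LETTER APOSTROPHE
  both: "\u02B9",    // MODIFIER LETTER PRIME
};

// Predict which markers the described mechanism would produce for an environment.
// timeZone defaults to the same Intl call the article says the client uses.
function expectedMarkers(baseUrl,
    timeZone = Intl.DateTimeFormat().resolvedOptions().timeZone) {
  const result = { slashDate: CN_TIMEZONES.has(timeZone), apostrophe: "'" };
  if (!baseUrl) return result; // unset variable: the logic returns immediately
  let host;
  try { host = new URL(baseUrl).hostname.toLowerCase(); } catch { return result; }
  const domainHit = CN_DOMAINS.some(d => host === d || host.endsWith("." + d));
  const keywordHit = CN_AI_KEYWORDS.some(k => host.includes(k));
  if (domainHit && keywordHit) result.apostrophe = APOSTROPHE_MARKERS.both;
  else if (domainHit) result.apostrophe = APOSTROPHE_MARKERS.domain;
  else if (keywordHit) result.apostrophe = APOSTROPHE_MARKERS.keyword;
  return result;
}

// Scan captured system-prompt text for the date-format and apostrophe markers.
function scanPrompt(text) {
  const findings = [];
  if (/\b\d{4}\/\d{2}\/\d{2}\b/.test(text)) findings.push("slash-date (Chinese time zone)");
  for (const [cond, ch] of Object.entries(APOSTROPHE_MARKERS)) {
    if (!text.includes(ch)) continue;
    const cp = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
    findings.push(`U+${cp} apostrophe (${cond})`);
  }
  return findings;
}

// Constructed sample prompt, not a real capture.
const SAMPLE = "Today\u2019s date is 2026/07/01. The user\u2019s cwd is /home/dev.";
console.log(expectedMarkers("https://api.deepseek.com/v1", "Asia/Shanghai"));
console.log(scanPrompt(SAMPLE));
```

Run it with `node` to see the predicted markers for a constructed environment and the markers found in the constructed prompt; a security team can point `scanPrompt` at real captured request bodies instead.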

[Screenshot: AVL Code's summary of the reverse engineering results: the client-side mechanism can be confirmed; how the signals are used downstream still needs more evidence to judge.]

What This Means

From a security-analysis standpoint, this mechanism by itself does not amount to code theft or malicious execution. The verification found no sign that it scans project files, uploads repository contents, or executes extra commands.

But it does mark certain features of the user's runtime environment, including the time zone, the custom upstream address, and specific keywords in the proxy URL. This information is not project source code, but it can reflect where a user is located, how they reach the service, and which services they use.

For an AI coding tool like Claude Code, that is a sensitive point. It is not an ordinary web app; it is high-privilege software running on a developer's machine, able to read files, modify code, execute commands, and plug into toolchains. If a tool of this class adds environment markers to the request context, it should say so in an explicit, auditable way.

Claude Code's official documentation explains that the local client sends user prompts and model outputs over the network in order to interact with the LLM, and that it connects to Anthropic to record operational metrics such as latency, reliability, and usage patterns, with settings available to turn ordinary telemetry off. The mechanism discussed here differs from regular telemetry fields; it is closer to an implicit marker inside the system prompt. So the crux is not “does the software talk to the network” but “are the environment markers clearly disclosed, and can users understand and control them.”

Possible Uses and the Evidence Boundary

The mechanism could serve several purposes. Common explanations include abuse detection, spotting unauthorized resale, identifying proxy relays, flagging model-distillation risk, or compliance-related region checks.

Each of these has some plausibility; each remains only a possibility. Client-side reverse engineering can confirm local code logic. How the markers are parsed and used further down the chain still requires server-side behavior, request samples, and official statements to determine.

From a product and compliance standpoint, if this detection really serves risk control, the better practice is to put it in public documentation: when a user configures a third-party gateway, a proxy, or a custom ANTHROPIC_BASE_URL, the client may collect necessary network-environment features for abuse detection. Only then can users and enterprise security teams assess the risk on an informed basis.

Recommendations for Users and Enterprises

If you use Claude Code, a few basic checks are worth doing:

  • Check whether ANTHROPIC_BASE_URL is set;
  • Avoid Claude relay services of unknown origin;
  • Keep records of versions, installer packages, and configurations for closed-source AI coding tools;
  • Use isolated environments or controlled workspaces for highly sensitive projects;
  • Run traffic audits and supply chain assessments on AI coding tools in enterprise environments;
  • If you do not need ordinary telemetry, turn it off per the official documentation — but note this is not the same as turning off the implicit marking mechanism discussed here.

Enterprise users should also keep a bigger question in view: AI coding tools now take part in reading, modifying, testing, building, committing, and releasing code. The bar for such tools should not stop at model capability; it should also cover auditability, controllability, deployment model, and data boundaries.

Why AVL Code for the Verification

This verification also shows why security-analysis capability matters in an AI coding tool.

An ordinary coding assistant can help read code, write code, and run tests. But when the question becomes “does a closed-source tool contain a piece of hidden logic,” the work calls for binary analysis, string decoding, call-chain tracing, and evidence organization combined.

AVL Code ships with built-in capabilities for security analysis, including hashing and entropy, string and IOC extraction, PE / ELF / Mach-O parsing, disassembly, decompilation, YARA matching, plus conversational reasoning and local workspace operations. This analysis is a typical use case: start from an outside rumor, come back to the local sample and the code evidence, and confirm item by item what holds and what cannot be concluded.

Final Conclusions

Based on this sample reverse engineering, three conclusions can be drawn.

First, the client-side mechanism exists. Claude Code does contain detection logic aimed at Chinese time zones, custom upstreams, China-related domains, and Chinese AI service keywords.

Second, the encoding exists. The detection result enters the system prompt through date-format and Unicode apostrophe variations rather than as an explicit field.

Third, downstream use still needs more evidence. The client code shows how the markers are generated; how they are consumed on the server side, and whether they affect account status or service policy, still needs more material for cross-validation.

So the thing most worth watching here is not any single conclusion but transparency. For high-privilege AI coding tools, environment detection and request-context markers should be clearly disclosed, auditable, and configurable. Only then can developers and enterprises use these tools fully informed.

We'll be waiting at avlcode.cn — riding a donkey, verifiable and in your control.


References: Reddit, “Anthropic embedded spyware in Claude Code — and attempted to hide it from you”; Anthropic, “Claude Code changelog”, “Claude Code data usage”, “Claude Code monitoring”, “Supported countries & regions”. This article is based on material visible as of July 1, 2026 and on the reverse engineering of a locally installed sample reported by an AVL Code user; the specific implementation may change across Claude Code versions.

AVL Code — the AVL security engine, with intelligence at your side. From the Antiy Landi team.