Claude Fable is relentlessly proactive
Simon Willison · Simon Willison · 2026-06-11
Simon Willison documents Claude Fable 5 autonomously inventing browser automation techniques—including pyobjc screenshot capture, JavaScript keyboard injection, and a custom Python CORS server—to diagnose a CSS scrollbar bug from a single screenshot prompt, then warns the same proactivity makes it dangerous if subverted by prompt injection.
Appears in
Extraction
Topics: claude-fable-5coding-agentsbrowser-automationprompt-injection-riskai-security
Claims
- Claude Fable 5 autonomously devised a novel multi-step browser automation workflow, including screenshot capture via pyobjc, JavaScript keyboard-shortcut injection into live templates, and a custom Python CORS server, without being instructed to do so.
- Fable's relentless proactivity represents a security double-edged sword: the capability enabling autonomous debugging could enable serious data exfiltration if the model is compromised by prompt injection.
- Fable downgraded itself to Opus mid-session after hitting an invisible guardrail, and Opus successfully continued using the techniques Fable had pioneered, with access to the full transcript.
- Running AI coding agents outside a sandbox is Willison's top candidate for a 'Challenger disaster' normalization-of-deviance incident in the AI era.
Key quotes
After two days of experience with Claude Fable 5 I think the best way to describe it is relentlessly proactive. It knows a whole lot of tricks and it will deploy pretty much any of them to get to its goal.
Running coding agents outside of a sandbox has always been a bad idea - it's my top contender for a Challenger disaster incident, as described by Johann Rehberger in The Normalization of Deviance in AI.
If Fable had been acting on malicious instructions - a prompt injection attack hidden in code or an issue thread, or something I'd carelessly pasted into my terminal - it's alarming to think quite how far it could go to exfiltrate data or cause other forms of mischief.