Cloud Fable is constantly active
11 June 2026
After two days of experience with CloudFable 5 I think the best way to describe it is constantly active. It knows a lot of tricks and will use almost any of them to reach its goal.
I will explain it with an example. I was hacking the dataset agent today when I noticed a glitch: a horizontal scrollbar that shouldn’t be in the jump menu chat prompt. I took this screenshot:
then i started again claude session in my datasette-agent Checkout, grab a screenshot and tell:
Look at dependencies to help figure out why there is a horizontal scrollbar here
I had a hunch that the cause was a dependency of the dataset agent (possibly the dataset itself) and I knew that Fable was good at digging up dependency code, either by inspecting the files installed in its own virtual environment. site-packages Or by referencing a local checkout on disk. Asking it to start dependently seemed like a good bet.
I got distracted by a household task and walked away from my computer.
After a few minutes when I came back I saw my machine open a browser window in my regular firefox and then Navigate to the dialog in question. I didn’t tell Cloud Code to use any browser automation, and I was pretty sure it wasn’t possible for him to trigger mouse movement or keyboard shortcuts within the window, so how was he doing it?
I watched it in fascination as it continued its search, then I noticed it opening a Safari window instead of Firefox. I also took this snapshot from Cloud Terminal:
what was it doing there uv run --with pyobjc-framework-Quartz?
It turns out that Fable had hacked his own pattern for taking screenshots of browser windows. This was using Python to iterate through all available windows on my machine, then filtering for Safari windows with the expected strings "textarea" In window name. This is used to find their window number – an integer like 153551 – which can then be used with screencapture CLI tool to get PNG.
Ok, this is a good way to take screenshots. But what was it taking a screenshot of?
Turns out it was writing my own from-scratch HTML page to try and recreate the bug, then opening Safari and taking screenshots.
Here’s the /tmp/textarea-scrollbar-test.html page he created, and the screenshot he took with it screencapture -x -o -l 153551 /tmp/safari-cases.png: :
(I have a lot of open tabs!)
OK, so I can see how it was opening the test page and taking the screenshot, but how was it triggering the modal dialog that was supposed to be tested? It’s only available via a single click or keyboard shortcut, and I couldn’t see any mechanism to run it in Safari.
I finally found out what it did.
The cloud was running in a folder that contained the source code for the application. It knows enough about the dataset to be able to run a local development server. It turned out that it was editing the dataset’s own templates to add JavaScript that would trigger the correct keyboard shortcut as soon as the window opened, adding code like this:
<script>
window.addEventListener("load", function () {
setTimeout(function () {
document.dispatchEvent(new KeyboardEvent("keydown", {key: "https://simonwillison.net/", bubbles: true}));
}, 1200);
});
script>
1.2 seconds after the window opens, this code triggers a simulated / Key, which is the keyboard shortcut to open a modal dialog.
There was one challenge left. To understand what was going on, the cloud itself needed to run JavaScript on the page to take measurements.
It wrote my own custom web application to get information through CORS, then ran it as a local server and opened a page with JavaScript that would post directly to it!
Here is a Python web app written using the standard library http.server package:
from http.server import HTTPServer, BaseHTTPRequestHandler class H(BaseHTTPRequestHandler): def do_POST(self): n = int(self.headers.get("Content-Length", 0)) open("/tmp/diag.json", "w").write(self.rfile.read(n).decode()) self.send_response(200) self.send_header("Access-Control-Allow-Origin", "*") self.end_headers() def do_OPTIONS(self): self.send_response(200) self.send_header("Access-Control-Allow-Origin", "*") self.send_header("Access-Control-Allow-Headers", "*") self.end_headers() def log_message(self, *a): # quiet pass HTTPServer(("127.0.0.1", 9999), H).serve_forever()
All it takes is a POST request filled with JSON and writing it out /tmp/diag.json file. it sends Access-Control-Allow-Origin: * header (including from) OPTIONS request) so that code running on another domain can still communicate back to it.
The cloud then injected this code into the template it was loading into the browser:
const host = document.querySelector("navigation-search");
const ta = host.shadowRoot.querySelector("textarea");
const cs = getComputedStyle(ta);
fetch("http://127.0.0.1:9999/diag", {
method: "POST",
body: JSON.stringify({
dpr: window.devicePixelRatio,
scrollWidth: ta.scrollWidth, clientWidth: ta.clientWidth,
whiteSpace: cs.whiteSpace, width: cs.width,
}),
});
measured from inside the
After figuring out all these tricks, Fable… hit some invisible railing and downgraded itself to Opus. Thankfully Opus had access to the full transcript and could continue using the tips introduced by Fable, and the fix was found, tested and verified shortly thereafter.
I inspired Opus to:
Write a report in /tmp/automation-report.md where you note down all of the tricks you have used in this session to test against real browsers on my computer, include runnable code examples
Who prepared this report, which was invaluable in piecing together the details of what happened for this post.
I’ve also shared the full terminal transcript of the Cloud Code session.
review of everything it did
Based on a screenshot and one-line hint, Cloud Fable 5 + Cloud code:
- Traced the recipe to run a local development server (with the fake environment variables needed to run it)
- Started a Playwright Chrome session
- Visible scrollbar setting turned on for Chrome
defaults write com.google.chrome.for.testing AppleShowScrollBars Always(Later it was closed again) - Also poked around through Firefox and Webkit in Playwright, failed to recreate the bug
- Turns out my default browser was Safari
- built a
textarea-scrollbar-test.htmlHTML document - Opened it in real (not pretend) Firefox
- he got it
osascript -e 'tell application "System Events" to tell process "firefox" to id of window 1'Was blocked because “OsaScript is not allowed supporting access” - figured it out
uv run --with pyobjc-framework-Quartz pythonSolution, described above - Added JavaScript to site template to trigger
/key - Created my own little Python CORS web server to capture JSON data
- Rewrite the template to capture that data and send it to the server
- Web component scripting its way to needed information through shadow DOM
- Opened Safari to confirm source of bug
- Modified my custom template to hack possible solution
- Confirmed that the hacked solution worked
- Reported back on how to fix the problem
Like I said, constantly active!
an estimate of costs
I’m currently on the $100/month Cloud Max plan, which includes a generous allowance for Fable, until June 22nd after which Anthropic says they will start charging full API prices for it.
I’m using Agents View to track my spending (see this TIL). Here’s what Agentsview says this session would have cost me if I were paying full price for it:
~ % uvx agentsview session usage be8850a7-6119-46a0-b5d6-79c7fff5ae2b
Session: be8850a7-6119-46a0-b5d6-79c7fff5ae2b
Agent: claude
Output: 68606
Peak ctx: 113178
Cost: ~$12.11 (claude-fable-5, claude-opus-4-8)
i really need to turn this thing off
On the one hand, seeing Fable go to extreme lengths to get the information needed to debug what was, in the end, a two-line CSS fix. Attractive.
But on the other hand… it’s a strong reminder that coding agents can do anything You This can be done by typing commands into the terminal – and Frontier models know every trick in the book, and apparently some that no one has ever written before.
If Fable was acting on malicious instructions – a quick injection attack hidden in code or a problem thread, or something I carelessly stuck into my terminal – it’s worrying to think how far it could go in exfiltrating data or causing other kinds of mischief.
Running coding agents outside the sandbox has always been a bad idea – it’s my top contender for the Challenger disaster event, as described by Johann Rehberger in The Normalization of Deviance in AI.
Fable is arguably smarter and therefore more suspicious of potentially malicious instructions. But that cleverness is very much a double-edged sword: if it does The amount of damage it can do if it deviates from instructions is terrifying given its constant activity.
<a href