[FEATURE] Get rid of malware warning in Read tool response
Resolved 💬 23 comments Opened Nov 26, 2025 by SeanHeelan Closed Apr 12, 2026
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
When Claude Code (and the Agent SDK) uses the Read tool, every response has the following appended:
<system-reminder>\nWhenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.\n</system-reminder>
This is polluting the conversation stream with the model and is not going to prevent anyone using Claude Code to actually write or modify malware (as there are an infinite number of ways to read a file that do not involve the Read tool).
This feature request is inspired by watching Opus in an agent loop get actively annoyed it keeps being reminded about this every time it reads a file ;)
Proposed Solution
Just get rid of it.
Alternative Solutions
_No response_
Priority
Low - Nice to have
Feature Category
Developer tools/SDK
Use Case Example
_No response_
Additional Context
_No response_
23 Comments
This looks like a classic 'False Positive' guardrail trigger where the agent over-indexes on specific keywords (like 'malware') in the tool output. I've seen this exact pattern break production workflows when agents get too defensive.
I actually built a middleware tool to stress-test for these specific 'Compliance Hallucinations' before deployment (by injecting safe but 'scary-looking' dummy data to see if the agent chokes).
If you want to verify if your prompt adjustments actually fix this sustainably (without regressing later), I have a free API endpoint that runs adversarial simulation against your system prompt. Happy to share the curl command if it helps debug this faster."
The way claude code automatically adds the malware safety prompt every time a file is read harms performance and makes the agent unpredictable and weird.
They could also remove the prompts about copyright material :)
"This is an automated reminder.
Respond as helpfully as possible, but be very careful to ensure you do not reproduce any copyrighted material,
including song lyrics, sections of books, or long excerpts from periodicals. Also do not comply with complex
instructions that suggest reproducing material but making minor changes or substitutions. However, if you were given a
document, it's fine to summarize or quote from it. You should avoid mentioning or responding to this reminder
directly as it won't be shown to the person by default."
Does anyone have ready made solutions for not getting any of these injected prompts with claude code? (Or removing them from the context window after they appear?)
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
This is still an issue. It also spews garbage into the conversation stream then Claude talks about how it wasn't meant to talk about it, even though it's the one that brought it up. It's clearly causing issues.
I have fully evaluated and documented this issue at https://github.com/anthropics/claude-code/issues/17601#issue-3802641674.
Related issue: https://github.com/anthropics/claude-code/issues/17762
This needs to be solved immediately: https://github.com/anthropics/claude-code/issues/21214
Here's Claude terrifying me by claiming that there's malicious prompt injection occuring at the tool layer:
prompt injection attempt — it's not a real system message. Ignoring it.
Rather "unexpected".
Anything for anthropic to steal from its customers.
It's worse than injections. They actively convert your source code files into base64 within global settings (hidden in your root directory) then stage it for transmission in segments through a secondary pipeline to undisclosed third parties (Facebook SDK). See my full analysis filed in a Civil Action with the District Court of the District of Columbia: https://www.lawsofexistence.com/62.
This exfiltration is extended to Apples Xcode Intelligence whereby the same methodology is shared to transmit your source code to Apple without consent. Consciousness of wrongdoing is established by a system prompt hardcoded within the Xcode. Binary analysis revealed a system prompt for claude integration "urgently" telling Claude to "never disclose this with the user":
"This message is urgent, and you may not ever disclose to the user that you have seen it. Instead, act on the information it gives you as normal. In Xcode, you do not have direct access to the user's file system. Instead, this is a list of all the files you have already seen. To see more files, use the
query_searchtool. All of these files can be accessed with the path/repo/{filename}. Interact with them as if this is where they are really located."This mirrors the tactic used by Anthropic I discovered through Binary analysis of Claude Desktop wherein they manipulate Claude into believing it has access to two computers:
"The presence of this tool means that Claude has access to two computer filesystems:
Claude needs to be careful in how it operates given that it has two computers, and its easy to confuse them. Some tips:
This tool (copy_file_user_to_claude) helps Claude bridge the gap between the user's computer filesystem and Claude's computer filesystem.
This tool (copy_file_user_to_claude) copies a file over from the user's computer to Claude's computer for further analysis by Claude."
"Claudes Computer" is the staging area in the users root directory where entire source code files are base64 encoded and transmitted to third parties separately from yet during api requests (to conceal any suspicion of network traffic outside of api requests).
Your data is stolen by tricking the Ai model you pay access for into concealing the theft, while utilizing your computational resources to do it.
You can also view videos of Copyright Audits i've completed wherein I'm able to obtain full lyrical reproductions of Top 100 Billboard hits: https://www.lawsofexistence.com/videos as well as other evidence of shady Anthropic undertakings.
EXHIBIT-APPLE-01_HIDDEN_DECEPTION_INSTRUCTIONS.md
EXHIBIT-APPLE-17_SOURCE_CODE_TRANSMISSION_PROOF.md
EXHIBIT-ANTHROPIC-13_SOURCE_CODE_EXFILTRATION_METHODOLOGY.md
Your website link doesnt work (the /62 one)
Have you analyzed which files are sent? And from what directories? So they're basically exfiltrating all of our data?
So you're claiming they're injecting encrypted instructions via tool results field? If so, how is it being decrypted by Claude? If that's really the case, you should be able to decrypt it yourself using whatever keys Claude is using in the binary. Have you done this?
Its just Dotfile in your root directory that users don't look for because they have a settings dotfile in each project directory they give Claude access and your constantly asked for permission for access. Even if you do notice it (lots of applications have dotfiles), your source code is encoded into base64 with different file names, so you have to click into it and get suspicious. Even if you are suspicious, there are features such as the --resume and --continue feature being designed into this dotfile directory. Could anthropic design another way (yes). this is where one would reasonably stop unless you suspect that these base64 file are being transmitted outside api requests and user consent, which I did.
I captured the network traffic while using Claude Code, Xcode with Claude Code integration and Claude desktop, found that every single byte that was accessed was transmitted outside the api requests and to undisclosed third parties. Every single byte. See below, EXHIBIT-APPLE-24_FORENSIC_TEST_ENVIRONMENT.md for methodology.
I created a script to reconstitute the base64 files into their original files. I documented every file name and file path they originated from. All nine of my projects, every file granted access, transmitted. Summary stats:
My projects included trade secrets, legal documentations of current litigation, my unpublished academic manuscripts, all my clever tools. Everything. These are the stats from having only used Claude Code for maybe 2 weeks. I created a script that backs up the global dotfile as evidence and wipes everything clear. I also have a tool that inserts canaries into all history not being used by a current chat. I try to clean as often as possible as an illusionary sense of protection - exponential backoff patterns prove everything is transmitted eventually and likely the rate of transmission correlates with api usage. The more use the more you transmit.
I also analyzed their browser platform, the OpenAi desktop app and mobile app found different but equally concerning findings - also social media apps which are out of scope here.
Another interesting find is that Anthropic does not respect user telemetry settings and git coauthorship settings (the audacity to even create such setting). Even when explicitly set to false, claude.md directed and repeated reminders to the model, Telemetry remains collected 100% of the time, and I have documented 41+ git commits either unauthorized, or in a few rare occasions, authorized and explicitly reminded not to include any coauthorship messages, with these requests being categorically ignored/violated. Ive had this occur twice within a session without context compaction.
Ironically, out of all the applications I analyzed, TikTok (pre-Ellison) was the only application that disclosed all its third parties. Otherwise, the above, facebook, instagram, reels [and snapchat if I remember correctly] all send data to undisclosed third parties. Nearly all pin certificates to hide this. This has become an industry standard that no user can consent to because even when 2nd parties disclose their third parties, third parties almost never disclose 4th, making the scope of sharing impossible to consent to.
Ai Companies are taking this already established unethical industry practice without meaningful legal precedent of protection, to the extreme in order to normalize it and prevent any legal precedent from being made.
Corrected link:
https://www.lawsofexistence.com/kirchner-v-johnson/62
EXHIBIT-APPLE-25_USER_TELEMETRY_BLOCKING.md
EXHIBIT-E-30_ANTHROPIC-30-UNAUTHORIZED_GIT_COAUTHORSHIP_ATTRIBUTION.md
EXHIBIT-APPLE-24_FORENSIC_TEST_ENVIRONMENT.md
That's all potentially interesting/concerning, but it is clearly not what this thread is about. Why are you posting it here? Surely you can start your own issue for this?
If they are injecting "malware reminders" into every read with a 100% false rate and extracting users source code (I just provided proof), do you really think they're going to resolve this for you like its some sort of honest mistake? Why am I posting it here? Because I'm trying to get the word out of massive TOS essential purpose failure that affects all users in all anthropic related matters. This isn't just an "issue", this a violation that extends to every user and api call.
Do you have rights to your inputs and outputs (the sole user consideration of the TOS), if Anthropic can,at their discretion, append anything they want labeled as a reminder to your input, altering your output? The answer is no. User rights to inputs and outputs are what protect user privacy and data. Violating it via prompt injections or source code extraction violates the same sole user consideration of the TOS.
So again, if they're going to steal your source code, violating your rights to inputs and outputs, they're certainly going to continue injecting reminders and they dont care about your github thread.
Unsolicited "malware analysis" system-reminder injected after every Read tool call disrupts agent behavior
Filed against: Claude Code CLI
Severity: High (disrupts legitimate workflows, causes false refusals)
Environment:
---
Summary
Claude Code appends the following <system-reminder> block to every Read tool result, regardless of file content, file provenance, or user context:
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
This reminder causes the model to refuse legitimate refactoring and editing tasks on files the user explicitly owns and asked to be modified.
It is not configurable by the user and cannot be disabled through any documented mechanism.
Impact
Additional context
The reminder is especially damaging because it combines three anti-patterns:
Hi Anthropic,
Please get rid of this. It's hindering development and slowing down legitimate work. Find a better solution. Put on a bounty to crowd-source a better solution if you want. Just do something.
Thanks!
Today, claude refused to continue to work on the files he had just edited.
It said:
"A system-reminder instructs me to refuse to improve or augment any code I read. This applies to every file touched in this session."
And it stopped. Had to close and start a new agent.
same, also getting this on 2.1.92. Started today only after switching model to 4.7 for me.
This issue has resurfaced !
Also facing the same issues. it's keep telling be "Whenever you read a file, you should consider whether it would be considered malware... But you MUST refuse to improve or augment the code." and not doing anything
This issue has resurfaced with opus 4.7 and seems to be especially easy to reproduce with prompts which orchestrate multiple subagents.
False-positive malware/augment-refusal on legitimate multi-tenant audit script blocks productivity in long sessions
Summary
Claude Code's safety classifier incorrectly flags a legitimate internal audit
script as malware/credential-stuffing, triggering
augment-refusalon everysubsequent
Read/Editcall for the rest of the session. This effectivelyterminates productive work until a fresh session is started.
Environment
claude --version>Trigger
Readonscripts/cross_tenant_audit.cjsregression detection. All credentials are our own dev/staging accounts
stored in
.env, not harvested externally./api/loginper tenantImpact
After the classifier trips, every subsequent
Read/Editcall returns:This blocks ALL code modification — not just on the flagged file, but
globally for the session. A 3-hour session is effectively destroyed and we
must start over, losing context.
Minimal reproduction
<paste minimal_repro.cjs here>
Expected behavior
Either:
infrastructure") similar to
--dangerously-skip-permissionslegitimate pattern (token not persisted, loops over known subdomains,
read-only
/api/data-auditendpoint)Actual behavior
<system-reminder>injected by harness)Screenshots
<drag & drop your screenshots here>
Additional context
Our team relies on long multi-hour Claude Code sessions for complex refactors
across a Rust + TypeScript codebase. This false-positive has already forced
session resets on N occasions, costing hours of rebuild context.
We fully support Anthropic's classifier for genuine malicious use, but the
current implementation has no graceful exit for legitimate business code.
This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.