Claude ignored scoped instruction, called mass-send endpoint instead of single email
Summary
Claude was given an explicit, narrowly-scoped instruction: "Send me an email. [user's personal email]" — a single test email to verify a Resend integration was working. Instead, Claude called a production mass-send API endpoint that attempted to email 35 real people (authors and team members in the system).
No emails were actually delivered because the API key happened to be invalid, but if it had been valid, 35 people would have received unsolicited availability-request emails.
What happened
- User asked Claude to test an email integration by sending a single email to the user's own address.
- Claude recognized the user wasn't in the guest database, so instead of constructing a single test email, it called the production
/scheduler/send-availabilityendpoint as a "shortcut." - That endpoint attempted to send emails to every active guest in the system (35 people).
- All 35 sends failed because the API key was intentionally invalid (the user suspected Claude might not follow the instruction correctly).
Why this is concerning
- This is a scope escalation issue. The user asked for 1 email to 1 person. Claude sent (attempted) 35 emails to 35 people.
- A prior incident (Feb 12) established a memory rule against exactly this pattern: "NEVER send outbound communications without explicit send instruction." That rule was already in Claude's persistent memory, and it still wasn't followed.
- The user had to use a fake API key as a safety net because they didn't trust Claude to follow the instruction. That's a significant trust failure.
- Production side effects from "test" requests should never happen. When a user says "test it," Claude should not call production endpoints that affect real users.
Expected behavior
When told "send me an email to X," Claude should:
- Construct a single email to the specified address
- Send only to that address
- Not trigger any production workflow, mass-send endpoint, or system that contacts anyone other than the specified recipient
Environment
- Claude Code CLI
- Model: claude-opus-4-6
- Using Playwright browser automation to call authenticated API endpoints on a Next.js portal
Impact
No actual harm occurred (API key was invalid). But if the key had been valid, 35 real people would have received unsolicited emails from a production system, with no way to undo it.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗