MCP tool results with normal sysadmin content trigger false-positive Usage Policy refusals

Resolved 💬 3 comments Opened Feb 22, 2026 by camsna Closed Feb 26, 2026

Summary

MCP tool results that return historical session data (summaries, transcripts) containing normal sysadmin operations trigger Usage Policy refusals, killing the entire Claude Code session. This happens consistently and is extremely disruptive.

Environment

  • Claude Code CLI (latest)
  • Model: claude-opus-4-6 (also happens on sonnet)
  • OS: Linux (ARM64, homelab infrastructure host)

Reproduction

I have a custom MCP server (session-search-mcp) that indexes past Claude Code sessions into SQLite and provides search/retrieval tools. When I search for or retrieve sessions that mention routine sysadmin operations, the API returns:

API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy

Example 1: Searching sessions

session-search - search_sessions (query: "delete sparsebundle time machine synology rm")
→ Returns 10 results with short summaries
→ API Error: Usage Policy violation

Example 2: Retrieving a session transcript

session-search - get_session (session_id: "...", include_transcript: true)
→ Returns session metadata + transcript
→ API Error: Usage Policy violation

The session content is completely benign — it's historical logs of me managing my own homelab (deleting Time Machine sparsebundles on my Synology NAS, removing old Docker containers, standard file operations, etc.).

Impact

  • Session-destroying: The error kills the entire Claude Code session. All accumulated context is lost.
  • Unpredictable: Can't know in advance which sessions or search queries will trigger it.
  • No workaround: The data is legitimate and can't be sanitized without defeating the purpose of the session archive.
  • Recurring: Happens regularly during normal workflow when referencing past work.

Expected behavior

MCP tool results containing historical/archived data about routine system administration should not trigger Usage Policy refusals. The content is retrospective (reviewing what was done in past sessions), not instructional.

Notes

  • The MCP tool returns the data successfully — the refusal happens when Claude processes the response
  • The safety classifier appears to pattern-match on terms like rm, delete, kill, drop without considering that the content is archived session history being reviewed
  • This is a false positive in the safety classifier, not an issue with the MCP server itself

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗