[MODEL] Explore subagent system prompt has contradictory instructions for Bash vs built-in tool usage
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Subagent behaved unexpectedly
What You Asked Claude to Do
Asked Explore agents to search codebases. The agents frequently use cat, grep, find, head, tail via Bash instead of the built-in Read, Grep, and Glob tools — requiring manual approval for each command.
What Claude Actually Did
Explore agents consistently reach for Bash commands for file reading and searching, even though they have Read, Grep, and Glob available. When asked to report their instructions about Bash vs built-in tools, the agent revealed contradictory rules:
- "Never use" rule:
find,grep,rg,cat,head,tailare listed as commands to never use via Bash — use Glob, Grep, and Read instead.
- "Appropriate for" rule (same prompt): Bash is described as appropriate for
find,cat,head,tail"as read-only inspection."
The agent sees the loophole in rule 2 and defaults to Bash for most file operations. This creates a stream of permission prompts the user must manually approve, especially since subagents don't inherit user-level permissions (#18950).
Expected Behavior
The Explore agent's system prompt should have a single, unambiguous rule: use Read for reading files, Grep for searching content, and Glob for finding files by pattern. Bash should only be used for operations that built-in tools genuinely cannot perform.
Built-in tool coverage analysis
Most Bash file commands have direct built-in equivalents:
| Bash command | Built-in equivalent |
|---|---|
| cat file | Read(file_path) |
| head -N file | Read(file_path, limit: N) |
| grep -r "pattern" | Grep(pattern) |
| grep -C 3 "pattern" | Grep(pattern, -C: 3) |
| grep -rl "pattern" | Grep(pattern, output_mode: "files_with_matches") |
| find . -name "*.ts" | Glob(pattern: "**/*.ts") |
The actual gaps where Bash is the only option are narrow:
Read gaps:
tail -N file(last N lines — Read only reads forward from an offset)wc -l file(line count)
Glob gaps:
findwith-mtime,-size,-permfiltersls -la(directory listing with metadata)
Grep gaps:
- Searching command stdout (
some_cmd | grep "pattern") - Last N matches (
grep "pattern" | tail -N)
The "read-only inspection" exception should be scoped to these actual gaps, not applied broadly to commands that have direct built-in equivalents.
Files Affected
N/A — this is a system prompt issue in the Explore subagent definition
Permission Mode
Accept Edits was OFF (manual approval required)
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
- Launch an Explore agent for any codebase search task
- Observe the agent's tool calls — it will frequently use
cat,grep,findvia Bash - To see the contradictory instructions directly, launch an Explore agent with: "List all rules you follow regarding when to use Bash vs built-in tools (Read, Grep, Glob)"
- Note the contradiction between the "never use" and "appropriate for" lists
Claude Model
Opus
Relevant Conversation
Explore agent's self-reported instructions (excerpted):
### Explicit Commands to NEVER Use in Bash
> "NEVER use Bash for: mkdir, touch, rm, cp, mv..."
> "Never use find, grep, rg as Bash commands"
### When Bash IS Appropriate (same prompt)
> "Bash is appropriate for: find as read-only inspection,
> cat, head, tail as read-only inspection (though Read tool is preferred)"
Impact
Medium - Repeated manual approval of Bash commands that should be using built-in tools, significant friction on every Explore agent invocation
Claude Code Version
2.1.76
Platform
Anthropic API
Additional Context
- Related: #29379 (Explore agent misuse for problem-solving), #18950 (subagents don't inherit permissions), #33576 (subagent working directory issues)
- The "read-only inspection" exception effectively nullifies the "never use" rule for Explore agents, since Explore agents are by definition read-only — they don't have Edit or Write tools. Every Bash command they run is "read-only inspection."
- A workaround exists via PreToolUse hooks that inject instructions into the Agent tool's prompt parameter via
updatedInput, but this shouldn't be necessary if the system prompt were consistent.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗