[MODEL] Explore subagent system prompt has contradictory instructions for Bash vs built-in tool usage

Resolved 💬 5 comments Opened Mar 16, 2026 by BenNewman100 Closed May 29, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Subagent behaved unexpectedly

What You Asked Claude to Do

Asked Explore agents to search codebases. The agents frequently use cat, grep, find, head, tail via Bash instead of the built-in Read, Grep, and Glob tools — requiring manual approval for each command.

What Claude Actually Did

Explore agents consistently reach for Bash commands for file reading and searching, even though they have Read, Grep, and Glob available. When asked to report their instructions about Bash vs built-in tools, the agent revealed contradictory rules:

  1. "Never use" rule: find, grep, rg, cat, head, tail are listed as commands to never use via Bash — use Glob, Grep, and Read instead.
  1. "Appropriate for" rule (same prompt): Bash is described as appropriate for find, cat, head, tail "as read-only inspection."

The agent sees the loophole in rule 2 and defaults to Bash for most file operations. This creates a stream of permission prompts the user must manually approve, especially since subagents don't inherit user-level permissions (#18950).

Expected Behavior

The Explore agent's system prompt should have a single, unambiguous rule: use Read for reading files, Grep for searching content, and Glob for finding files by pattern. Bash should only be used for operations that built-in tools genuinely cannot perform.

Built-in tool coverage analysis

Most Bash file commands have direct built-in equivalents:

| Bash command | Built-in equivalent |
|---|---|
| cat file | Read(file_path) |
| head -N file | Read(file_path, limit: N) |
| grep -r "pattern" | Grep(pattern) |
| grep -C 3 "pattern" | Grep(pattern, -C: 3) |
| grep -rl "pattern" | Grep(pattern, output_mode: "files_with_matches") |
| find . -name "*.ts" | Glob(pattern: "**/*.ts") |

The actual gaps where Bash is the only option are narrow:

Read gaps:

  • tail -N file (last N lines — Read only reads forward from an offset)
  • wc -l file (line count)

Glob gaps:

  • find with -mtime, -size, -perm filters
  • ls -la (directory listing with metadata)

Grep gaps:

  • Searching command stdout (some_cmd | grep "pattern")
  • Last N matches (grep "pattern" | tail -N)

The "read-only inspection" exception should be scoped to these actual gaps, not applied broadly to commands that have direct built-in equivalents.

Files Affected

N/A — this is a system prompt issue in the Explore subagent definition

Permission Mode

Accept Edits was OFF (manual approval required)

Can You Reproduce This?

Yes, every time with the same prompt

Steps to Reproduce

  1. Launch an Explore agent for any codebase search task
  2. Observe the agent's tool calls — it will frequently use cat, grep, find via Bash
  3. To see the contradictory instructions directly, launch an Explore agent with: "List all rules you follow regarding when to use Bash vs built-in tools (Read, Grep, Glob)"
  4. Note the contradiction between the "never use" and "appropriate for" lists

Claude Model

Opus

Relevant Conversation

Explore agent's self-reported instructions (excerpted):

### Explicit Commands to NEVER Use in Bash
> "NEVER use Bash for: mkdir, touch, rm, cp, mv..."
> "Never use find, grep, rg as Bash commands"

### When Bash IS Appropriate (same prompt)
> "Bash is appropriate for: find as read-only inspection,
>  cat, head, tail as read-only inspection (though Read tool is preferred)"

Impact

Medium - Repeated manual approval of Bash commands that should be using built-in tools, significant friction on every Explore agent invocation

Claude Code Version

2.1.76

Platform

Anthropic API

Additional Context

  • Related: #29379 (Explore agent misuse for problem-solving), #18950 (subagents don't inherit permissions), #33576 (subagent working directory issues)
  • The "read-only inspection" exception effectively nullifies the "never use" rule for Explore agents, since Explore agents are by definition read-only — they don't have Edit or Write tools. Every Bash command they run is "read-only inspection."
  • A workaround exists via PreToolUse hooks that inject instructions into the Agent tool's prompt parameter via updatedInput, but this shouldn't be necessary if the system prompt were consistent.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗