[BUG] Skill triggers activate post-compaction with degraded context, ignoring settings.json permissions
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When a conversation reaches context limit (~100K tokens) and gets compacted,
skill triggers with automatic activation load WITHOUT user consent over
DEGRADED/COMPRESSED context, violating settings.json permissions.
### Symptoms Observed:
- Skills auto-load post-compaction without explicit invocation
- Triggers ignore
settings.jsonallow/deny configuration - Skills receive COMPRESSED context instead of full context
- Skills load with different model than configured (sonnet instead of haiku)
- Output includes invalid analysis over truncated data (~30-50KB of noise)
### Example from User Report:
✻ Conversation compacted (ctrl+o for history)
⎿ Read tests/products/products.test.js (117 lines)
⎿ Read tests/auth/auth.test.js (114 lines)
⏺ Skill(k6-best-practices)
⎿ Successfully loaded skill · claude-sonnet-4-6 ← NOT REQUESTED, WRONG MODEL
⏺ Skill(performance-report-analysis)
⎿ Successfully loaded skill · claude-sonnet-4-6 ← NOT REQUESTED, WRONG MODEL
User's settings.json has:
```json
{
"permissions": {
"allow": ["Skill(deploy)"], // Only deploy allowed
"deny": [],
"ask": []
},
"model": "haiku" // But skills load with sonnet
}
Despite this configuration, two skills loaded automatically that were:
- NOT in the allow list
- NOT explicitly invoked
- Loaded with wrong model
What Should Happen?
```markdown
Post-compaction behavior should be one of:
Option A (Recommended):
- DO NOT evaluate skill triggers over compressed context
- Triggers should ONLY evaluate NEW user input (text after compaction)
- settings.json permissions must be checked BEFORE loading skill
- Use configured model from settings.json, not hardcoded values
Option B (Alternative):
- If triggers MUST evaluate post-compaction:
- Pass FULL context to skill, not compressed summary
- Check settings.json permissions FIRST
- Use configured model (haiku, not sonnet)
- Only load if explicitly invoked with /skill-name
Expected behavior:
- Skill triggers respect settings.json allow/deny/ask configuration
- Model selection honors user config
- Post-compaction does not trigger skill loading on degraded context
Error Messages/Logs
Environment: Claude Code v2.1.90, macOS 25.3.0, Haiku 4.5
Project: k6-practice-load (performance testing with k6 framework)
Skill Triggers in context:
- k6-best-practices (TRIGGER: whenever user mentions k6, load testing)
- performance-report-analysis (TRIGGER: whenever performance tests mentioned)
Post-compaction message observed:
⏺ Skill(k6-best-practices)
⎿ Successfully loaded skill · claude-sonnet-4-6
⏺ Skill(performance-report-analysis)
⎿ Successfully loaded skill · claude-sonnet-4-6
Result: ~30-50KB of unsolicited analysis output about compressed data
Steps to Reproduce
### Prerequisites:
- Claude Code v2.1.90+ (any version with skill triggers)
- Project with skill triggers defined (k6, performance-testing, etc.)
- settings.json with restrictive skill permissions:
```json
{
"permissions": {
"allow": ["Skill(deploy)"], // Only deploy
"ask": [],
"deny": []
},
"model": "haiku"
}
Steps:
- Create triggering context — Ask Claude to read k6 test files
Read tests/auth/auth.test.js and tests/products/products.test.js
- Extend conversation — Continue asking questions to reach ~80-100K tokens
What are the P95 SLAs? What's the difference in VUs between auth and products?
- Observe compaction — Wait for message:
✻ Conversation compacted (ctrl+o for history)
- Check output — Immediately after compaction, look for:
⏺ Skill(k6-best-practices)
⎿ Successfully loaded skill · claude-sonnet-4-6
- Verify bug — Confirm:
- ✅ Skills loaded WITHOUT user request
- ✅ Skills NOT in settings.json allow list
- ✅ Loaded with sonnet (not haiku from config)
- ✅ Generate analysis over compressed context (invalid findings)
Expected Result (Bug Confirmation):
Skills should NOT auto-load. If they load, they must:
- Respect settings.json allow/deny/ask
- Use configured model
- Have full context, not compressed
Claude Model
Other
Is this a regression?
Yes, this worked in a previous version
Last Working Version
v2.0.x (before post-compaction skill loading was introduced)
Claude Code Version
2.1.92 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Configuration File
User's settings.json restricts skills but triggers bypass permissions:
```json
{
"permissions": {
"allow": ["Skill(deploy)"],
"deny": [],
"ask": []
},
"model": "haiku"
}
Environment Details
- Claude Code: v2.1.90
- macOS: 25.3.0 (Darwin)
- Project: k6-practice-load (performance testing)
- Context size at compaction: ~100K tokens
Skills Available (with automatic triggers):
- k6-best-practices — triggers on "k6", "load testing", "VUs"
- performance-report-analysis — triggers on "performance tests"
- performance-testing-strategy — triggers on "testing strategy"
Related Documentation
- Skill trigger definitions: defined in system-reminder context
- Reproducible in: any project with skill triggers + 100K+ token conversations
- First observed: After conversation compaction with k6 performance testing context
Impact Assessment
- Frequency: Once per ~100K token compaction
- Noise: 30-50KB of unintended output
- Data quality: Analysis on compressed/truncated context = invalid findings
- User friction: Interrupts workflow, generates false positives
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗