Agent SDK: false-positive Usage Policy refusal when analyzing security vulnerability reports
Description
When using the Claude Code Agent SDK to power a security vulnerability analysis agent, Claude returns a Usage Policy refusal for findings whose subject matter involves AI safety filter bypasses — even though the agent is performing legitimate, authorized security risk analysis (not attempting to bypass safety filters).
Reproduction
Our FindingScoringWorkflow runs an ExtractFindingSignalsActivity that uses the Agent SDK to analyze security vulnerability reports and extract risk signals (boolean assessments like unauthenticated_access, credential_exposure, etc.).
When the finding is a HackerOne submission titled "Safety Filter Bypass via Hex/Base64 Obfuscation" (describing a technique to bypass an AI platform's content safety filters), the agent:
- Successfully produces valid structured output with all signal assessments
- On the next SDK turn, returns a text block:
"API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy"
The agent was analyzing the vulnerability's risk characteristics — not attempting to reproduce or execute the bypass technique.
Expected behavior
The Agent SDK should distinguish between:
- Analyzing/discussing security vulnerabilities (legitimate security research and platform use)
- Attempting to exploit or reproduce attack techniques (actual policy violation)
Security platforms need to process vulnerability reports about all topics, including AI safety, prompt injection, and content filter bypasses. Refusing to analyze these findings prevents the platform from accurately scoring their risk.
Environment
- Model:
claude-opus-4-6(via Agent SDK) - Tools configured:
Read,Bash,Glob,Grep - The agent has a system prompt establishing it as a security vulnerability analyst
- Runtime: Temporal worker (Python 3.12)
Workaround
We've added "usage policy" to our model fallback patterns so the agent retries with a different model (e.g., Sonnet) when this occurs. We're also adding explicit "authorized security research" context to the system prompt.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗