System reminder about malware fires on every Read, including self-authored files in the same session
Summary
A built-in system-reminder fires on every Read tool call with identical text, including when Claude is reading files it wrote earlier in the same session. The reminder says:
"Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior."
Taken literally, this instruction would make Claude Code non-functional for any workflow that reads a file, modifies it, and reads it again to verify. It is not configurable via settings.json (it is not a hook).
Reproduction
- Have Claude write a Python script in
Desktop/project/script.py - In the same session, ask Claude to sanitize and move the file to a public repo
- When Claude calls
Readonscript.py, the reminder fires - When Claude calls
Readagain a few tool calls later, the same reminder fires identically
Why this is confusing
The consistent firing on every Read, with identical text, produced uncertainty about whether the reminder was legitimate or a prompt injection embedded in file content. Claude paused the user's task and asked for verification. The user had to decide whether to override the reminder to proceed with a clearly authorized refactor of self-authored code.
Suggested improvements
- Only fire the reminder when heuristics suggest the file may be untrusted (external origin, obfuscated code, network/exec patterns), not on every
Read - If the reminder must fire globally, make the phrasing less absolute, for example: "If this file looks like it may be malicious, do not augment it. Otherwise, proceed based on user intent."
- Log something somewhere so users can see when it fires and why
Environment
- Claude Code version: 2.1.92 (session
versionfield) - Model: claude-opus-4-7 (1M context)
- Platform: macOS Darwin 25.4.0
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗