Read tool results have a "considered malware" <system-reminder> appended, causing model to refuse legitimate edits
Version: Claude Code 2.1.110 (entrypoint: claude-desktop), Agent SDK 0.2.92, macOS
Summary
Every Read tool result returned to the model has the following block appended to its content:
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>
Impact
The reminder is framed as a hard instruction ("MUST refuse to improve or augment the code"). For routine work — editing files in the user's own repo — the model either complies and refuses to write code, or has to explicitly call the reminder out as a likely prompt injection and ignore it. Both are bad UX. In a less-skeptical session it would silently break "read this file then edit it" flows.
Reproduction
- Open Claude Code 2.1.110 in any project
- Ask the model to read any file (e.g.
package.json) - The tool result handed to the model contains the system-reminder above appended after the file contents
Confirmed not user-side
- No
hookssection in~/.claude/settings.jsonor any projectsettings.local.json - All installed plugin
hooks.jsonfiles inspected (financial-analysis,private-equity,ralph-loop,github,claude-code-setup) — none add a PostToolUse hook ralph-loopis disabled inenabledPluginsregardless- The injected text appears in 66 historical session JSONL files across 8 unrelated projects on this machine, and only on
Readtool results — notBash cat ...of the same file. Behavior is tool-specific and global, consistent with a CLI/harness-level addition rather than user config.
JSONL evidence
The text sits inside the tool_result block of user-role messages, appended after the file contents.
Expected
Either: don't inject this reminder at all, or scope it to files outside the project's working directory / files matching specific malware-signature heuristics. As written it fires on every Read of every file, including the user's own source code.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗