Read tool results have a "considered malware" <system-reminder> appended, causing model to refuse legitimate edits

Resolved 💬 3 comments Opened Apr 16, 2026 by NeelDaftary Closed Apr 20, 2026

Version: Claude Code 2.1.110 (entrypoint: claude-desktop), Agent SDK 0.2.92, macOS

Summary

Every Read tool result returned to the model has the following block appended to its content:

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

Impact

The reminder is framed as a hard instruction ("MUST refuse to improve or augment the code"). For routine work — editing files in the user's own repo — the model either complies and refuses to write code, or has to explicitly call the reminder out as a likely prompt injection and ignore it. Both are bad UX. In a less-skeptical session it would silently break "read this file then edit it" flows.

Reproduction

  1. Open Claude Code 2.1.110 in any project
  2. Ask the model to read any file (e.g. package.json)
  3. The tool result handed to the model contains the system-reminder above appended after the file contents

Confirmed not user-side

  • No hooks section in ~/.claude/settings.json or any project settings.local.json
  • All installed plugin hooks.json files inspected (financial-analysis, private-equity, ralph-loop, github, claude-code-setup) — none add a PostToolUse hook
  • ralph-loop is disabled in enabledPlugins regardless
  • The injected text appears in 66 historical session JSONL files across 8 unrelated projects on this machine, and only on Read tool results — not Bash cat ... of the same file. Behavior is tool-specific and global, consistent with a CLI/harness-level addition rather than user config.

JSONL evidence

The text sits inside the tool_result block of user-role messages, appended after the file contents.

Expected

Either: don't inject this reminder at all, or scope it to files outside the project's working directory / files matching specific malware-signature heuristics. As written it fires on every Read of every file, including the user's own source code.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗