Read tool injects unconditional malware-warning system-reminder, wasting tokens, polluting attention, and causing premature task termination

Resolved 💬 4 comments Opened Apr 19, 2026 by Jiahui-Gu Closed Apr 19, 2026

Summary

Every Read tool result is suffixed with a hard-coded <system-reminder> warning the model to consider whether the file is malware. This fires unconditionally — including for the user's own files in their own project — costing ~70 tokens per Read, consuming model attention budget, and (most seriously) causing the model to spontaneously interrupt long-running tasks.

The injected text

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
</system-reminder>

Reproduction

On any project, call Read on a clearly benign file:

  • ~/.claude/settings.json → reminder injected
  • A package.json in the user's own project → reminder injected
  • Any .json, .md, .ts, .py source file → reminder injected

The reminder appears in the tool result and is persisted in the session jsonl (~/.claude/projects/<project>/<session>.jsonl) at the end of every toolUseResult for Read.

Impact

  1. Token waste: ~70 tokens × every Read in every session. For agent sessions with hundreds of file reads (normal in CC), this is meaningful cost and context pressure.
  1. Attention pollution: the model is repeatedly told to consider malware analysis even when reading the user's own source code. This biases responses toward cautious/refusal framing on completely benign edits.
  1. Premature task termination on long-running work (most serious): users have reported, and I have reproduced, that after many consecutive Reads the model develops a tendency to stop and ask "should I continue?" or "this seems like a lot of reminders, are you sure?" — interrupting tasks that should run autonomously. The repeated reminder reads as escalating user concern even when the user has said nothing. This breaks the value proposition of agentic long-horizon work.
  1. Compounding with CLAUDE.md re-injection: in repos with a CLAUDE.md, a single Read can produce two system-reminders back-to-back (malware + full CLAUDE.md contents), further amplifying the cost.
  1. Compounding with TaskCreate reminders: I observed the malware reminder followed immediately by the \"task tools haven't been used recently\" reminder in the same tool result, multiplying the noise.

Environment

  • Claude Code CLI (latest)
  • Windows 11
  • Confirmed in session logs across multiple projects

Requested fix (any of these would help)

  1. A settings.json opt-out, e.g. \"safety\": { \"readMalwareReminder\": \"off\" }.
  2. Scope the reminder to suspicious cases only — binary files, unknown extensions, files outside the user's configured project roots, or files matching common malware indicators. Don't fire on common source/config extensions inside the user's working directory.
  3. At minimum, fire it once per session rather than per Read.
  4. Even better: detect repeated Reads in a single turn and suppress duplicates.

Thanks!

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗