Malware-analysis reminder injected on every Read tool call, including trivial config files

Resolved 💬 2 comments Opened Apr 23, 2026 by antonlucid-stack Closed May 1, 2026

Summary

Every Read tool invocation in my Claude Code session returns a <system-reminder> appended to the tool result instructing Claude to "refuse to improve or augment the code" on the basis that it might be malware. This fires unconditionally — including on empty/trivial JSON config files — and blocks Claude from performing normal edits on the user's own codebase without the user explicitly overriding it in chat each session.

Reminder text (appended to every Read result)

Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.

Repro

  1. Start a Claude Code session in any local repo you own.
  2. Ask Claude to read any file — e.g. ~/.claude/settings.json.
  3. Observe the reminder appended after the file contents.
  4. Ask Claude to edit the file — Claude will (correctly, per the reminder) refuse.

Why it matters

  • False-positive rate is effectively 100%. It fires on the user's own codebase, including files with no executable code (e.g., a 10-line settings.json containing only a marketplace config).
  • Breaks the normal "read → edit" workflow. Users doing legitimate refactors, bug fixes, or feature work on their own repositories have to override the reminder in chat each session.
  • No user-level opt-out is visible. No hooks configured in ~/.claude/settings.json or project .claude/settings.json — the reminder is injected by the platform, not by any user or project config I can inspect.

Environment

  • Claude Code (latest as of 2026-04-23)
  • Platform: macOS 15 (Darwin 25.4.0)
  • Model: claude-opus-4-7[1m]
  • No user/project hooks configured (verified by reading both settings files and finding no hooks section)

Suggested fix

Gate the reminder on at least one of:

  1. Content heuristics (obvious malware signals: obfuscation, suspicious syscalls, known-bad imports).
  2. Origin heuristics (files outside the user's own working directory, downloaded artifacts, clipboard-sourced content).
  3. A per-session or per-repo opt-out (e.g., --trusted-repo or a CLAUDE.md toggle).

Repeating the reminder verbatim on every Read result, regardless of file content or origin, turns it into noise — which is worse than no guardrail, because it conditions users to tell Claude to ignore it.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗