[MODEL] /audit in Anthropic Tutorial custom command lacks guardrails for breaking changes — causes excessive token usage
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude modified files I didn't ask it to modify
What You Asked Claude to Do
Body:
Following tutorial 303239 (Claude Code in Action), the /audit command triggered npm audit which flagged
vulnerabilities requiring breaking dependency upgrades. Claude escalated into researching package
compatibility, reading source files, and investigating migration paths instead of staying within the 3-step
script. Result: ~4500 tokens used on a tutorial step that should take ~200.
Fix: Add one line to the command prompt: "Do not investigate or attempt to fix breaking changes. Report
remaining vulnerabilities and move on."
What Claude Actually Did
▎ - Ignored the 3-step script, investigated breaking dependency upgrades across multiple packages, read source
▎ files, checked npm registry for compatible versions, attempted a major AI SDK version upgrade, and fetched
▎ an external URL — all unsolicited.
Expected Behavior
Run npm audit, run npm audit fix, run tests, report output. Done
Files Affected
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Haven't tried to reproduce
Steps to Reproduce
- Follow tutorial 303239 on https://anthropic.skilljar.com/claude-code-in-action/303239
Custom Commands step in tutorial
▎ 2. Open the tutorial project with npm dependencies
▎ 3. Enable auto-accept edits
▎ 4. Run /audit as instructed
▎ 5. Observe Claude escalate beyond the 3-step script when npm audit flags vulnerabilities requiring breaking
▎ dependency upgrades
Claude Model
Sonnet
Relevant Conversation
https://claude.ai/code — conversation not shareable, but the issue is reproducible on any project where npm audit returns breaking changes. The /audit demo made claude go down an npm rabbit hole. Not my command or tutorial. It wasted 5 mins and 4500 tokens
Add to the /audit command prompt: "Do not investigate or attempt to fix breaking changes.
▎ Report remaining vulnerabilities and move on."
Impact
High - Significant unwanted changes
Claude Code Version
claude-sonnet-4-6
Platform
Anthropic API
Additional Context
Add to the /audit command prompt: "Do not investigate or attempt to fix breaking changes.
▎ Report remaining vulnerabilities and move on."
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗