[MODEL] /audit in Anthropic Tutorial custom command lacks guardrails for breaking changes — causes excessive token usage

Resolved 💬 3 comments Opened Apr 23, 2026 by veratechnz Closed Apr 27, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude modified files I didn't ask it to modify

What You Asked Claude to Do

Body:
Following tutorial 303239 (Claude Code in Action), the /audit command triggered npm audit which flagged
vulnerabilities requiring breaking dependency upgrades. Claude escalated into researching package
compatibility, reading source files, and investigating migration paths instead of staying within the 3-step
script. Result: ~4500 tokens used on a tutorial step that should take ~200.

Fix: Add one line to the command prompt: "Do not investigate or attempt to fix breaking changes. Report
remaining vulnerabilities and move on."

What Claude Actually Did

▎ - Ignored the 3-step script, investigated breaking dependency upgrades across multiple packages, read source
▎ files, checked npm registry for compatible versions, attempted a major AI SDK version upgrade, and fetched
▎ an external URL — all unsolicited.

Expected Behavior

Run npm audit, run npm audit fix, run tests, report output. Done

Files Affected

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Haven't tried to reproduce

Steps to Reproduce

  1. Follow tutorial 303239 on https://anthropic.skilljar.com/claude-code-in-action/303239

Custom Commands step in tutorial
▎ 2. Open the tutorial project with npm dependencies
▎ 3. Enable auto-accept edits
▎ 4. Run /audit as instructed
▎ 5. Observe Claude escalate beyond the 3-step script when npm audit flags vulnerabilities requiring breaking
▎ dependency upgrades

Claude Model

Sonnet

Relevant Conversation

https://claude.ai/code — conversation not shareable, but the issue is reproducible on any project where   npm audit returns breaking changes. The /audit demo made claude go down an npm rabbit hole. Not my command or tutorial. It wasted 5 mins and 4500 tokens


Add to the /audit command prompt: "Do not investigate or attempt to fix breaking changes.    
  ▎ Report remaining vulnerabilities and move on."

Impact

High - Significant unwanted changes

Claude Code Version

claude-sonnet-4-6

Platform

Anthropic API

Additional Context

Add to the /audit command prompt: "Do not investigate or attempt to fix breaking changes.
▎ Report remaining vulnerabilities and move on."

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗