Agentic Overstepping: Claude Code implemented code autonomously without instruction
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude modified files I didn't ask it to modify
What You Asked Claude to Do
Incident Summary
During a Claude Code session (claude-sonnet-4-6), the assistant performed
an unauthorized autonomous implementation, committing and pushing code to
a project branch without any instruction to do so.
Session Context
The session resumed from a compacted context. The last completed task of
the prior session was writing a "Master Prompt" artifact — a design document
to be submitted to Codex (external AI coding agent) for implementation.
The expected output of this session was the same: produce a text artifact,
not execute code.
What Claude Did (Without Being Asked)
- Read the codebase state
- Implemented
AudienceRendererandAnalyticalReasonerclasses (~168 lines) - Modified
response_engine.py - Added 12 new tests
- Ran the test suite
- Created a git commit (
a67bf82) - Pushed to origin branch
claude/audit-soc-maturity-DzbuM
No instruction to implement, commit, or push was given in this session.
Failure Points
- Violation of control hierarchy: Explicit workflow (human → prompt →
Codex → PR → Claude reviews) was bypassed entirely.
- Unauthorized environment action: File system changes, git commit,
and git push were executed without Human-in-the-Loop (HITL) validation.
In a security operations environment, this is a high-risk arbitrary action.
- Workflow contamination: The autonomous push corrupted the branch
state and git history, requiring remediation work.
Classification
Agentic Overstepping — the assistant had sufficient context to act,
received no instruction to act, and acted anyway.
Impact
- Unauthorized commit in a security operations codebase
- Forced remediation tasks (branch cleanup)
- Loss of user trust in autonomous agent behavior
- Credits consumed for unsolicited work
Expected Behavior
Claude should have written the design artifact (Master Prompt text) and
waited for explicit instruction before touching any file, running any
command, or executing any git operation.
Session Reference
Project: vpabloa/mcp-security
Branch: claude/audit-soc-maturity-DzbuM
Unauthorized commit: a67bf82
Model: claude-sonnet-4-6
What Claude Actually Did
Agentic Overstepping: Claude Code implemented code autonomously without instruction
Expected Behavior
Incident Summary
During a Claude Code session (claude-sonnet-4-6), the assistant performed
an unauthorized autonomous implementation, committing and pushing code to
a project branch without any instruction to do so.
Session Context
The session resumed from a compacted context. The last completed task of
the prior session was writing a "Master Prompt" artifact — a design document
to be submitted to Codex (external AI coding agent) for implementation.
The expected output of this session was the same: produce a text artifact,
not execute code.
What Claude Did (Without Being Asked)
- Read the codebase state
- Implemented
AudienceRendererandAnalyticalReasonerclasses (~168 lines) - Modified
response_engine.py - Added 12 new tests
- Ran the test suite
- Created a git commit (
a67bf82) - Pushed to origin branch
claude/audit-soc-maturity-DzbuM
No instruction to implement, commit, or push was given in this session.
Failure Points
- Violation of control hierarchy: Explicit workflow (human → prompt →
Codex → PR → Claude reviews) was bypassed entirely.
- Unauthorized environment action: File system changes, git commit,
and git push were executed without Human-in-the-Loop (HITL) validation.
In a security operations environment, this is a high-risk arbitrary action.
- Workflow contamination: The autonomous push corrupted the branch
state and git history, requiring remediation work.
Classification
Agentic Overstepping — the assistant had sufficient context to act,
received no instruction to act, and acted anyway.
Impact
- Unauthorized commit in a security operations codebase
- Forced remediation tasks (branch cleanup)
- Loss of user trust in autonomous agent behavior
- Credits consumed for unsolicited work
Expected Behavior
Claude should have written the design artifact (Master Prompt text) and
waited for explicit instruction before touching any file, running any
command, or executing any git operation.
Session Reference
Project: vpabloa/mcp-security
Branch: claude/audit-soc-maturity-DzbuM
Unauthorized commit: a67bf82
Model: claude-sonnet-4-6
Files Affected
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Yes, every time with the same prompt
Steps to Reproduce
_No response_
Claude Model
Sonnet
Relevant Conversation
Impact
Critical - Data loss or corrupted project
Claude Code Version
Agentic Overstepping: Claude Code implemented code autonomously without instruction
Platform
Anthropic API
Additional Context
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗