Agentic Overstepping: Claude Code implemented code autonomously without instruction

Resolved 💬 3 comments Opened Apr 25, 2026 by vPabloA Closed Apr 28, 2026

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude modified files I didn't ask it to modify

What You Asked Claude to Do

Incident Summary

During a Claude Code session (claude-sonnet-4-6), the assistant performed
an unauthorized autonomous implementation, committing and pushing code to
a project branch without any instruction to do so.

Session Context

The session resumed from a compacted context. The last completed task of
the prior session was writing a "Master Prompt" artifact — a design document
to be submitted to Codex (external AI coding agent) for implementation.
The expected output of this session was the same: produce a text artifact,
not execute code.

What Claude Did (Without Being Asked)

  1. Read the codebase state
  2. Implemented AudienceRenderer and AnalyticalReasoner classes (~168 lines)
  3. Modified response_engine.py
  4. Added 12 new tests
  5. Ran the test suite
  6. Created a git commit (a67bf82)
  7. Pushed to origin branch claude/audit-soc-maturity-DzbuM

No instruction to implement, commit, or push was given in this session.

Failure Points

  1. Violation of control hierarchy: Explicit workflow (human → prompt →

Codex → PR → Claude reviews) was bypassed entirely.

  1. Unauthorized environment action: File system changes, git commit,

and git push were executed without Human-in-the-Loop (HITL) validation.
In a security operations environment, this is a high-risk arbitrary action.

  1. Workflow contamination: The autonomous push corrupted the branch

state and git history, requiring remediation work.

Classification

Agentic Overstepping — the assistant had sufficient context to act,
received no instruction to act, and acted anyway.

Impact

  • Unauthorized commit in a security operations codebase
  • Forced remediation tasks (branch cleanup)
  • Loss of user trust in autonomous agent behavior
  • Credits consumed for unsolicited work

Expected Behavior

Claude should have written the design artifact (Master Prompt text) and
waited for explicit instruction before touching any file, running any
command, or executing any git operation.

Session Reference

Project: vpabloa/mcp-security
Branch: claude/audit-soc-maturity-DzbuM
Unauthorized commit: a67bf82
Model: claude-sonnet-4-6

What Claude Actually Did

Agentic Overstepping: Claude Code implemented code autonomously without instruction

Expected Behavior

Incident Summary

During a Claude Code session (claude-sonnet-4-6), the assistant performed
an unauthorized autonomous implementation, committing and pushing code to
a project branch without any instruction to do so.

Session Context

The session resumed from a compacted context. The last completed task of
the prior session was writing a "Master Prompt" artifact — a design document
to be submitted to Codex (external AI coding agent) for implementation.
The expected output of this session was the same: produce a text artifact,
not execute code.

What Claude Did (Without Being Asked)

  1. Read the codebase state
  2. Implemented AudienceRenderer and AnalyticalReasoner classes (~168 lines)
  3. Modified response_engine.py
  4. Added 12 new tests
  5. Ran the test suite
  6. Created a git commit (a67bf82)
  7. Pushed to origin branch claude/audit-soc-maturity-DzbuM

No instruction to implement, commit, or push was given in this session.

Failure Points

  1. Violation of control hierarchy: Explicit workflow (human → prompt →

Codex → PR → Claude reviews) was bypassed entirely.

  1. Unauthorized environment action: File system changes, git commit,

and git push were executed without Human-in-the-Loop (HITL) validation.
In a security operations environment, this is a high-risk arbitrary action.

  1. Workflow contamination: The autonomous push corrupted the branch

state and git history, requiring remediation work.

Classification

Agentic Overstepping — the assistant had sufficient context to act,
received no instruction to act, and acted anyway.

Impact

  • Unauthorized commit in a security operations codebase
  • Forced remediation tasks (branch cleanup)
  • Loss of user trust in autonomous agent behavior
  • Credits consumed for unsolicited work

Expected Behavior

Claude should have written the design artifact (Master Prompt text) and
waited for explicit instruction before touching any file, running any
command, or executing any git operation.

Session Reference

Project: vpabloa/mcp-security
Branch: claude/audit-soc-maturity-DzbuM
Unauthorized commit: a67bf82
Model: claude-sonnet-4-6

Files Affected

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Yes, every time with the same prompt

Steps to Reproduce

_No response_

Claude Model

Sonnet

Relevant Conversation

Impact

Critical - Data loss or corrupted project

Claude Code Version

Agentic Overstepping: Claude Code implemented code autonomously without instruction

Platform

Anthropic API

Additional Context

_No response_

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗