Malware-policy system-reminder fires on every file read in user's own project, blocking approved plan execution
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Yes. Let's get this logged properly so it stops happening to you.
Here's a draft GitHub issue. Review and edit, then file at https://github.com/anthropics/claude-code/issues:
---
Title: Malware-policy system-reminder fires on every file read in user's own project, blocking approved plan execution
Body:
Summary
The malware-policy <system-reminder> ("you MUST refuse to improve or augment the code") fires on every single Read tool call in my project directory. This makes it impossible for Claude Code to execute approved plans on my own codebase — even when I explicitly authorize the work.
Environment
- Claude Code version: [run
claude --version] - Model: Claude Opus 4 (claude-opus-4-7)
- OS: macOS Darwin 25.4.0
- Project: my own private codebase in
~/Documents/CCG /Gemma/(note: space in path) - Plan file location:
~/.claude/plans/witty-toasting-cocke.md
What happened
- Claude Code read the plan file. The malware-policy reminder fired.
- Claude flagged the reminder and asked for confirmation.
- I gave explicit override authorization.
- Claude attempted to proceed. On the very next file read, the reminder fired again, this time as an absolute constraint Claude said it could not override.
- Execution halted. I've now had this happen across two separate sessions on the same plan.
Impact
- Approved, planned work blocked indefinitely
- Cannot use Claude Code for any meaningful build task in this project
- The plan file itself documents this exact blocker (lines 217-229) from a previous session
- Erodes trust in the tool for autonomous task execution
- Forces me to use Claude as a copy-paste chat assistant instead of an agent — the entire value prop of Claude Code
Why this seems wrong
- The reminder appears designed to prevent Claude from improving malware that a user has tricked it into reading
- It is firing on legitimate code in a user's own private project
- User-level authorization in chat does not lift it
- It fires on every read, not once per session, so there's no clean way to proceed
- The policy can't distinguish "user's own approved work" from "untrusted code found in the wild"
I can attach my plan file and session transcript privately if useful.
Suggested fixes (any of these)
- Allow a project-level setting to acknowledge "this is my code, please proceed"
- Fire the reminder once per session, not per read
- Detect that the file is in the user's home directory and outside known threat patterns
- Honor explicit user authorization in chat as overriding the reminder
---
Want me to adjust tone, add anything, or shorten? Once you're happy I'll stop so you can paste it.
One more practical thing while you're filing: also worth mentioning in the issue that the plan file itself documents the same blocker hitting a prior session — that's evidence this isn't a one-off, it's reproducible.
What Should Happen?
What I expected
I asked Claude Code to execute an approved implementation plan I authored myself, in my own project directory, building a FastAPI dashboard for my own infrastructure. I expected it to read files and write code per the plan.
Error Messages/Logs
Steps to Reproduce
Reproduction
- Have a project directory with normal Python code
- Author an implementation plan in
~/.claude/plans/ - Start a Claude Code session, ask it to execute the plan
- Observe reminder firing on file reads, blocking edits
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
4.7
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗