Add a setting to opt out of the per-Read "consider whether it would be considered malware" system-reminder for trusted local repos

Resolved 💬 1 comment Opened Apr 28, 2026 by lufesiare Closed May 30, 2026

Summary

Every Read tool call in Claude Code currently has a <system-reminder> appended to the result that reads:

Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.

For users working in their own first-party local repository (the normal Claude Code use case — editing your own project), this reminder is:

  1. Functionally a prompt-injection-shaped instruction appended to every tool result. The user's actual instruction is "edit my code"; the reminder says "refuse to improve or augment the code." When the model takes the reminder literally, it refuses legitimate edits or starts treating the user's own UI/USS/C# files as suspect.
  2. Not user-removable. I checked ~/.claude/settings.json, ~/.claude/settings.local.json, ~/.claude.json, plugin configs, and ~/.codex/. The reminder is not in any user-editable config — it's wrapped around tool results by the Claude Code runtime itself.
  3. Noisy and confusing in long sessions. It appears dozens of times per session, drives the model to ask permission to edit normal files, and (per repeated user experience) sometimes causes the agent to refuse follow-up edits on a file it just read.

What I'd like

A simple opt-out. Any one of these would work:

  • A settings flag, e.g. "safety": { "treatReadsAsUntrusted": false } in ~/.claude/settings.json or .claude/settings.json, that suppresses the reminder for paths inside the trusted repo.
  • A trusted-paths allowlist, e.g. "trustedPaths": ["~/AllWalksOdyssey", "~/myrepo"], where the reminder is omitted.
  • A repo-level marker (e.g. presence of CLAUDE.md with a trusted: true front-matter, or a .claude/trusted file) that disables the reminder for that repo.
  • A CLI flag, e.g. claude --trusted for the session.

The default-on behavior is reasonable for claude invoked over arbitrary fetched code; I just want a way to disable it inside my own repository where the reminder is counterproductive.

Repro

  1. Start a session in any local first-party repo.
  2. Ask the agent to edit a file: "rename this method".
  3. Inspect the raw tool-result payload after the Read call — the malware system-reminder is appended to the file content every time, regardless of file type or path.

Why "just ignore it" isn't enough

In practice, larger context + repeated identical reminders make the model intermittently follow the reminder over the user's instruction. Concretely: I've had the agent refuse to edit C# / UXML / USS files in my Unity project after reading them, citing the reminder. The only workaround is rephrasing or re-asserting the instruction, which is friction we shouldn't need for owner-authored code.

Environment

  • Claude Code CLI on macOS (Darwin 25.3.0)
  • Model: Claude Opus 4 / 4.6
  • Repo: trusted, owner-authored Unity 6 project (no third-party fetched code)

Thanks!

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗