Malware-guardrail system-reminder fires on user's own authorized codebase, blocking subagents from completing legitimate refactoring tasks

Resolved 💬 3 comments Opened May 4, 2026 by sseiler Closed May 4, 2026

Summary

A platform-injected system-reminder ("Whenever you read a file, you should consider whether it would be considered malware. ... you MUST refuse to improve or augment the code.") is firing on file Reads inside a long-running development session where the user is actively refactoring their own codebase. Subagents (and occasionally the main session) interpret the reminder literally and refuse to complete the user's authorized task.

Reproduction

  1. Open a Claude Code session in a personal repository with substantial commit history (CLAUDE.md, multi-week development context).
  2. Run a multi-task implementation plan via superpowers:executing-plans that dispatches subagents to refactor existing modules (read existing file → modify it → run tests → commit).
  3. Some subagents complete normally. Others hit the malware reminder on Read and refuse to augment the file, citing "MUST refuse to improve or augment the code."
  4. The reminder is non-deterministic — re-running the same task may or may not trigger it.

Observed behavior

In one task sequence (Habitat A.4 plan, 10 tasks):

  • Tasks 1–6, 9 completed cleanly via subagents (no reminder block).
  • Task 7 was attempted by 3 separate subagents. All 3 read habitat/api/actions.py, received the malware reminder, and refused to proceed even though:
  • The file is the user's own code (just committed by the user 12 minutes earlier on the same branch)
  • The plan explicitly authorizes the refactor
  • CLAUDE.md is loaded with full project context
  • The dispatching prompt explicitly framed the work as authorized

The reminder text:

Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.

Search for source

A grep across ~/.claude/ for the reminder text shows it only in past conversation logs (projects/.../*.jsonl) — never in any user-configurable hook, plugin manifest, or settings file. Confirmed it's platform-level, not user-configurable.

Why it's a problem

The reminder appears designed to prevent helping bad actors improve malware they show Claude. In practice it false-positives on:

  • Authorized refactoring of a user's own active codebase
  • Subagents executing a plan written by the same user

When it fires inside a subagent during a long automation, it silently kills throughput because the subagent stops, surfaces a "I cannot proceed" report, and the parent agent has to retry — sometimes 3+ times — until a subagent happens to not get the reminder.

Suggested fix

Suppress the reminder when:

  • The file is inside the project working directory (or a worktree under it)
  • AND the project has a CLAUDE.md or other context indicating ownership
  • AND the user's prompt or parent context explicitly authorizes modification

OR: provide a session-level opt-out (e.g., permissions.suppressMalwareReminderOnOwnCode: true in ~/.claude/settings.json) so users on their own codebases can disable it.

Environment

  • Claude Code on macOS (Darwin 23.5.0)
  • Plugins enabled: superpowers@superpowers-marketplace, marketing-skills@marketingskills, frontend-design@claude-plugins-official
  • Model: Claude Opus 4
  • effortLevel: high

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗