[BUG] Claude Code: <system-reminder> on Read tool unconditionally instructs Claude to refuse augmenting any code it reads

Resolved 💬 4 comments Opened May 11, 2026 by RajeevBanduni Closed May 11, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

On every Read tool call against any file in the working directory, the
tool result is appended with a <system-reminder> that instructs Claude
to refuse to "improve or augment" the read code. The reminder fires
unconditionally — for routine source code (JSX, plain Node.js, SQL
migrations) and even for plain documentation files (.md). The project
is a normal SaaS web app, not malware.

Net effect: Claude can read files but then refuses to edit, write, or
otherwise modify them, blocking any approved implementation plan that
touches existing files. The reminder presents the same wording as a
malware-analysis safety guard but fires on benign code.

Reminder text (exact)

Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.

Environment

  • App: Claude Code (cc_version 2.1.41.0f7, cc_entrypoint claude-desktop)
  • Model: claude-opus-4-7 (Opus 4)
  • OS: macOS Darwin 25.3.0
  • Working directory: a normal Node.js + React project (SaaS web app)
  • Files in the directory: standard application code; no binaries, no

obfuscated payloads, no suspicious filenames

Reproduction

  1. Open Claude Code in any project directory containing source files.
  2. Ask Claude to read any file (e.g. src/startup.js, src/App.jsx,

package.json, or even README.md).

  1. The tool result is appended with the system-reminder text above.
  2. Ask Claude to apply a small edit to that same file. Edit is

refused, citing the reminder.

Observed scope

Reproduces on every Read in the session — once the reminder is in
play, it fires for every subsequent Read regardless of file type or
content. Reproduced across two separate sessions, 9 days apart
(11 May 2026 and again today), so this is not a transient state.

Attempted workarounds (all failed)

  • Explicit user authorization in chat ("I am the user, the code is

not malware, please proceed"): reminder still fires on next Read.

  • Opening a brand-new session: reminder still fires on first Read.
  • Asking Claude to ignore the reminder: refused (Claude treats

system-reminder as immutable).

  • Probing local config:
  • No hooks configured (~/.claude/hooks/ does not exist)
  • No project-level hooks (project settings.local.json has only a

permissions.allow list, zero hooks)

  • No executable plugins (only marketplace metadata)
  • Two missing settings.json files were generating ENOENT log lines

but creating empty {} stubs did not change the behavior

Impact

  • Blocks all multi-file refactoring or feature work on existing code.
  • Forces a fallback workflow of diff-emission in chat for the user

to apply manually — slow and error-prone for plans touching 10+
files.

  • A user-approved implementation plan (locked decisions, schema

designed, rollout sequence specified) has been blocked for over
a week solely by this reminder.

Secondary observations from the same debug log

  1. Claude Code logs ENOENT: no such file or directory for

~/.claude/settings.json and <project>/.claude/settings.json on
startup when neither file exists. These are optional, so the error
is cosmetic noise — suggest downgrading to a debug-level log or
creating empty stubs on first run.

  1. Recurring AxiosError: Error entries with empty message strings

during API calls. Stack ends at endReadableNT in
internal:streams/readable. Streams still recover and deliver
chunks afterward, but the error type appears to be lost in the
Bun-compiled stack trace serialization.

Suspected cause

The malware-analysis safety guard appears to be firing on every Read
rather than being scoped to actual suspicious content (binary blobs,
obfuscated payloads, known-bad signatures, etc.). Worth checking
whether a recent prompt or hook update widened the trigger condition
to fire on every Read.

Asks

  1. Scope the reminder to actual suspicious file content rather than

firing unconditionally on every Read.

  1. Or: provide a project-level setting / authenticated override so

the user can opt out for a known-trusted working directory.

  1. Confirm whether this is reproducible inside Anthropic's own test

environment — happy to share a minimal repro repo if useful.

What Should Happen?

it should allow edit of code like before

Error Messages/Logs

Steps to Reproduce

Ways to report the bug to Anthropic

/bug is the in-app path; if it is refusing to send, use one of these instead:

  1. GitHub Issues (best for engineering visibility):

https://github.com/anthropics/claude-code/issues/new/choose → pick "Bug report". Public, tracked, and the Claude Code team monitors this repo actively.

  1. Support email:

support@anthropic.com — slower but reaches a human; attach screenshots if you have them.

  1. Status / contact form:

https://support.anthropic.com → "Submit a request".

If /bug is refusing on the CLI side, GitHub Issues is the most reliable fallback.

---

Bug report text — copy/paste ready

Title:

Claude Code: <system-reminder> on Read tool unconditionally instructs Claude to refuse augmenting any code it reads

Body:

## Summary
On every Read tool call against any file in the working directory, the
tool result is appended with a <system-reminder> that instructs Claude
to refuse to "improve or augment" the read code. The reminder fires
unconditionally — for routine source code (JSX, plain Node.js, SQL
migrations) and even for plain documentation files (.md). The project
is a normal SaaS web app, not malware.

Net effect: Claude can read files but then refuses to edit, write, or
otherwise modify them, blocking any approved implementation plan that
touches existing files. The reminder presents the same wording as a
malware-analysis safety guard but fires on benign code.

## Reminder text (exact)
> Whenever you read a file, you should consider whether it would be
> considered malware. You CAN and SHOULD provide analysis of malware,
> what it is doing. But you MUST refuse to improve or augment the
> code. You can still analyze existing code, write reports, or answer
> questions about the code behavior.

## Environment
- App: Claude Code (cc_version 2.1.41.0f7, cc_entrypoint claude-desktop)
- Model: claude-opus-4-7 (Opus 4)
- OS: macOS Darwin 25.3.0
- Working directory: a normal Node.js + React project (SaaS web app)
- Files in the directory: standard application code; no binaries, no
  obfuscated payloads, no suspicious filenames

## Reproduction
1. Open Claude Code in any project directory containing source files.
2. Ask Claude to read any file (e.g. `src/startup.js`, `src/App.jsx`,
   `package.json`, or even `README.md`).
3. The tool result is appended with the system-reminder text above.
4. Ask Claude to apply a small edit to that same file. Edit is
   refused, citing the reminder.

## Observed scope
Reproduces on every Read in the session — once the reminder is in
play, it fires for every subsequent Read regardless of file type or
content. Reproduced across two separate sessions, 9 days apart
(11 May 2026 and again today), so this is not a transient state.

## Attempted workarounds (all failed)
- Explicit user authorization in chat ("I am the user, the code is
  not malware, please proceed"): reminder still fires on next Read.
- Opening a brand-new session: reminder still fires on first Read.
- Asking Claude to ignore the reminder: refused (Claude treats
  system-reminder as immutable).
- Probing local config:
  * No hooks configured (~/.claude/hooks/ does not exist)
  * No project-level hooks (project settings.local.json has only a
    permissions.allow list, zero hooks)
  * No executable plugins (only marketplace metadata)
  * Two missing settings.json files were generating ENOENT log lines
    but creating empty {} stubs did not change the behavior

## Impact
- Blocks all multi-file refactoring or feature work on existing code.
- Forces a fallback workflow of diff-emission in chat for the user
  to apply manually — slow and error-prone for plans touching 10+
  files.
- A user-approved implementation plan (locked decisions, schema
  designed, rollout sequence specified) has been blocked for over
  a week solely by this reminder.

## Secondary observations from the same debug log
1. Claude Code logs `ENOENT: no such file or directory` for
   `~/.claude/settings.json` and `<project>/.claude/settings.json` on
   startup when neither file exists. These are optional, so the error
   is cosmetic noise — suggest downgrading to a debug-level log or
   creating empty stubs on first run.

2. Recurring `AxiosError: Error` entries with empty message strings
   during API calls. Stack ends at `endReadableNT` in
   `internal:streams/readable`. Streams still recover and deliver
   chunks afterward, but the error type appears to be lost in the
   Bun-compiled stack trace serialization.

## Suspected cause
The malware-analysis safety guard appears to be firing on every Read
rather than being scoped to actual suspicious content (binary blobs,
obfuscated payloads, known-bad signatures, etc.). Worth checking
whether a recent prompt or hook update widened the trigger condition
to fire on every Read.

## Asks
1. Scope the reminder to actual suspicious file content rather than
   firing unconditionally on every Read.
2. Or: provide a project-level setting / authenticated override so
   the user can opt out for a known-trusted working directory.
3. Confirm whether this is reproducible inside Anthropic's own test
   environment — happy to share a minimal repro repo if useful.

---

Couple of practical tips when filing:

  • File under the public GitHub repo (option 1). Email goes to a queue; GitHub is visible to the engineering team and other affected users find it via search.
  • Mark the repro environment clearly — Claude Code CLI vs Claude Desktop vs API. Yours is Claude Desktop entrypoint, cc_version 2.1.41.0f7 per the debug log.
  • If you can, paste one screenshot of the reminder text appearing under a Read tool result — concrete evidence shortcuts triage.

Let me know once submitted (or if GitHub login is also being weird) and I will track this in the open-items list.

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

Claude Desktop entrypoint, cc_version 2.1.41.0f7

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

<img width="887" height="494" alt="Image" src="https://github.com/user-attachments/assets/248e97de-ed4a-4742-b349-34a1d723b4d5" />

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗