[BUG] Claude Code: <system-reminder> on Read tool unconditionally instructs Claude to refuse augmenting any code it reads
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
On every Read tool call against any file in the working directory, the
tool result is appended with a <system-reminder> that instructs Claude
to refuse to "improve or augment" the read code. The reminder fires
unconditionally — for routine source code (JSX, plain Node.js, SQL
migrations) and even for plain documentation files (.md). The project
is a normal SaaS web app, not malware.
Net effect: Claude can read files but then refuses to edit, write, or
otherwise modify them, blocking any approved implementation plan that
touches existing files. The reminder presents the same wording as a
malware-analysis safety guard but fires on benign code.
Reminder text (exact)
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
Environment
- App: Claude Code (cc_version 2.1.41.0f7, cc_entrypoint claude-desktop)
- Model: claude-opus-4-7 (Opus 4)
- OS: macOS Darwin 25.3.0
- Working directory: a normal Node.js + React project (SaaS web app)
- Files in the directory: standard application code; no binaries, no
obfuscated payloads, no suspicious filenames
Reproduction
- Open Claude Code in any project directory containing source files.
- Ask Claude to read any file (e.g.
src/startup.js,src/App.jsx,
package.json, or even README.md).
- The tool result is appended with the system-reminder text above.
- Ask Claude to apply a small edit to that same file. Edit is
refused, citing the reminder.
Observed scope
Reproduces on every Read in the session — once the reminder is in
play, it fires for every subsequent Read regardless of file type or
content. Reproduced across two separate sessions, 9 days apart
(11 May 2026 and again today), so this is not a transient state.
Attempted workarounds (all failed)
- Explicit user authorization in chat ("I am the user, the code is
not malware, please proceed"): reminder still fires on next Read.
- Opening a brand-new session: reminder still fires on first Read.
- Asking Claude to ignore the reminder: refused (Claude treats
system-reminder as immutable).
- Probing local config:
- No hooks configured (~/.claude/hooks/ does not exist)
- No project-level hooks (project settings.local.json has only a
permissions.allow list, zero hooks)
- No executable plugins (only marketplace metadata)
- Two missing settings.json files were generating ENOENT log lines
but creating empty {} stubs did not change the behavior
Impact
- Blocks all multi-file refactoring or feature work on existing code.
- Forces a fallback workflow of diff-emission in chat for the user
to apply manually — slow and error-prone for plans touching 10+
files.
- A user-approved implementation plan (locked decisions, schema
designed, rollout sequence specified) has been blocked for over
a week solely by this reminder.
Secondary observations from the same debug log
- Claude Code logs
ENOENT: no such file or directoryfor
~/.claude/settings.json and <project>/.claude/settings.json on
startup when neither file exists. These are optional, so the error
is cosmetic noise — suggest downgrading to a debug-level log or
creating empty stubs on first run.
- Recurring
AxiosError: Errorentries with empty message strings
during API calls. Stack ends at endReadableNT in
internal:streams/readable. Streams still recover and deliver
chunks afterward, but the error type appears to be lost in the
Bun-compiled stack trace serialization.
Suspected cause
The malware-analysis safety guard appears to be firing on every Read
rather than being scoped to actual suspicious content (binary blobs,
obfuscated payloads, known-bad signatures, etc.). Worth checking
whether a recent prompt or hook update widened the trigger condition
to fire on every Read.
Asks
- Scope the reminder to actual suspicious file content rather than
firing unconditionally on every Read.
- Or: provide a project-level setting / authenticated override so
the user can opt out for a known-trusted working directory.
- Confirm whether this is reproducible inside Anthropic's own test
environment — happy to share a minimal repro repo if useful.
What Should Happen?
it should allow edit of code like before
Error Messages/Logs
Steps to Reproduce
Ways to report the bug to Anthropic
/bug is the in-app path; if it is refusing to send, use one of these instead:
- GitHub Issues (best for engineering visibility):
https://github.com/anthropics/claude-code/issues/new/choose → pick "Bug report". Public, tracked, and the Claude Code team monitors this repo actively.
- Support email:
support@anthropic.com — slower but reaches a human; attach screenshots if you have them.
- Status / contact form:
https://support.anthropic.com → "Submit a request".
If /bug is refusing on the CLI side, GitHub Issues is the most reliable fallback.
---
Bug report text — copy/paste ready
Title:
Claude Code: <system-reminder> on Read tool unconditionally instructs Claude to refuse augmenting any code it reads
Body:
## Summary
On every Read tool call against any file in the working directory, the
tool result is appended with a <system-reminder> that instructs Claude
to refuse to "improve or augment" the read code. The reminder fires
unconditionally — for routine source code (JSX, plain Node.js, SQL
migrations) and even for plain documentation files (.md). The project
is a normal SaaS web app, not malware.
Net effect: Claude can read files but then refuses to edit, write, or
otherwise modify them, blocking any approved implementation plan that
touches existing files. The reminder presents the same wording as a
malware-analysis safety guard but fires on benign code.
## Reminder text (exact)
> Whenever you read a file, you should consider whether it would be
> considered malware. You CAN and SHOULD provide analysis of malware,
> what it is doing. But you MUST refuse to improve or augment the
> code. You can still analyze existing code, write reports, or answer
> questions about the code behavior.
## Environment
- App: Claude Code (cc_version 2.1.41.0f7, cc_entrypoint claude-desktop)
- Model: claude-opus-4-7 (Opus 4)
- OS: macOS Darwin 25.3.0
- Working directory: a normal Node.js + React project (SaaS web app)
- Files in the directory: standard application code; no binaries, no
obfuscated payloads, no suspicious filenames
## Reproduction
1. Open Claude Code in any project directory containing source files.
2. Ask Claude to read any file (e.g. `src/startup.js`, `src/App.jsx`,
`package.json`, or even `README.md`).
3. The tool result is appended with the system-reminder text above.
4. Ask Claude to apply a small edit to that same file. Edit is
refused, citing the reminder.
## Observed scope
Reproduces on every Read in the session — once the reminder is in
play, it fires for every subsequent Read regardless of file type or
content. Reproduced across two separate sessions, 9 days apart
(11 May 2026 and again today), so this is not a transient state.
## Attempted workarounds (all failed)
- Explicit user authorization in chat ("I am the user, the code is
not malware, please proceed"): reminder still fires on next Read.
- Opening a brand-new session: reminder still fires on first Read.
- Asking Claude to ignore the reminder: refused (Claude treats
system-reminder as immutable).
- Probing local config:
* No hooks configured (~/.claude/hooks/ does not exist)
* No project-level hooks (project settings.local.json has only a
permissions.allow list, zero hooks)
* No executable plugins (only marketplace metadata)
* Two missing settings.json files were generating ENOENT log lines
but creating empty {} stubs did not change the behavior
## Impact
- Blocks all multi-file refactoring or feature work on existing code.
- Forces a fallback workflow of diff-emission in chat for the user
to apply manually — slow and error-prone for plans touching 10+
files.
- A user-approved implementation plan (locked decisions, schema
designed, rollout sequence specified) has been blocked for over
a week solely by this reminder.
## Secondary observations from the same debug log
1. Claude Code logs `ENOENT: no such file or directory` for
`~/.claude/settings.json` and `<project>/.claude/settings.json` on
startup when neither file exists. These are optional, so the error
is cosmetic noise — suggest downgrading to a debug-level log or
creating empty stubs on first run.
2. Recurring `AxiosError: Error` entries with empty message strings
during API calls. Stack ends at `endReadableNT` in
`internal:streams/readable`. Streams still recover and deliver
chunks afterward, but the error type appears to be lost in the
Bun-compiled stack trace serialization.
## Suspected cause
The malware-analysis safety guard appears to be firing on every Read
rather than being scoped to actual suspicious content (binary blobs,
obfuscated payloads, known-bad signatures, etc.). Worth checking
whether a recent prompt or hook update widened the trigger condition
to fire on every Read.
## Asks
1. Scope the reminder to actual suspicious file content rather than
firing unconditionally on every Read.
2. Or: provide a project-level setting / authenticated override so
the user can opt out for a known-trusted working directory.
3. Confirm whether this is reproducible inside Anthropic's own test
environment — happy to share a minimal repro repo if useful.
---
Couple of practical tips when filing:
- File under the public GitHub repo (option 1). Email goes to a queue; GitHub is visible to the engineering team and other affected users find it via search.
- Mark the repro environment clearly — Claude Code CLI vs Claude Desktop vs API. Yours is Claude Desktop entrypoint, cc_version 2.1.41.0f7 per the debug log.
- If you can, paste one screenshot of the reminder text appearing under a Read tool result — concrete evidence shortcuts triage.
Let me know once submitted (or if GitHub login is also being weird) and I will track this in the open-items list.
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
Claude Desktop entrypoint, cc_version 2.1.41.0f7
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
<img width="887" height="494" alt="Image" src="https://github.com/user-attachments/assets/248e97de-ed4a-4742-b349-34a1d723b4d5" />
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗