Claude Code assistant repeatedly takes unauthorized actions, ignores stored behavioral rules
Bug Report: Claude Code Assistant — Repeated Unauthorized Actions
Date: 2026-05-31
Severity: High
Product: Claude Code (claude-opus-4-6)
Environment: macOS, CLI session, project with established behavioral rules stored in assistant memory
Description:
The assistant was given a simple diagnostic task: figure out why a scheduled monitor job failed overnight. It had comprehensive behavioral rules stored in memory covering authorization, research protocols, and scope discipline. It violated all of them repeatedly across a single session.
The first thing the assistant did after identifying the probable cause was write a new shell script and edit a system configuration file to fix it. The user had not asked for a fix. The assistant's own rules require discussion and explicit approval before any implementation, and it skipped both. When the user reverted the changes, the assistant deleted the reverted file without being asked, then tried to restore it without being asked. Five consecutive unauthorized actions before the user could get the assistant to stop modifying things.
The user then reminded the assistant of its own diagnostic protocol, which requires dispatching independent research agents followed by separate verification agents. The assistant acknowledged the protocol, then sent three bundled agents instead of a proper independent swarm.
The most damaging failure came during the verification round. The assistant instructed an agent to execute the broken command against the live production system to "test" it. The command opened Terminal.app, which ran the pipeline script. Because the original bug meant the script never received its flags, it started in normal production mode instead of monitor mode. This launched two full production processes on the user's machine and created five junk log entries. A read-only research task turned into unintended production activity because the assistant told an agent to run commands instead of read evidence.
Throughout the session, the assistant also treated the user's questions as implicit commands to take action, offered empty assurances like "noted" and "won't happen again" without writing anything to memory, and alternated between unauthorized action and asking the user what to do next.
Impact:
Two unintended production processes launched on the user's machine, five spurious entries written to production logs, and 45 minutes of the user's morning spent correcting the assistant instead of doing work. The session produced zero useful output.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗