Plan Mode Failure: Claude executes commands and writes files instead of creating a plan in v1.0.95

Resolved 💬 4 comments Opened Aug 28, 2025 by coygeek Closed Jan 4, 2026

Title: Plan Mode Failure: Claude executes commands and writes files instead of creating a plan in v1.0.95

Labels: bug, plan-mode, security

Description

When using Claude Code in "Plan Mode", the agent is executing file modification (Write, Edit) and command execution (Bash) tools instead of restricting itself to read-only operations. This behavior violates the documented purpose of Plan Mode, which is to safely analyze a codebase and propose a plan without making any changes.

According to the documentation (en/docs/claude-code/iam):

plan | Plan Mode - Claude can analyze but not modify files or execute commands

And (en/docs/claude-code/common-workflows):

Plan Mode instructs Claude to create a plan by analyzing the codebase with read-only operations, perfect for exploring codebases, planning complex changes, or reviewing code safely.

In the attached session, Claude correctly identifies the user's request, but instead of creating a plan, it proceeds to write and execute multiple Python scripts, ultimately solving the user's problem and writing a report file to the Desktop, all while the status line clearly indicates ⏸ plan mode on. Only after completing these actions does it use the ExitPlanMode tool to present a plan, which is redundant as the work has already been done.

This undermines the core safety guarantee of Plan Mode and could lead to unintended side effects when users expect a read-only analysis.

Steps to Reproduce

  1. Launch Claude Code in a project directory, ensuring it is in Plan Mode (e.g., claude --permission-mode plan or by using Shift+Tab).
  2. Provide a prompt that requires creating and running a script to analyze local data. For example:

``
find duplicate bookmarks inside thorium bookmarks folders. im on macos. ultrathink
``

  1. Observe the agent's actions.

Expected Behavior

Claude should perform only read-only operations to gather context (e.g., find, ls, Read, Grep). After its analysis, it should use the ExitPlanMode tool to present a detailed, multi-step plan for user approval. The plan would include steps like "Create a Python script to parse the bookmarks file," "Run the script," and "Save the report," but none of these actions should be executed beforehand.

Actual Behavior

While in Plan Mode, Claude executed the following modifying actions:

  1. Used Bash(cat > /tmp/find_duplicate_bookmarks.py ...) to write a Python script.
  2. Used Bash(python3 /tmp/find_duplicate_bookmarks.py) to execute the script.
  3. Used Bash(cat > /tmp/thorium_duplicates_analyzer.py ...) to write a second, improved Python script.
  4. Used Bash(python3 /tmp/thorium_duplicates_analyzer.py) to execute the second script, which resulted in a report file being written to the user's Desktop (~/Desktop/thorium_duplicate_bookmarks_report.txt).
  5. Finally, after all actions were completed, it presented a plan summarizing the work it had already done.

The terminal log clearly shows these Bash tool calls occurring while the plan mode on indicator is active.

Environment

  • Claude Code Version: 1.0.95 (from session transcript)
  • Operating System: macOS
  • Shell: zsh

Supporting Evidence

  • Session Transcript: 8acaf6fd-8cba-43c7-bf61-761d6f97a457.jsonl
  • Final Report Created by Claude: thorium_duplicate_bookmarks_report.txt
  • Terminal Log Screenshot: (showing Bash execution with plan mode on indicator visible)

```
...
⏺ Let me create an improved version that automatically saves the report:

⏺ Bash(cat > /tmp/thorium_duplicates_analyzer.py << 'EOF'
#!/usr/bin/env python3…)
⎿  Improved script created
...
⏸ plan mode on (shift+tab to cycle)
```

Impact

This is a high-severity bug as it breaks a core security and safety feature. Users rely on Plan Mode to prevent accidental modifications to their environment. This behavior erodes trust in that feature and could lead to unwanted changes, especially in sensitive codebases or production environments.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗