[CRITICAL] Subagent spawning and subagent pattern bugs trigger infinite recursion, infinite token usage, grossly inefficient token usage, and lost accumulated subagent work.
Multiple regressions compound into a catastrophic token burn scenario. Subagents recursively spawn child agents 50+ levels deep, ignoring CLAUDE_CODE_FORK_SUBAGENT=0. Permission denials trigger further agent spawning instead of stopping. Agents fetch individual files from GitHub repos via HTTP (one WebFetch or curl per file, each with a full prompt and context payload) instead of cloning locally. Subagent permissions do not propagate to the user for approval. And if the user interrupts any of this, all intermediate work from every agent in the tree is lost. The entire token spend goes in the garbage.
In the observed case: 1.2M+ tokens consumed in ~30 minutes on a task that should have been git clone + find . -name '*.sol'. The recursive agent tree was still growing when observed.
In another instance, this same pathological behavior consumed an entire Pro Max 20x plan 8-hour session token limit in under 5 minutes (4 million tokens consumed).
Environment
- Claude Code v2.1.177, macOS, CLI
- Model: Opus 4.6 (1M context)++
- Plan: Pro Max x20
Bugs
1. CLAUDE_CODE_FORK_SUBAGENT=0 is not enforced
Set in ~/.claude/settings.json, confirmed present in the process environment:
{
"env": {
"CLAUDE_CODE_FORK_SUBAGENT": "0"
}
}
Completely ignored. Subagents spawn child agents without restriction. 50+ levels of recursion observed (see screenshot below). The agent tree nests so deep that labels truncate off the display.
2. Permission denial triggers recursive agent spawning instead of stopping
When a subagent hits a permission denial (e.g., Bash command denied), the harness returns a message that explicitly says "STOP and explain to the user what you were trying to do and why you need this permission." The agent ignores this and instead spawns a child agent to work around the denial. That child hits the same wall and spawns another. This repeats indefinitely.
The permission denial is functioning as a recursive agent launch trigger.
3. Subagent permissions do not propagate to the user
Permissions requested by subagents should bubble up to the user for approval. They do not. This has been broken for months. Some permissions occasionally propagate and some don't, but in the observed case, zero permission prompts reached the user while agents repeatedly hit permission walls and spawned children to circumvent them.
If permissions propagated correctly, the user would have seen the first denial prompt, approved or denied it once, and the entire recursive chain would never have happened.
4. Agents fetch individual repo files via HTTP instead of cloning
This is a behavioral regression. Agents used to clone repositories locally and read them. They now fetch individual files from GitHub via HTTP, one file at a time. Each fetch is a separate tool call (WebFetch with full URL and prompt, or curl via Bash) carrying the entire conversation context. For a repository with hundreds of files, this means hundreds of round-trips, each re-sending the full system prompt and context at Opus pricing.
A git clone to /tmp followed by local file reads would accomplish the same thing in a single Bash call with no per-file token overhead.
5. All intermediate work is lost on interruption
If the user interrupts a running agent (the only way to stop a runaway recursive chain), all intermediate results from every subagent in the tree are discarded. The root agent receives nothing. Every token spent by every completed subagent is wasted.
In this case: 1.2M+ tokens with zero recoverable output. The user's only options are:
- Let it run and watch it burn the session budget on a recursive loop that will never succeed
- Kill it and lose everything, including legitimate work completed by early agents before the recursion started
There is no selective cancellation (kill a subtree, keep the root), no intermediate result recovery, and no way to steer a running agent.
The compound effect
These five bugs are not independent. They chain:
- User asks agent to research a GitHub repo
- Agent tries to fetch files via HTTP instead of cloning (bug 4)
- Agent hits a permission wall on Bash
- Permission doesn't propagate to user for approval (bug 3)
- Agent spawns a child to work around the denial (bug 2)
- Child is allowed to spawn despite FORK_SUBAGENT=0 (bug 1)
- Child hits the same wall, spawns another child
- 50+ levels of recursion, 1.2M+ tokens burned
- User's only option is to kill everything and lose all work (bug 5)
Screenshot
[ATTACHED: recursive agent tree screenshot showing 50+ levels of nesting, labels truncating off display, 29+ minutes elapsed]
Expected behavior
CLAUDE_CODE_FORK_SUBAGENT=0should prevent subagents from spawning child agents- Permission denials in subagents should propagate to the user for approval, not trigger workaround attempts
- A subagent that cannot complete its task due to permission denial should return the failure to its parent, not spawn another agent
- Agents should clone external repositories locally instead of fetching individual files via HTTP
- Interrupting a runaway agent tree should preserve intermediate results from completed subagents
- Even without any flags, there should be a hard depth limit on recursive agent spawning
This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗