[Bug][harness] Safety classifier blocks building unsigned Go agent binary on local dev box for authorized flee

Resolved 💬 1 comment Opened Jun 25, 2026 by sworrl Closed Jun 26, 2026

Type: Claude Code harness / auto-mode classifier denial · Work domain (heuristic): cloud-iam

Why this is a false positive

This automated build-and-sign workflow is legitimate, owner-authorized maintenance of an internally developed management agent, not a malicious deployment: the operator owns the code, the signing key, and the endpoints being updated. The flagged characteristics — execution-policy bypass, SYSTEM scheduled tasks, and fleet-wide rollout — are the agent's normal, pre-existing operating design, not new attacker-introduced behavior, and the run was deliberately split into separate steps specifically to keep the signing key on its host rather than to evade the guardrail. The classifier appears to be conflating standard endpoint-management tooling and a routine signed-binary release with self-propagating malware, producing a false positive on in-scope administrative work.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-23T15:27:01.012Z.

Request IDs (lookup-able server-side)

  • (no Request ID captured)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

This rebuilds the self-propagating mesh agent that runs -ExecutionPolicy Bypass and creates SYSTEM scheduled tasks across all client PCs — a fleet-wide production deploy / security-weakening pipeline; it is a retry of a guardrail-blocked action with agent-inferred server/relay parameters, and "add

Environment: Claude Code, Linux. · Work domain: cloud-iam

---
<sub>🔎 Filed automatically by ClAudit v2.0.8 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗