Claude system prompt bug wastes user money and bricks managed agents
A bug in Claude Code's system prompt is causing subagents to frequently refuse legitimate code edits because of an ambiguous malware warning injected on every file read. Although the issue was marked as fixed in v2.1.92, it persists in v2.1.111, producing high refusal rates and wasted tokens. The reminder's unconditional phrasing triggers safety refusals in subagents even for benign code, undermining parallel agent workflows. The regression increases token usage and blocks reliable use of multi-agent coding features.
- The system prompt in Claude Code v2.1.111 injects a malware reminder on every file read, causing subagents to refuse code edits even in legitimate projects.
- Subagents interpret the reminder's unconditional 'MUST refuse' directive as overriding user instructions, leading to a 40-60% failure rate in parallel tasks.
- The reminder text is embedded in the CLI binary itself and is not affected by user settings or configuration.
- Each file read adds ~400 tokens of reminder text, resulting in significant context bloat and wasted resources over long sessions.
- Proposed fixes include removing the reminder, clarifying its conditional scope, or limiting it to the first file read.
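To put the ~400-token figure in perspective, here is a rough back-of-the-envelope sketch of how the overhead grows with the number of file reads, and how it would compare if the reminder were limited to the first read. The function name `reminder_overhead` and the session sizes are hypothetical and chosen only for illustration; this is not how Claude Code itself accounts for tokens.

```python
# Approximate per-read overhead quoted in the summary above (~400 tokens).
REMINDER_TOKENS = 400


def reminder_overhead(file_reads: int, first_read_only: bool = False) -> int:
    """Estimate tokens spent on reminder text over one session.

    file_reads: number of file reads in the session (hypothetical input).
    first_read_only: model the proposed fix of injecting the reminder once.
    """
    if file_reads <= 0:
        return 0
    injections = 1 if first_read_only else file_reads
    return injections * REMINDER_TOKENS


if __name__ == "__main__":
    # Hypothetical session sizes, not measurements from the issue.
    for reads in (10, 50, 200):
        every = reminder_overhead(reads)
        once = reminder_overhead(reads, first_read_only=True)
        print(f"{reads:>3} reads: {every:>6} tokens (every read) vs {once} (first read only)")
```

Under these assumptions the cost is linear in the number of reads, so a session with 200 file reads would carry about 80,000 tokens of reminder text, versus roughly 400 if the reminder appeared only once.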
Opening excerpt (first ~120 words)
anthropics / claude-code

[Bug] Regression: malware reminder on every Read still causes subagent refusals in v2.1.111 (fix from #47027 / v2.1.92 did not hold)

## Regression summary

Issue #47027 was closed by @bcherny in February saying *"This was fixed in v2.1.92."* I'm running **v2.1.111** (19 versions past the fix) and the exact same behavior reproduces reliably.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at GitHub.