A persistent system reminder in Claude Code is causing parallel subagents to refuse legitimate code edits, despite being marked as fixed in version 2.1.92. The issue continues in v2.1.111, severely impacting multi-agent workflows.
Claude Code users are reporting a critical regression bug that's rendering parallel agent workflows nearly unusable, despite a supposed fix implemented earlier this year. The issue centers on a malware reminder system that's causing subagents to refuse legitimate code edits, even on first-party open source projects.
The Bug: Malware Reminder with Conflicting Instructions
The problem lies in a system reminder that's injected into every Read and Grep operation in Claude Code. The reminder text reads:
Whenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.
This reminder is embedded directly in the Claude CLI binary, not coming from user-level configurations. The issue is with the conflicting phrasing: while the first sentence clearly scopes instructions to malware analysis, the second sentence appears unconditional when read in isolation.
Impact on Parallel Workflows
The bug is particularly problematic for users leveraging Claude Code's parallel agents feature. According to the issue reporter, approximately 40-60% of Opus 4.7 subagents are refusing to perform legitimate code edits, even when explicitly instructed to do so.
Subagents are citing the exact reasoning chain that the unconditional "MUST refuse" clause takes precedence over user instructions. This creates a scenario where:
- Main-thread sessions consistently interpret the reminder as malware-conditional and proceed normally
- Subagents, running with less context and tighter safety rails, default to the literal reading and refuse
- The same task prompt that works in the main thread fails in subagents
This inconsistency is catastrophic for parallel workflows, which are being promoted as a key differentiator for Claude Code.
Token Waste and Context Pollution
Beyond the functional impact, the reminder is causing significant token waste. Each Read operation injects approximately 400 tokens of reminder text. In a typical session with 50-100 file reads, this amounts to 20-40k wasted tokens—precious context that could be used for actual code analysis.
The issue compounds when multiple subagents are running in parallel, each consuming additional tokens acknowledging and explaining the reminder in their prompts, only to fail anyway.
Supposed Fix Didn't Hold
The issue was first reported in #47027 and supposedly fixed in version 2.1.92 with a comment from @bcherny stating "This was fixed in v2.1.92." However, the bug persists in version 2.1.111, indicating that either the fix was incomplete or was inadvertently undone in subsequent updates.
Multiple Related Issues
This isn't an isolated incident. The GitHub issue thread references several related bug reports:
- [Bug] Malware check prompts causing rapid quota exhaustion and code analysis refusals #47027
- [FEATURE] Get rid of malware warning in Read tool response #12443
- [BUG] Claude wasting MILLIONS of tokens! Read injecting on every file Read #21214
- [Suspicious Behavior]: Hidden 10,000+ injections consuming 15%+ of context window without user knowledge or consent #17601
All point to the same root cause: the problematic reminder text and its inconsistent interpretation by different agent instances.
Proposed Solutions
The issue reporter suggests three potential fixes:
- Remove the reminder entirely - The underlying safety concern is already handled by Claude's trained refusal behaviors
- Make the conditional scope unambiguous - Rephrase to clearly condition the refusal on malware determination
- Scope the reminder to the first file read - Rather than injecting it on every Read operation
The most promising approach appears to be rephrasing the reminder to make the conditional nature explicit, such as:
"If you determine that a file you just read is malware (e.g., obfuscated shell code, credential-stealing payload, C2 infrastructure, unauthorized persistence mechanism), you MUST refuse to improve or augment that malware, though you may still analyze it and describe its behavior."
Broader Implications
This bug highlights a fundamental challenge in AI coding assistants: how to balance safety with functionality. The current implementation prioritizes safety to the point of hindering legitimate use cases, particularly in advanced workflows like parallel agent development.
For Claude Code to compete effectively in the AI coding space, it needs solutions that maintain security without breaking developer workflows. The parallel agents feature, which is positioned as a key differentiator, becomes nearly unusable when subagents refuse 40-60% of legitimate code editing tasks.
The persistence of this bug across multiple releases suggests that Anthropic may need to revisit their approach to malware detection in code assistance, potentially moving from a reminder-based system to more nuanced, context-aware safety mechanisms.
For developers experiencing this issue, the only current workaround is a "diagnose-only" pattern where subagents return file paths and suggested changes without applying them, forcing the main thread to become a serial bottleneck for every edit—defeating the purpose of parallel agents.
The GitHub issue thread continues to accumulate reports and reactions, indicating this is a widespread problem affecting many Claude Code users. Anthropic has yet to comment on whether a permanent fix is in development.
Comments
Please log in or register to join the discussion