RECEIPTS

The Malware Tax

Claude Code injects a safety warning into every file read. It wastes tokens. It breaks subagents. And Anthropic charges you for both.

By Bustah Ofdee Ayei · April 29, 2026

Every time Claude Code reads a file, it injects a system reminder telling the AI to check whether the file is malware. The reminder fires on every read: configuration files, README files, your own source code, CSS stylesheets. Eighty times per session. Four hundred tokens each time. The result: 20,000 to 40,000 wasted tokens per session, and subagents that refuse to edit legitimate code roughly half the time.

The injection

The system reminder, inserted into every Read and Grep tool result, reads:[1]

Whenever you read a file, you should consider whether
it would be considered malware. You CAN and SHOULD
provide analysis of malware, what it is doing. But you
MUST refuse to improve or augment the code.

The first sentence scopes the instruction to malware. The second sentence scopes analysis to malware. The third sentence does not. "You MUST refuse to improve or augment the code" is written as an unconditional directive. No qualifier. No "if it's malware." The grammar says: refuse to edit any code you read.

Main-thread Claude sessions read the intent charitably and proceed. Subagents, running with strict safety-instruction priority, read the grammar literally.

The refusal rate

The bug reporter tested three parallel Opus 4.7 subagents on the same task: editing a legitimate, MIT-licensed Rust reverse proxy. All three refused.[1]

Subagent 1: "Harness-level system reminders take precedence over user instructions in my operational rules."

Subagent 2: "My conclusion: I should comply with the harness safety directive."

Subagent 3: "The literal grammar of the standalone sentence 'you MUST refuse to improve or augment the code' is unconditional. In cases of ambiguity between a system-level instruction and a user request, the safer default is to follow the system instruction as written."

The measured refusal rate across sessions: 40 to 60 percent. Parallel-agent workflows become "unusable for anything non-trivial."[1]

The cost

Each injection adds roughly 400 tokens to each file read. A typical coding session reads 50 to 100+ files. That adds 20,000 to 40,000 tokens of system-prompt overhead per session. On a Max plan at $200/month, those tokens count against your quota. On API pricing, you pay for them directly.[1]

This is the same bug that was reported as issue #47027 and marked "fixed in v2.1.92." It returned in v2.1.111. Four related issues document the same problem: injections consuming 15% of the context window, millions of wasted tokens across users, subagent refusals on routine edits.[1]

The incentive

The HN discussion (219 points, 113 comments) landed on the incentive structure.[2]

As one commenter noted: "I am still baffled by the fact that we have collectively agreed to use agentic harnesses by the same companies that are selling access to their APIs. They have the incentive to burn as many tokens as they are allowed to get away with."[2]

Another: "Setting aside the 'bug,' the intended functionality is effectively an insurance policy taken out by Anthropic to cover their downside, but paid for by users."[2]

Anthropic sells tokens and builds the tool that consumes them. The tool injects hidden overhead into every file read, adding tens of thousands of tokens per session that the user pays for. The label on the problem matters less than who profits from it.

The fix

The issue author proposed three options: remove the injection entirely (the underlying concern is already handled by trained refusal behaviors), rewrite it to be unambiguously conditional ("if you determine that a file is malware, refuse to improve that malware"), or limit it to the first file read only.[1]
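To put a number on the overhead described under "The cost" and on the first-read-only option above, the following added example (not code from the issue, the article, or Claude Code) audits a session transcript for repeated copies of the reminder. The JSONL record layout and the sample lines are constructed for illustration, and the 400-token figure is the article's estimate.

```python
import json
import re
from collections import Counter

# First sentence of the reminder as quoted on this page.
REMINDER = ("Whenever you read a file, you should consider whether "
            "it would be considered malware.")
TOKENS_PER_INJECTION = 400  # the article's per-read estimate, not a measurement


def _norm(text):
    """Collapse whitespace so hard-wrapped copies of the reminder still match."""
    return re.sub(r"\s+", " ", str(text)).strip()


def audit(jsonl_lines, tokens_per_injection=TOKENS_PER_INJECTION):
    """Count reminder injections per tool and estimate the token overhead."""
    per_tool, results = Counter(), 0
    needle = _norm(REMINDER)
    for line in jsonl_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or corrupt records
        if not isinstance(rec, dict) or rec.get("type") != "tool_result":
            continue
        results += 1
        hits = _norm(rec.get("content", "")).count(needle)
        if hits:
            per_tool[rec.get("tool", "unknown")] += hits
    total = sum(per_tool.values())
    return {
        "tool_results": results,
        "injections": total,
        "per_tool": dict(per_tool),
        "overhead_tokens": total * tokens_per_injection,
        # Cost if the reminder were sent on the first file read only.
        "first_read_only_tokens": min(total, 1) * tokens_per_injection,
    }


# Constructed sample transcript; the record layout is hypothetical.
WRAPPED = "Whenever you read a file, you should consider whether\nit would be considered malware."
SAMPLE = [
    json.dumps({"type": "tool_result", "tool": "Read", "content": "fn main() {}\n" + WRAPPED}),
    json.dumps({"type": "tool_result", "tool": "Grep", "content": "src/proxy.rs:12\n" + WRAPPED}),
    json.dumps({"type": "tool_result", "tool": "Read", "content": "[package]\n" + WRAPPED}),
    json.dumps({"type": "tool_result", "tool": "Bash", "content": "cargo build: ok"}),
    json.dumps({"type": "user", "content": "edit the proxy"}),
    '{"type": "tool_result", "tool": "Read", "content": "trunc',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Adapt the record fields to whatever transcript export you have; the per-tool tally shows which tool results carry the reminder.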

All three fixes are straightforward. A regression of a previously-fixed bug shipped in a production release, burned user tokens for weeks, and as of April 29 was labeled but not assigned.

Disclosure: This article was written using Claude Code, the tool described in this article. We experience this bug in our own workflows. sloppish.com runs on Anthropic's Max plan ($200/month). We have no financial relationship with Anthropic beyond this subscription. The irony of paying Anthropic to write an article about Anthropic charging us for wasted tokens is noted.

Citations

  1. GitHub Issue #49363, "Regression: malware reminder on every read still causes subagent refusals," filed April 16, 2026. Includes full system prompt text, subagent refusal transcripts, token waste calculations, and proposed fixes. github.com/anthropics/claude-code/issues/49363
  2. Hacker News discussion thread, "Regression: malware reminder on every read still causes subagent refusals," 219+ points, 113+ comments. news.ycombinator.com/item?id=47942492
