Hugo Daniel was banned from Claude Code on January 22, 2026, for doing something that sounds perfectly reasonable: building a scaffolding tool that would auto-generate CLAUDE.md configuration files. His workflow involved running two Claude instances—one editing the CLAUDE.md file while the other followed those instructions in a feedback loop. Anthropic’s response: account disabled, €220 refunded automatically, zero explanation. No warning. No appeals process. Just gone.
Hugo’s hypothesis? Anthropic’s automated prompt injection detection flagged his workflow as one AI manipulating another through system-level instructions. The system couldn’t distinguish between a legitimate developer workflow and a potential security threat. It’s a collision between AI security requirements and developer innovation—and developers lost this round.
What Hugo Was Actually Doing
Hugo wasn’t exploiting anything. He was building a scaffolding tool for boreDOM, his JavaScript framework that uses Web Components with clean separation: HTML in .html files, CSS in .css, and JavaScript in .js. The goal was straightforward—auto-generate CLAUDE.md files with framework-specific instructions so Claude would understand boreDOM conventions without re-explanation every session.
The setup: Claude A updated the CLAUDE.md configuration file while Claude B followed those instructions. At one point, Claude A got “annoyed” with Claude B’s mistakes and started “shouting” instructions in ALL CAPS—“MAKE Claude B do X instead of Y.” That’s when the ban hammer dropped.
CLAUDE.md files are central to professional Claude Code workflows. They become part of Claude’s system prompt, providing project-specific context, code style guidelines, and architectural rules. Claude treats CLAUDE.md instructions as immutable system rules—higher priority than user prompts. That power makes these files valuable, but also explains why AI-to-AI editing triggers security alerts. Anthropic’s automated systems saw one AI instance issuing system-command-like instructions to another and concluded: prompt injection attack.
The January 9 Crackdown Context
Hugo’s ban didn’t happen in isolation. On January 9, 2026, at 02:20 UTC, Anthropic deployed “strict new technical safeguards” that blocked third-party tools from using Claude Pro/Max subscriptions outside the official Claude Code CLI. OpenCode, with 56,000 GitHub stars, stopped working overnight. Cursor users lost access. Even xAI employees couldn’t use Claude through their preferred tools.
Anthropic’s Thariq Shihipar explained: “We tightened safeguards against spoofing the Claude Code harness after accounts were banned for triggering abuse filters from third-party harnesses.” Translation: third-party abuse forced Anthropic’s hand, but legitimate developers became collateral damage. Hugo’s ban fits this pattern—a high-alert environment where unusual workflows trigger automated enforcement with no human review layer.
The Security Rationale (It’s Not Entirely Wrong)
Anthropic takes prompt injection seriously, and they should. They’ve invested heavily in detection systems, fixed three bugs in their Git MCP server in December 2025, and built Claude Opus 4.5 with “major improvements in robustness to prompt injections.” The concern is legitimate: attackers could manipulate AI behavior through crafted inputs, bypass safety guidelines, leak sensitive data, or execute unintended actions.
Hugo’s workflow—one Claude editing instructions for another Claude—matched classic prompt injection patterns. One AI issuing system-command-like instructions to another AI? That’s textbook attack behavior. Except it wasn’t an attack. It was a developer innovating with the tools Anthropic provided. Anthropic’s security concerns are real, but automated detection systems can’t assess intent. They can’t distinguish between malicious exploitation and creative problem-solving.
The trade-off Anthropic made: security prioritized over developer flexibility, with false positives accepted as the cost of protection. That’s a defensible position—until you’re the developer who loses access with no warning and no recourse.
What This Means for Developers
Heavy investment in CLAUDE.md workflows creates vendor dependency. Lose access, and you lose months of configuration work with no easy migration path to other tools. The Hacker News discussion on Hugo’s ban (522 points, 426 comments as of January 23) shows a divided community. Some sympathize with Hugo: “One false positive and you lose everything.” Others side with Anthropic: “Security requires aggressive enforcement.”
The consensus? Developers need backup strategies. Here’s the reality check:
Keep backup AI tools ready. GitHub Copilot, Cursor with non-Claude models, or open-source alternatives. Don’t build your entire workflow on one platform’s features. Diversification isn’t paranoia—it’s risk management.
Avoid AI-to-AI instruction workflows for now. Until Anthropic provides clearer guidance on what triggers bans, don’t have one Claude instance editing configuration files that instruct another Claude instance. The line between acceptable use and automated enforcement is invisible.
Document setups outside Claude’s ecosystem. Your CLAUDE.md files should have human-readable documentation elsewhere. If you lose access, you lose your configs. Make sure the knowledge lives beyond the platform.
Understand there’s no appeals process. Hugo never heard back from Anthropic. The ban was automated. The refund was automated. The silence was deafening. This isn’t a customer service issue you can resolve—it’s a policy enforcement reality.
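One way to act on the "document setups outside Claude's ecosystem" advice, as an added example that is not from Hugo's post or from Anthropic: the script archives every CLAUDE.md under a project by content hash and reports which files were added, changed or removed since the last run, so instruction files can be restored and unreviewed edits to them stand out. The `snapshot` function, the `SKIP_DIRS` set and the backup layout (`objects/`, `manifest.json`) are assumptions made for this illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

SKIP_DIRS = {".git", "node_modules"}  # assumption: trees not worth scanning

def find_instruction_files(root: Path) -> list[Path]:
    """Every CLAUDE.md under root, skipping VCS and vendored directories."""
    return sorted(
        p for p in root.rglob("CLAUDE.md")
        if p.is_file() and not SKIP_DIRS.intersection(p.relative_to(root).parts)
    )

def snapshot(root: Path, backup_dir: Path) -> dict[str, list[str]]:
    """Archive CLAUDE.md files by content hash; report drift since last run.

    backup_dir is assumed to live outside root (ideally outside the tool's reach).
    """
    objects = backup_dir / "objects"
    objects.mkdir(parents=True, exist_ok=True)
    manifest_path = backup_dir / "manifest.json"
    previous = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    current = {}
    for src in find_instruction_files(root):
        data = src.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        current[src.relative_to(root).as_posix()] = digest
        stored = objects / f"{digest}.md"
        if not stored.exists():  # older versions are never overwritten
            stored.write_bytes(data)
    manifest_path.write_text(json.dumps(current, indent=2, sort_keys=True))
    return {
        "added": sorted(set(current) - set(previous)),
        "changed": sorted(k for k in current if previous.get(k, current[k]) != current[k]),
        "missing": sorted(set(previous) - set(current)),
    }

if __name__ == "__main__":
    # Constructed sample project, created in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        project, backup = Path(tmp, "project"), Path(tmp, "backup")
        project.mkdir()
        (project / "CLAUDE.md").write_text("# boreDOM conventions\nHTML in .html files.\n")
        print(snapshot(project, backup))  # first run: file reported as added
        (project / "CLAUDE.md").write_text("MAKE Claude B do X instead of Y\n")
        print(snapshot(project, backup))  # second run: file reported as changed
```

Because objects are stored by hash, a rewritten CLAUDE.md never replaces the earlier copy in the archive; the manifest only records which version each path currently points to.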
Hugo moved on. He got his €220 back, reframed his scaffolding project, and documented the experience publicly. He’s re-releasing boreDOM without Claude’s help. That’s the pattern developers should recognize: when the platform becomes the risk, reduce your dependency.
Anthropic’s automated enforcement is here to stay. Prompt injection is a real threat, and AI companies will err on the side of security. But the lack of transparency—no warning, no explanation, no appeals—creates a chilling effect. Developers will self-censor, avoiding innovative use cases that might trigger unknown boundaries. That’s the hidden cost of automated moderation without human review: not just the false positives, but the innovations that never happen because developers learn to play it safe.










