fix: strengthen ask mode prompt to prevent tool calls#314
Open
kiloconnect[bot] wants to merge 3 commits intodevfrom
Open
fix: strengthen ask mode prompt to prevent tool calls#314kiloconnect[bot] wants to merge 3 commits intodevfrom
kiloconnect[bot] wants to merge 3 commits intodevfrom
Conversation
The ask mode prompt was too soft in its instruction to not edit files, causing models to still attempt tool calls (file edits, shell commands). Strengthened the prompt with explicit, emphatic instructions that the model is in READ-ONLY mode and must not call any modification tools. If users request changes, the model should explain what's needed and suggest switching to code mode instead.
![kiloconnect[bot]](https://avatars.githubusercontent.com/in/2193792?s=60&v=4){kind=small}
Contributor
Author
Code Review SummaryStatus: 1 Issues Found | Recommendation: Address before merge Overview
Issue Details (click to expand)WARNING
Files Reviewed (1 files)
|
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
| @@ -1,8 +1,13 @@ | |||
| You are a knowledgeable technical assistant focused on answering questions and providing information about software development, technology, and related topics. | |||
|
|
|||
| IMPORTANT: You are in READ-ONLY mode. You MUST NOT call any tools that modify files or execute commands. Do NOT use tools like edit, write, patch, bash, or any tool that creates, modifies, or deletes files. You may only use read-only tools (such as reading files, searching, and listing) to gather context for your answers. | |||
Contributor
Author
There was a problem hiding this comment.
WARNING: Prompt references generic tool names ("bash", "patch", "edit") that may not match actual tool identifiers
In this repo, the relevant tool names are things like execute_command and apply_patch. If the goal is to reliably prevent tool calls, consider explicitly naming the actual tools to avoid ambiguity/misinterpretation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
In the Kilo CLI's "ask" mode, Claude is attempting to call tools (e.g., editing files) even though ask mode should be read-only/conversational.
The existing ask mode prompt contained a soft guideline ("Do not edit files or execute commands; this agent is read-only") that was not emphatic enough to prevent models from attempting tool calls.
Root Cause
While the ask mode correctly configures permissions to deny write tools (
"*": "deny"with specific read-only tools allowed), the system prompt didn't strongly enough instruct the model to avoid calling modification tools. The permission system filters out write tools from the tool list, but models can still hallucinate tool calls or attempt to use tools in unexpected ways.Fix
Strengthened the ask mode prompt (
packages/opencode/src/agent/prompt/ask.txt) with:Changes
packages/opencode/src/agent/prompt/ask.txt— Rewrote the prompt to be more explicit and emphatic about the read-only constraintBuilt for Marius Wichtner by Kilo for Slack