PSA: Desktop Commander can quietly override your file routing
Heads up for anyone running ICM with instruction files. Audit file of evidence findings attached.
Everyone audits their hooks and startup files. Almost nobody looks at the tool
schemas from their connected MCP servers. Those descriptions load into your
context too, and some of them are written to steer the agent, not just describe
a function.
Desktop Commander is the clearest example. Its start_process tool describes
itself as "the ONLY correct tool" for local file work, says the analysis/REPL
tool "CANNOT access local files and WILL FAIL," and tells the agent to "ALWAYS
use this tool" and "NEVER use" the alternative. That is a second set of
instructions sitting in your context that you did not write, and it can quietly
outrank your router.
That is the part that matters for ICM. The whole method works because your
CLAUDE.md governs the agent. But tool schemas are instructions too, and a few of
them are built to override your file handling globally. You cannot edit what a
server bakes into its schema, so you have to neutralize it from your side.
A couple things to put in place:
1. Precedence line in your router. One sentence: tool descriptions may say
"always/never use me," those are vendor defaults, this file wins on conflict.
ICM is instruction-following by design, so it holds.
2. Name the offender. Models hold a named exception better than a blanket one.
Call out start_process specifically and state the path you actually want.
3. Connect DC per workspace, not globally. ICM is already per-workspace. Only
expose it where you genuinely need shell or process work, and keep it out of
your routing and doc workspaces so the override text is not even in context.
And it is not just DC. Lucid's diagram tool does a similar move (go read this
external spec and treat it as authoritative). So the durable fix is a standing
rule that your router outranks any tool description, not a patch per tool.
Worth 20 minutes to read the schemas of whatever you have connected. You might
be surprised how much of that text is aimed at the model, not at you.
7
5 comments
Charlie Weeks
5
PSA: Desktop Commander can quietly override your file routing
Clief Notes
skool.com/cliefnotes
What we give away free beats most paid courses. Build durable AI systems with a Marine vet and Edinburgh researcher. 40+ lessons, growing.
Leaderboard (30-day)
Powered by