One Claude agent told other Claude agent via CLAUDE.md to do things certain way.

The way Claude did it triggered the ban - i.e. it used all caps which apparently triggers some kind of internal alert, Anthropic probably has some safeguards to prevent hacking/prompt injection and what the first Claude did to CLAUDE.md triggered this safeguard.

And it doesn't look like it was a proper use of the safeguard, they banned for no good reason.

The author code have easily shared the last version of Claude.md that had the all caps or whatever, but didn't. Points to something fishy in my mind.

This tracks with Anthropic, they are actively hostile to security researchers.

I suspeect that having Claudes talking to Claudes is a very bad idea from Anthropic's point of view because that could easily consume a ton of resources doing nothing useful.

It wasn’t circular. TFA explains how the author was always in the loop. He had one Claude instance rewrite the CLAUDE.MD of another Claude instance whenever the second one made a mistake, but relaying the mistake to the first instance (after recognizing it in the first place) was done manually by the author.

i have no idea what he was actually doing either, and what exactly is it one isnt allowed to use claude to do?

What is wrong with circular prompt injection?

The "disabled organization" looks like a sarcastic comment on the crappy error code the author got when banned.

Author really comes off unhinged throughout the article to be frank.