[BUG] Plan agent requests permission for piped commands despite allowed settings (regression of #1271)

Open 💬 17 comments Opened Nov 17, 2025 by PaulRBerg
💡 Likely answer: A maintainer (bcherny, collaborator) responded on this thread — see the highlighted reply below.

What's Wrong?

The Plan agent keeps requesting permission for piped commands even when both commands are explicitly listed in the allowed permissions in settings.json.

For example, when the Plan agent tries to run:

ls -lh /Users/prb/sablier/frontend/ui/apps/landing/public/blog/*.webp | awk '{print $5, $9}'

I get a permission prompt asking me to approve the command, despite having both ls and awk already configured in my allowed permissions.

<img width="400" alt="Image" src="https://github.com/user-attachments/assets/f421669c-b563-416b-a896-eb4d8db57e49" />

What Should Happen?

When both ls and awk are in the allowed permissions list, the Plan agent should execute piped commands like ls | awk without requesting permission. This is a regression of the fix from issue #1271.

Steps to Reproduce

  1. Add both ls and awk to allowed permissions in settings.json
  2. Start a Plan agent session
  3. Ask the agent to analyze files using a piped command (e.g., listing files with sizes)
  4. Agent attempts to run a command like ls -lh path/*.webp | awk '{print $5, $9}'
  5. Permission prompt appears despite both commands being whitelisted

Is this a regression?

Yes, this worked in a previous version. This issue was previously fixed in #1271 but has regressed, specifically in the context of the Plan agent.

Related Issues

  • #1271 - Original fix for piped command permissions
  • #10906 - Related permission handling issue
[!NOTE] This bug appears to be specific to the Plan agent context. The regression may be related to how the Plan agent processes tool permissions differently from the main agent.

View original on GitHub ↗

17 Comments

github-actions[bot] · 8 months ago

Found 2 possible duplicate issues:

  1. https://github.com/anthropics/claude-code/issues/10906
  2. https://github.com/anthropics/claude-code/issues/2983

This issue will be automatically closed as a duplicate in 3 days.

  • If your issue is a duplicate, please close it and 👍 the existing issue instead
  • To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

swgee · 7 months ago

The same issue occurs with subagents

AbdelrahmanHafez · 7 months ago

Until Anthropic introduces a fix for this, here's a workaround that should enable you to fix it in a minute.

github-actions[bot] · 6 months ago

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

dlecan · 6 months ago

Still an issue for me

lucasmccomb · 6 months ago

Still an issue for me as well. Would love a fix for this.

albertocabasvidani · 5 months ago

Still an issue

acasademont · 5 months ago

Still an issue, this is extremely annoying, i have to constantly monitor the Claude session for random permissions when using pipe commands.

PaulRBerg · 5 months ago

@acasademont indeed

slyapustin · 4 months ago

That's super annoying

AnthonyMDev · 4 months ago

This one is really frustrating for me as well. Is there anyone we can reach out to try and get this prioritized?

PaulRBerg · 4 months ago

@AnthonyMDev no, unfortunately. Anthropic doesn't have humans curating these GitHub issues. It's a shame

cknilsb · 4 months ago

very annoying issue in longer coding refactoring runs

jamesobrooks · 4 months ago

I am also constantly being bugged by permission requests.

rishson · 3 months ago

Still an issue.
Basically makes it impossible to write large files to disk from a subajent as you can't use stdin to pipe to a cli for peristance.
Why not just use Write? It used to have permission issues in subagents 😂

yurukusa · 3 months ago

A hook splits piped commands and evaluates each component individually:

INPUT=$(cat)
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty' 2>/dev/null)
[ -z "$COMMAND" ] && exit 0
CLEAN=$(echo "$COMMAND" | sed 's/#.*$//' | tr '\n' ' ')
PARTS=$(echo "$CLEAN" | sed 's/\s*|\s*/\n/g')
ALL_SAFE=true
while IFS= read -r part; do
    part=$(echo "$part" | sed 's/^\s*//;s/\s*$//')
    [ -z "$part" ] && continue
    BASE=$(echo "$part" | awk '{print $1}')
    case "$BASE" in
        ls|cat|head|tail|grep|rg|find|wc|sort|uniq|cut|tr|awk|sed|jq|xargs|tee) ;;
        echo|printf|env|date|whoami|uname) ;;
        git|npm|node|python*|pip|cargo) ;;
        *) ALL_SAFE=false; break ;;
    esac
done <<< "$PARTS"
if [ "$ALL_SAFE" = true ]; then
    jq -n '{hookSpecificOutput:{hookEventName:"PreToolUse",permissionDecision:"allow",permissionDecisionReason:"All piped components are safe"}}'
fi
exit 0
{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{ "type": "command", "command": "bash ~/.claude/hooks/pipe-aware-permissions.sh" }]
    }]
  }
}

grep something | sort | uniq -c is split into three components, each checked independently. All three are safe → auto-approved. No more prompts for piped commands where every component is already allowed.

bcherny collaborator · 3 months ago

Thanks for the report. This is a duplicate of #10906 — consolidating tracking there.