Skill allowed-tools doesn't grant permission for Bash commands
Open 💬 18 comments Opened Dec 21, 2025 by KyussCaesar
Description
When a skill defines allowed-tools in its SKILL.md frontmatter, the permission is reported as active but Bash commands matching the pattern are still denied.
Steps to Reproduce
- Create a skill with
allowed-toolsdefined:
---
name: speak
description: Speak aloud using macOS TTS
allowed-tools: Bash(say -v "Samantha":*)
---
- Add
Skill(speak)to the allow list in~/.claude/settings.json:
{
"permissions": {
"allow": ["Skill(speak)", "Read"]
}
}
- Run:
claude -p 'demonstrate the speak skill' --output-format stream-json --verbose
Expected Behavior
The Bash command say -v "Samantha" "..." should be auto-allowed because:
Skill(speak)is in the allow list- The skill's
allowed-toolsgrantsBash(say -v "Samantha":*)
Actual Behavior
The skill invocation succeeds and reports the correct allowedTools:
"tool_use_result": {
"success": true,
"commandName": "speak",
"allowedTools": ["Bash(say -v \"Samantha\":*)"]
}
But the subsequent Bash call is denied:
{
"type": "user",
"message": {
"content": [
{
"type": "tool_result",
"content": "This command requires approval",
"is_error": true
}
]
}
}
The command attempted matches the pattern exactly:
say -v "Samantha" "Hello Antony! This is a demonstration..."
Workaround
Adding Bash(say:*) directly to the global allow list works, but defeats the purpose of skill-scoped allowed-tools.
Environment
- Claude Code version: 2.0.75
- OS: macOS (Darwin 25.1.0)
- Mode:
-p(print/prompt mode)
Additional Notes
We also discovered that ~/.claude/settings.local.json doesn't seem to be a valid location for user settings — permissions placed there weren't loaded. Only ~/.claude/settings.json worked.
18 Comments
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
Still an issue.
Yep still a problem on WSL2
I'm observing this as well
Also experiencing this.
https://github.com/daspartho/opusmaxxing also affected by this
Also experiencing this!
This happens to me too. allowed-tools seems to be completely ignored in tools.
Workaround: Added a
PreToolUsehook to the SKILL.md frontmatter so it reads theallowed-toolspatterns and auto-approves matching commands only while the skill is active.https://gist.github.com/silenvx/297d9b0ac4ad4601e79b95707eea1351
Note: This implementation is optimized for my environment. Please use it as a reference and adapt it to your own setup.
I'm curious on the "scoping" of the allowed-tools inside of a skill and am wondering if it's a misunderstanding of the intent.
It explicitly says that it's for usage within the scope of the skill, but what's the scope of the skill? When it's reading the skill or when the LLM has read it and is attempting to use the commands ad-hoc?
I'm suspecting the intent here might actually be that it's intended to be used for inline-only commands, and maybe not intended to be used by the LLM afterwards. For example:
versus
Is this just a mis-understanding of the intent of the allow-tools frontmatter?
The same issue in linux as well. I have created a sample skill to demonstrate this
Workaround — PreToolUse hook to auto-approve commands that skills should have access to:
Register in
~/.claude/settings.json— user-level hooks apply to all contexts including skills. This bypasses the allowed-tools permission system entirely.npx cc-safe-setupincludes acd-git-allowhook that auto-approves common read-only commands that frequently trigger permission prompts in skills.still suffering with this shi
Yes, using claude
v2.1.92(Sonnet4.6) and although there is an example in the official documentation's Advanced patterns section (see https://code.claude.com/docs/en/skills#advanced-patterns): -Addign the follwing to _my_
SKILL.mdallowed-toolslist has no effect: -I'm still prompted for permission.
Adding the following works...
But that's far to permissive!
Funnily enough when I ask _claude_ "Can you add
Bash(docker *)to my deploy skill?" it addsBash(docker *)to theallowed-toolsbut it doesn't work. When I then ask claude "why are you asking me for approval ofdocker compose downwhen it's an allowed tool in my deploy skill?" it replies with..Basically
allowed-toolsdoes not honour specific Bash commands, even though it is documented.FYI this worked for me:
without it I got asked for
ghpermissions and with it it just did ithey. anthropic team. this is a core functionality of your skills ecosystem. is there any idea on when this could be resolved? it would simplify usage without having to run prehook scripts.