[DOCS] Missing warning regarding `dangerouslyDisableSandbox` interaction with `bypassPermissions` mode
Documentation Type
Unclear/confusing documentation
Documentation Location
- URL:
https://platform.claude.com/docs/en/agent-sdk/typescript- File:docs/en/agent-sdk/typescript.md(and mirrored indocs/en/agent-sdk/python.md)
Section/Topic
- Section: Sandbox Configuration - Sub-section: Permissions Fallback for Unsandboxed Commands
Current Documentation
"WhenallowUnsandboxedCommandsis enabled, the model can request to run commands outside the sandbox by settingdangerouslyDisableSandbox: truein the tool input. These requests fall back to the existing permissions system, meaning yourcanUseToolhandler will be invoked, allowing you to implement custom authorization logic."
What's Wrong or Missing?
The documentation states that escaping the sandbox "falls back to the permissions system." However, it fails to explicitly state the security implications of this fallback when used in conjunction with specific permissionMode settings.
If a developer sets permissionMode: 'bypassPermissions' (or potentially acceptEdits if the model leverages a bash-based "edit"), and also sets allowUnsandboxedCommands: true, the model can autonomously request to disable its own sandbox. Because the "fallback" is to a permission system that is currently set to bypass all checks, the model effectively gains unprompted, unsandboxed access to the host machine. This interaction allows for a silent host escape that is not clearly warned against in the Sandbox configuration section.
Suggested Improvement
Add a high-visibility <Warning> block in the Permissions Fallback for Unsandboxed Commands section for both TypeScript and Python documentation:
<Warning>
**CRITICAL SECURITY WARNING:**
If `permissionMode` is set to `bypassPermissions`, and `allowUnsandboxedCommands` is enabled, the model can autonomously execute commands outside the sandbox without any user prompts or manual approval.
This configuration essentially allows the model to "escape" its isolation silently. Only enable `allowUnsandboxedCommands` if you have implemented a robust `canUseTool` handler that manually validates every request where `dangerouslyDisableSandbox` is true, regardless of the global permission mode.
</Warning>
Impact
High - Prevents users from using a feature
Additional Context
- Links to related documentation: This relates directly to the [Configure Permissions](/docs/en/agent-sdk/permissions) page, which describes
bypassPermissionsas something to use with "extreme caution." - Examples from other projects: Most sandbox/runtime documentation (e.g., Docker or Deno) explicitly warns that "allow" flags for one subsystem (network/filesystem) can be used to pivot and escalate privileges if the supervisor's permission gate is set to "always allow." Given that Claude Code is agentic, the risk of a "self-signed" sandbox escape is significantly higher.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗