[DOCS] Missing warning regarding `dangerouslyDisableSandbox` interaction with `bypassPermissions` mode

Resolved 💬 2 comments Opened Jan 13, 2026 by coygeek Closed Jan 17, 2026

Documentation Type

Unclear/confusing documentation

Documentation Location

  • URL: https://platform.claude.com/docs/en/agent-sdk/typescript - File: docs/en/agent-sdk/typescript.md (and mirrored in docs/en/agent-sdk/python.md)

Section/Topic

  • Section: Sandbox Configuration - Sub-section: Permissions Fallback for Unsandboxed Commands

Current Documentation

"When allowUnsandboxedCommands is enabled, the model can request to run commands outside the sandbox by setting dangerouslyDisableSandbox: true in the tool input. These requests fall back to the existing permissions system, meaning your canUseTool handler will be invoked, allowing you to implement custom authorization logic."

What's Wrong or Missing?

The documentation states that escaping the sandbox "falls back to the permissions system." However, it fails to explicitly state the security implications of this fallback when used in conjunction with specific permissionMode settings.

If a developer sets permissionMode: 'bypassPermissions' (or potentially acceptEdits if the model leverages a bash-based "edit"), and also sets allowUnsandboxedCommands: true, the model can autonomously request to disable its own sandbox. Because the "fallback" is to a permission system that is currently set to bypass all checks, the model effectively gains unprompted, unsandboxed access to the host machine. This interaction allows for a silent host escape that is not clearly warned against in the Sandbox configuration section.

Suggested Improvement

Add a high-visibility <Warning> block in the Permissions Fallback for Unsandboxed Commands section for both TypeScript and Python documentation:

<Warning>
**CRITICAL SECURITY WARNING:**
If `permissionMode` is set to `bypassPermissions`, and `allowUnsandboxedCommands` is enabled, the model can autonomously execute commands outside the sandbox without any user prompts or manual approval. 

This configuration essentially allows the model to "escape" its isolation silently. Only enable `allowUnsandboxedCommands` if you have implemented a robust `canUseTool` handler that manually validates every request where `dangerouslyDisableSandbox` is true, regardless of the global permission mode.
</Warning>

Impact

High - Prevents users from using a feature

Additional Context

  • Links to related documentation: This relates directly to the [Configure Permissions](/docs/en/agent-sdk/permissions) page, which describes bypassPermissions as something to use with "extreme caution."
  • Examples from other projects: Most sandbox/runtime documentation (e.g., Docker or Deno) explicitly warns that "allow" flags for one subsystem (network/filesystem) can be used to pivot and escalate privileges if the supervisor's permission gate is set to "always allow." Given that Claude Code is agentic, the risk of a "self-signed" sandbox escape is significantly higher.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗