[DOCS] Contradictory default values for allowUnsandboxedCommands between CLI and SDK documentation
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/settings https://platform.claude.com/docs/en/agent-sdk/python https://platform.claude.com/docs/en/agent-sdk/typescript
Section/Topic
- Settings: Sandbox settings table - Python SDK: SandboxSettings type documentation - TypeScript SDK: SandboxSettings interface documentation
Current Documentation
Settings guide (CLI):
| `allowUnsandboxedCommands` | Allow commands to run outside the sandbox via the `dangerouslyDisableSandbox` parameter. [...] Default: true | `false` |
Note: The Description says "Default: true" but the Example column shows false.
Python SDK reference:
| `allowUnsandboxedCommands` | `bool` | `False` | Allow the model to request running commands outside the sandbox... |
TypeScript SDK reference:
| `allowUnsandboxedCommands` | `boolean` | `false` | Allow the model to request running commands outside the sandbox... |
What's Wrong or Missing?
The CLI settings documentation states that allowUnsandboxedCommands defaults to true (in the Description column), while:
- The same row's Example column shows
false - Both SDK references (Python and TypeScript) state the default is
False/false
This is a security-sensitive setting that controls whether the model can request to bypass sandbox isolation. The contradiction could lead to:
- Security misconfiguration: Users may assume one behavior while experiencing another
- Unexpected sandbox escapes: If CLI defaults to
truebut users expect SDK behavior (false) - Confusion when migrating: Code that works one way in CLI may behave differently via SDK
Suggested Improvement
- Verify the actual default in the Claude Code implementation
- If CLI and SDK have different defaults, explicitly document this difference in both locations:
``allowUnsandboxedCommands
| | ... | Default: true (CLI) / false (SDK) | ... |``
- If they share the same default, correct the errant documentation
- Consider adding a security note explaining the implications of this setting
Impact
High - Prevents users from using a feature
Additional Context
- Mirror locations:
code.claude.com/docs/en/settings.md(line 281)platform.claude.com/docs/en/agent-sdk/python.md(line 2260)platform.claude.com/docs/en/agent-sdk/typescript.md(line 2048)- Related: Sandboxing documentation at https://code.claude.com/docs/en/sandboxing
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗