[BUG] Bash command writing to external service executed without permission prompt
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude executed gh pr comment which writes to an external GitHub PR, without
showing any permission prompt. The command was NOT in my allow list, so it
should have prompted for approval before executing.
This is concerning because:
- 1. The command writes to an external service (GitHub) - not a local operation
- 2. I was not expecting any write operations during a code review
- 3. The permission system was completely bypassed - no prompt was shown
- 4. Posted content is publicly visible to collaborators
What Should Happen?
Since gh pr comment was not in my allow list, Claude should have prompted
me for permission before executing:
"Claude wants to run: gh pr comment xx --body '...'"
[Allow] [Allow for session] [Deny]
Steps to Reproduce
- Ensure
gh pr commentis NOT in yourallowlist in settings - Run the
/code-reviewskill on a PR (e.g.,/code-review xx) - Claude executes
gh pr comment <PR_NUMBER> --body "..."without prompting - A comment is posted to the PR without user approval
Settings configuration (gh pr comment NOT in allow list):
{
"permissions": {
"allow": [
"Bash(gh pr view:*)",
"Bash(gh pr diff:*)"
]
}
}
Command that executed without prompt:
gh pr comment xx --body "### Code review..."
Claude Model
Opus
Is this a regression?
I don't know
Claude Code Version
2.1.19 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
VS Code integrated terminal
Additional Information
Additional Information:
- This differs from #18613 (flag reordering bypass) and #16180 (command
chaining bypass) - this is a single, standard command with no tricks
- The command writes to an external service (GitHub), making the lack of
permission prompt a security concern
- Possibly related to skill/plugin execution context bypassing normal
permission checks
- The
/code-reviewskill instructions tell Claude to post comments, but the
permission system should still enforce user approval for commands not in the
allow list
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗