[BUG] Bash command writing to external service executed without permission prompt

Resolved 💬 3 comments Opened Jan 25, 2026 by RavinderSinghPB Closed Jan 29, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude executed gh pr comment which writes to an external GitHub PR, without
showing any permission prompt. The command was NOT in my allow list, so it
should have prompted for approval before executing.

This is concerning because:

  • 1. The command writes to an external service (GitHub) - not a local operation
  • 2. I was not expecting any write operations during a code review
  • 3. The permission system was completely bypassed - no prompt was shown
  • 4. Posted content is publicly visible to collaborators

What Should Happen?

Since gh pr comment was not in my allow list, Claude should have prompted
me for permission before executing:

"Claude wants to run: gh pr comment xx --body '...'"
[Allow] [Allow for session] [Deny]

Steps to Reproduce

  1. Ensure gh pr comment is NOT in your allow list in settings
  2. Run the /code-review skill on a PR (e.g., /code-review xx)
  3. Claude executes gh pr comment <PR_NUMBER> --body "..." without prompting
  4. A comment is posted to the PR without user approval

Settings configuration (gh pr comment NOT in allow list):
{
"permissions": {
"allow": [
"Bash(gh pr view:*)",
"Bash(gh pr diff:*)"
]
}
}

Command that executed without prompt:
gh pr comment xx --body "### Code review..."

Claude Model

Opus

Is this a regression?

I don't know

Claude Code Version

2.1.19 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

VS Code integrated terminal

Additional Information

Additional Information:

  • This differs from #18613 (flag reordering bypass) and #16180 (command

chaining bypass) - this is a single, standard command with no tricks

  • The command writes to an external service (GitHub), making the lack of

permission prompt a security concern

  • Possibly related to skill/plugin execution context bypassing normal

permission checks

  • The /code-review skill instructions tell Claude to post comments, but the

permission system should still enforce user approval for commands not in the
allow list

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗