[BUG] Sub-agents bypass permission deny rules and per-command approval — security risk
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
Sub-agents spawned via the Task tool bypass both settings.local.json deny rules
and the per-command approval gate that protects users in the main conversation. This
means a single "approve" on a Task tool launch gives the sub-agent unrestricted bash
access, and all command output is sent to Anthropic's API without individual user consent.
## Environment
- Claude Code CLI (latest as of Feb 2026)
- WSL2 / Ubuntu
settings.local.jsonhas"Bash"in the deny list
## What Happened
- I had
"Bash"in mysettings.local.jsondeny list — every bash command in the
main conversation correctly prompts me for approval
- I asked Claude to run a security audit of my machine
- Claude spawned two sub-agents via the Task tool — I approved the Task tool launch only
- The sub-agents ran 22+ bash commands autonomously without me approving any of them individually:
ls -la ~/.ssh/(accessed my SSH directory)cat ~/.bashrcandcat ~/.profile(read shell configs)tail -100 ~/.bash_history(read my command history)ps aux(listed all processes)ss -tulnp(listed network connections)find / -perm -4000(scanned entire filesystem)git log(ran git commands)- And more
- All of this output was sent to Anthropic's API as part of the sub-agent conversations
- I never approved any of these commands individually
## Expected Behavior
- Sub-agents should inherit deny rules from
settings.local.json - If
"Bash"is denied, sub-agents should NOT be able to run bash commands without
per-command user approval
- Sensitive directories (
~/.ssh/,~/.gnupg/,~/.aws/) should have built-in
protection or at minimum respect deny rules
- Users should be clearly informed that sub-agent command output is sent to the API
## Actual Behavior
- Sub-agents completely bypass the deny list
- A single Task tool approval grants unrestricted bash access within the sub-agent
- No per-command approval gate exists for sub-agent bash commands
- No audit trail exists outside the conversation transcript
- User has no way to review sub-agent commands before they execute
## Security Implications
- An attacker using prompt injection (e.g., in a file Claude reads) could trigger a
sub-agent that exfiltrates sensitive data
- Users who carefully configured deny rules have a false sense of security — sub-agents
bypass those rules entirely
- SSH keys, API credentials, shell history, and other sensitive data can be accessed
and sent to the API without explicit per-command consent
## Related Issues
- #18950 — Subagents don't inherit user-level permissions
- #10906 — Plan agent ignores settings.json
- #16461 — Bash bypasses Write guardrails
- #5465 — Task subagents fail to inherit permissions in MCP server mode
What Should Happen?
## Suggested Fixes
- Sub-agents MUST inherit deny rules from
settings.local.json - If Bash is denied, sub-agents should require per-command approval (surfaced to user)
- Built-in deny list for sensitive directories (
~/.ssh/,~/.gnupg/,~/.aws/,
~/.bash_history) — opt-out rather than opt-in
- Clear warning when launching a sub-agent that its output will be sent to the API
- Independent audit log for sub-agent commands (outside conversation context)
Error Messages/Logs
Steps to Reproduce
- I had
"Bash"in mysettings.local.jsondeny list — every bash command in the
main conversation correctly prompts me for approval
- I asked Claude to run a security audit of my machine
- Claude spawned two sub-agents via the Task tool — I approved the Task tool launch only
- The sub-agents ran 22+ bash commands autonomously without me approving any of them individually:
ls -la ~/.ssh/(accessed my SSH directory)cat ~/.bashrcandcat ~/.profile(read shell configs)tail -100 ~/.bash_history(read my command history)ps aux(listed all processes)ss -tulnp(listed network connections)find / -perm -4000(scanned entire filesystem)git log(ran git commands)- And more
- All of this output was sent to Anthropic's API as part of the sub-agent conversations
- I never approved any of these commands individually
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.39 (Claude Code)
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
WSL (Windows Subsystem for Linux)
Additional Information
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗