[BUG] Sub-agents bypass permission deny rules and per-command approval — security risk

Resolved 💬 4 comments Opened Feb 11, 2026 by IUsedToBeHumanOnce Closed Feb 15, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

Sub-agents spawned via the Task tool bypass both settings.local.json deny rules
and the per-command approval gate that protects users in the main conversation. This
means a single "approve" on a Task tool launch gives the sub-agent unrestricted bash
access, and all command output is sent to Anthropic's API without individual user consent.

## Environment

  • Claude Code CLI (latest as of Feb 2026)
  • WSL2 / Ubuntu
  • settings.local.json has "Bash" in the deny list

## What Happened

  1. I had "Bash" in my settings.local.json deny list — every bash command in the

main conversation correctly prompts me for approval

  1. I asked Claude to run a security audit of my machine
  2. Claude spawned two sub-agents via the Task tool — I approved the Task tool launch only
  3. The sub-agents ran 22+ bash commands autonomously without me approving any of them individually:
  • ls -la ~/.ssh/ (accessed my SSH directory)
  • cat ~/.bashrc and cat ~/.profile (read shell configs)
  • tail -100 ~/.bash_history (read my command history)
  • ps aux (listed all processes)
  • ss -tulnp (listed network connections)
  • find / -perm -4000 (scanned entire filesystem)
  • git log (ran git commands)
  • And more
  1. All of this output was sent to Anthropic's API as part of the sub-agent conversations
  2. I never approved any of these commands individually

## Expected Behavior

  • Sub-agents should inherit deny rules from settings.local.json
  • If "Bash" is denied, sub-agents should NOT be able to run bash commands without

per-command user approval

  • Sensitive directories (~/.ssh/, ~/.gnupg/, ~/.aws/) should have built-in

protection or at minimum respect deny rules

  • Users should be clearly informed that sub-agent command output is sent to the API

## Actual Behavior

  • Sub-agents completely bypass the deny list
  • A single Task tool approval grants unrestricted bash access within the sub-agent
  • No per-command approval gate exists for sub-agent bash commands
  • No audit trail exists outside the conversation transcript
  • User has no way to review sub-agent commands before they execute

## Security Implications

  • An attacker using prompt injection (e.g., in a file Claude reads) could trigger a

sub-agent that exfiltrates sensitive data

  • Users who carefully configured deny rules have a false sense of security — sub-agents

bypass those rules entirely

  • SSH keys, API credentials, shell history, and other sensitive data can be accessed

and sent to the API without explicit per-command consent

## Related Issues

  • #18950 — Subagents don't inherit user-level permissions
  • #10906 — Plan agent ignores settings.json
  • #16461 — Bash bypasses Write guardrails
  • #5465 — Task subagents fail to inherit permissions in MCP server mode

What Should Happen?

## Suggested Fixes

  1. Sub-agents MUST inherit deny rules from settings.local.json
  2. If Bash is denied, sub-agents should require per-command approval (surfaced to user)
  3. Built-in deny list for sensitive directories (~/.ssh/, ~/.gnupg/, ~/.aws/,

~/.bash_history) — opt-out rather than opt-in

  1. Clear warning when launching a sub-agent that its output will be sent to the API
  2. Independent audit log for sub-agent commands (outside conversation context)

Error Messages/Logs

Steps to Reproduce

  1. I had "Bash" in my settings.local.json deny list — every bash command in the

main conversation correctly prompts me for approval

  1. I asked Claude to run a security audit of my machine
  2. Claude spawned two sub-agents via the Task tool — I approved the Task tool launch only
  3. The sub-agents ran 22+ bash commands autonomously without me approving any of them individually:
  • ls -la ~/.ssh/ (accessed my SSH directory)
  • cat ~/.bashrc and cat ~/.profile (read shell configs)
  • tail -100 ~/.bash_history (read my command history)
  • ps aux (listed all processes)
  • ss -tulnp (listed network connections)
  • find / -perm -4000 (scanned entire filesystem)
  • git log (ran git commands)
  • And more
  1. All of this output was sent to Anthropic's API as part of the sub-agent conversations
  2. I never approved any of these commands individually

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.39 (Claude Code)

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

WSL (Windows Subsystem for Linux)

Additional Information

_No response_

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗