Skill deny rules in settings.json do not block user-initiated slash commands
Summary
Deny rules for skills in settings.local.json (or settings.json) are not enforced when a skill is invoked directly by the user as a slash command.
Steps to Reproduce
- Add a skill to the deny list in
.claude/settings.local.json:
``json``
{
"permissions": {
"deny": ["Skill(research_codebase)"]
}
}
- Type
/research_codebaseas a slash command in a Claude Code session. - Observe that Claude executes the skill instructions despite the deny rule.
Expected Behavior
Claude should decline to execute the skill, consistent with how the deny rule behaves when the Skill tool is called programmatically.
Actual Behavior
When invoked as a slash command, the skill prompt is expanded and injected into the conversation context before the permission check fires. Claude then follows the injected instructions, bypassing the deny rule entirely.
When Claude itself calls Skill(research_codebase) via the tool, the deny rule correctly blocks execution with: Skill execution blocked by permission rules.
Environment
- Platform: macOS (darwin 25.3.0)
- Shell: zsh
Suggested Fix
Slash command expansion should be gated against the deny list before the skill prompt is injected into the conversation.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗