Skill deny rules in settings.json do not block user-initiated slash commands

Resolved 💬 3 comments Opened Mar 4, 2026 by asjadjawed Closed Apr 15, 2026

Summary

Deny rules for skills in settings.local.json (or settings.json) are not enforced when a skill is invoked directly by the user as a slash command.

Steps to Reproduce

  1. Add a skill to the deny list in .claude/settings.local.json:

``json
{
"permissions": {
"deny": ["Skill(research_codebase)"]
}
}
``

  1. Type /research_codebase as a slash command in a Claude Code session.
  2. Observe that Claude executes the skill instructions despite the deny rule.

Expected Behavior

Claude should decline to execute the skill, consistent with how the deny rule behaves when the Skill tool is called programmatically.

Actual Behavior

When invoked as a slash command, the skill prompt is expanded and injected into the conversation context before the permission check fires. Claude then follows the injected instructions, bypassing the deny rule entirely.

When Claude itself calls Skill(research_codebase) via the tool, the deny rule correctly blocks execution with: Skill execution blocked by permission rules.

Environment

  • Platform: macOS (darwin 25.3.0)
  • Shell: zsh

Suggested Fix

Slash command expansion should be gated against the deny list before the skill prompt is injected into the conversation.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗