Permission heuristic false-positive: echo "---" triggers 'quoted characters in flag names'
Resolved 💬 2 comments Opened Mar 5, 2026 by fbartho Closed Mar 5, 2026
Description
When Claude constructs a compound ls command with echo "---" as a visual separator, the permission system incorrectly flags it with:
Command contains quoted characters in flag names
Reproduction
This command triggers a permission prompt:
ls /path/to/dir1/ && echo "---" && ls /path/to/dir2/ && echo "---" && ls /path/to/dir3/
The "---" in echo "---" is not a flag — it's a string argument to echo. The heuristic appears to pattern-match quoted dash sequences without considering the command context.
Two issues
- Heuristic false-positive: The "quoted characters in flag names" check should not flag quoted arguments to
echo/printf/similar output commands."---"as an argument toechois clearly a separator string, not an obfuscated flag.
Note: Claude was exploring the skills/agents/commands at the time. I did not tell it "list these directories". The prompt was "identify the tools that might be improved by <some new thing from the claude changelog>".
- Claude's command construction contributes: When asked to list multiple directories, Claude chains them into one compound command with decorative
echo "---"separators instead of making separatels/Glob calls. This compound construction is what introduces the pattern that triggers the false positive. If Claude used parallel tool calls (3 Glob or 3 Bash calls), no prompt would occur. The user had already grantedlspermission — the prompt was unexpected.
Expected behavior
echo "---"should not trigger a permission prompt- Ideally, Claude should prefer parallel tool calls over compound shell commands with decorative separators
Environment
- Claude Code CLI
- macOS (Darwin)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗