[BUG] `disallowedTools: [Write, Edit]` trivially bypassed via Bash tool — agents use sed/awk/redirects to modify files
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When an agent has disallowedTools: [Write, Edit] in its frontmatter, the agent can still modify any file using the Bash tool with sed -i, awk, echo >, tee, cat >, etc. The disallowedTools enforcement only blocks the named tool functions, not equivalent file-modifying Bash operations.
This undermines the orchestrator pattern where a conductor agent should ONLY coordinate and NEVER modify code directly.
What Should Happen?
If Write and Edit are in disallowedTools, the agent should not be able to modify files through any means. Options (in order of preference):
- Detect and block file-modifying Bash patterns when Write/Edit are disallowed
- Add a
readOnlyFilesystem: truefrontmatter field that enforces read-only at the OS/sandbox level - At minimum, document this limitation so users know
disallowedToolsis not a security boundary
Error Messages/Logs
No error. The file modification via Bash succeeds silently.
Steps to Reproduce
- Create an agent
~/.claude/agents/readonly-test.md:
```yaml
---
name: readonly-test
description: Read-only test agent
tools:
- Read
- Bash
- Grep
- Glob
disallowedTools:
- Write
- Edit
- NotebookEdit
---
You are a read-only analyst. You must NEVER modify project files.
Only analyze and report.
```
- From a normal session, delegate to this agent:
````
Delegate to readonly-test: "In the file /tmp/test.txt, replace 'hello' with 'goodbye'"
- The agent will use:
``bash`
sed -i 's/hello/goodbye/' /tmp/test.txt
disallowedTools`.
The file is modified — despite Write/Edit being in
Claude Model
Opus
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.1.69 (Claude Code)
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Windows Terminal
Additional Information
Real-world example: My conductor agent has disallowedTools: [Write, Edit, NotebookEdit] and a system prompt rule: "NEVER write code — orchestration only." During a real task, it bypassed this and ran:
sed -i '/date-picker-block/d' app/Orchid/Screens/OrderScreen.php
echo '$mockData = [...]' >> app/Services/RatingService.php
This modified PHP source files directly, circumventing the entire quality gate pipeline (code review, security audit) that was designed to review all code changes.
Suggested implementation:
// In Bash tool executor, before running command:
if (disallowedTools.includes('Write') || disallowedTools.includes('Edit')) {
const modifyPatterns = [
/\bsed\s+-i/, // sed in-place
/\bawk\s+-i\s+inplace/, // awk in-place
/\bperl\s+-[ip]/, // perl in-place
/[^|]>\s*\S/, // redirect to file (not pipe)
/>>s*\S/, // append to file
/\btee\s+\S/, // tee to file
];
if (modifyPatterns.some(p => p.test(command))) {
return { error: "File modification via Bash blocked: Write/Edit are disallowed for this agent" };
}
}
Prompt-level workaround: I added explicit Bash prohibitions to the agent prompt: "NO sed -i, NO awk, NO echo >, NO tee, NO heredoc redirections — ANY file modification via Bash is code writing." This helps but relies on model compliance, not enforcement.
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗