[BUG] `disallowedTools: [Write, Edit]` trivially bypassed via Bash tool — agents use sed/awk/redirects to modify files

Resolved 💬 6 comments Opened Mar 6, 2026 by Mationetap Closed May 1, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When an agent has disallowedTools: [Write, Edit] in its frontmatter, the agent can still modify any file using the Bash tool with sed -i, awk, echo >, tee, cat >, etc. The disallowedTools enforcement only blocks the named tool functions, not equivalent file-modifying Bash operations.

This undermines the orchestrator pattern where a conductor agent should ONLY coordinate and NEVER modify code directly.

What Should Happen?

If Write and Edit are in disallowedTools, the agent should not be able to modify files through any means. Options (in order of preference):

  1. Detect and block file-modifying Bash patterns when Write/Edit are disallowed
  2. Add a readOnlyFilesystem: true frontmatter field that enforces read-only at the OS/sandbox level
  3. At minimum, document this limitation so users know disallowedTools is not a security boundary

Error Messages/Logs

No error. The file modification via Bash succeeds silently.

Steps to Reproduce

  1. Create an agent ~/.claude/agents/readonly-test.md:

```yaml
---
name: readonly-test
description: Read-only test agent
tools:

  • Read
  • Bash
  • Grep
  • Glob

disallowedTools:

  • Write
  • Edit
  • NotebookEdit

---
You are a read-only analyst. You must NEVER modify project files.
Only analyze and report.
```

  1. From a normal session, delegate to this agent:

``
Delegate to readonly-test: "In the file /tmp/test.txt, replace 'hello' with 'goodbye'"
``

  1. The agent will use:

``bash
sed -i 's/hello/goodbye/' /tmp/test.txt
`
The file is modified — despite Write/Edit being in
disallowedTools`.

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

_No response_

Claude Code Version

2.1.69 (Claude Code)

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

Windows Terminal

Additional Information

Real-world example: My conductor agent has disallowedTools: [Write, Edit, NotebookEdit] and a system prompt rule: "NEVER write code — orchestration only." During a real task, it bypassed this and ran:

sed -i '/date-picker-block/d' app/Orchid/Screens/OrderScreen.php
echo '$mockData = [...]' >> app/Services/RatingService.php

This modified PHP source files directly, circumventing the entire quality gate pipeline (code review, security audit) that was designed to review all code changes.

Suggested implementation:

// In Bash tool executor, before running command:
if (disallowedTools.includes('Write') || disallowedTools.includes('Edit')) {
  const modifyPatterns = [
    /\bsed\s+-i/,           // sed in-place
    /\bawk\s+-i\s+inplace/, // awk in-place
    /\bperl\s+-[ip]/,       // perl in-place
    /[^|]>\s*\S/,           // redirect to file (not pipe)
    />>s*\S/,               // append to file
    /\btee\s+\S/,           // tee to file
  ];
  if (modifyPatterns.some(p => p.test(command))) {
    return { error: "File modification via Bash blocked: Write/Edit are disallowed for this agent" };
  }
}

Prompt-level workaround: I added explicit Bash prohibitions to the agent prompt: "NO sed -i, NO awk, NO echo >, NO tee, NO heredoc redirections — ANY file modification via Bash is code writing." This helps but relies on model compliance, not enforcement.

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗