allowed-tools in SKILL.md frontmatter does not restrict tool access
Description
When a skill specifies allowed-tools in its YAML frontmatter, Claude still has unrestricted access to all tools. The allowed-tools field appears to be parsed but not enforced.
Reproduction
- Create a skill with restricted tools:
---
name: orchestrator
description: Pure router skill that classifies requests and invokes other skills.
allowed-tools: Read, Write, Glob, Skill
---
- The SKILL.md body explicitly instructs:
- "NEVER spawn agents or subagents"
- "NEVER use Agent, Explore, Grep, Bash, Edit"
- "Your entire job is exactly 3 actions: Read state, Classify, Invoke Skill tool"
- Invoke the skill:
/orchestrator check if this skill is well integrated
- Expected: Claude only uses Read, Write, Glob, and Skill tools. Routes to
/validationskill.
- Actual: Claude spawns an
Exploreagent, reads multiple files, and performs a full audit directly — completely ignoring both theallowed-toolsrestriction and the prose instructions.
Tested multiple times
- Added
allowed-tools: Read, Write, Glob, Skillto frontmatter → no effect - Added 7 explicit "NEVER" rules in the SKILL.md body → ignored
- Added "VIOLATION OF ANY RULE IS A FAILURE" framing → ignored
- Tested across fresh sessions (
/clear+ re-invoke) → same behavior
Impact
This makes it impossible to build "pure router" or "classifier-only" skills that delegate work to other skills without doing the work themselves. The allowed-tools field is the only mechanism to structurally prevent a skill from accessing tools it shouldn't use, but it has no effect.
Expected behavior
When allowed-tools is specified in SKILL.md frontmatter, Claude should be restricted to only those tools while the skill is active. Tool calls outside the allowed list should be blocked (similar to how MCP server tool access is scoped).
Environment
- Claude Code CLI (latest)
- macOS Darwin 25.2.0
- Model: claude-opus-4-6
---
🤖 Generated with Claude Code
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗