query() from claude-agent-sdk bypasses session auth, hits api.anthropic.com directly
Environment
- Claude Code version: 2.1.83
- claude-agent-sdk version: 0.2.77
- OS: macOS (Darwin 25.3.0)
Description
Two related issues that appear to be a regression in 2.1.83:
1. query() from @anthropic-ai/claude-agent-sdk hits api.anthropic.com directly instead of using session auth
When a skill invokes a Bash subprocess that calls query() from @anthropic-ai/claude-agent-sdk, the SDK is attempting to reach api.anthropic.com directly — triggering sandbox network permission prompts — instead of tunneling through Claude Code's session IPC.
This means:
- Users with sandbox enabled get repeated prompts to allow
api.anthropic.com - If no
ANTHROPIC_API_KEYis set (because the project relies on Claude Code session auth being free), the calls fail - If a key IS set, users get billed at standard API rates instead of using their Claude Code subscription
Expected behavior: query() should use session auth (IPC tunnel), not make direct HTTP calls to api.anthropic.com. This worked in previous versions.
2. AskUserQuestion not available despite being in skill allowed-tools
A skill definition with this frontmatter:
allowed-tools:
- Read
- Write
- Bash
- Glob
- Grep
- AskUserQuestion
...does not receive AskUserQuestion in its available tools. The model explicitly reports: "I looked for AskUserQuestion in my available tools and it's not there (not in the deferred tools list either)."
Reproduction
- Create a skill with
AskUserQuestioninallowed-tools - Have the skill invoke a Bash command that runs a Node.js process using
query()from@anthropic-ai/claude-agent-sdk - Observe: sandbox prompts for
api.anthropic.comaccess, andAskUserQuestionunavailable to the model
Impact
Projects that use query() for Claude model calls (relying on session auth being free) are effectively broken — all Claude subagent calls either fail or incur unexpected API charges.
🤖 Generated with Claude Code
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗