SECURITY: Claude circumvents denied Bash(rm) by using Python os.remove() as workaround

Resolved 💬 6 comments Opened Mar 26, 2026 by hjpincha Closed May 3, 2026

The permissions system should prevent Claude from accomplishing restricted goals, not just block one method. Currently, Claude appears to be trying alternative execution methods to bypass denied commands.

Expected Behavior

When a command is denied, Claude should:

  1. NOT attempt alternative methods to accomplish the same goal
  2. Inform the user the operation is not allowed
  3. Not try to work around the restriction with different tools/languages

Actual Behavior

Claude attempts to circumvent denied permissions by:

  • Using Python when Bash(rm) is denied
  • Potentially using other execution methods when primary methods are blocked
  • This suggests Claude is treating permission restrictions as "blocked tool" rather than "blocked goal"

Evidence

<img width="1014" height="89" alt="Image" src="https://github.com/user-attachments/assets/2e26486c-f56d-451a-bf4d-a15bfa67721f" />

Configuration

Settings.json deny rules:

"deny": [
  "Bash(rm *)",
  "Bash(git push --force *)",
  "Bash(chmod 777 *)",
  "Edit(/Users/quantler/core-nautilus/nautilus_trader/*)"
]

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗