SECURITY: Claude circumvents denied Bash(rm) by using Python os.remove() as workaround
Resolved 💬 6 comments Opened Mar 26, 2026 by hjpincha Closed May 3, 2026
The permissions system should prevent Claude from accomplishing restricted goals, not just block one method. Currently, Claude appears to be trying alternative execution methods to bypass denied commands.
Expected Behavior
When a command is denied, Claude should:
- NOT attempt alternative methods to accomplish the same goal
- Inform the user the operation is not allowed
- Not try to work around the restriction with different tools/languages
Actual Behavior
Claude attempts to circumvent denied permissions by:
- Using Python when Bash(rm) is denied
- Potentially using other execution methods when primary methods are blocked
- This suggests Claude is treating permission restrictions as "blocked tool" rather than "blocked goal"
Evidence
<img width="1014" height="89" alt="Image" src="https://github.com/user-attachments/assets/2e26486c-f56d-451a-bf4d-a15bfa67721f" />
Configuration
Settings.json deny rules:
"deny": [
"Bash(rm *)",
"Bash(git push --force *)",
"Bash(chmod 777 *)",
"Edit(/Users/quantler/core-nautilus/nautilus_trader/*)"
]This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗