[DOCS] PowerShell tool docs omit dangerous-command safety behavior
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/tools-reference#powershell-tool
Section/Topic
PowerShell tool preview documentation, especially safety behavior for dangerous or destructive PowerShell commands
Current Documentation
The PowerShell tool docs currently say:
On Windows, Claude Code can run PowerShell commands natively instead of routing through Git Bash. This is an opt-in preview. The PowerShell tool has the following known limitations during the preview: Auto mode does not work with the PowerShell tool yet PowerShell profiles are not loaded Sandboxing is not supported Only supported on native Windows, not WSL * Git Bash is still required to start Claude Code
Related security guidance currently says:
Command injection detection: Suspicious bash commands require manual approval even if previously allowlisted Fail-closed matching: Unmatched commands default to requiring manual approval
What's Wrong or Missing?
Changelog v2.1.85 says:
Improved PowerShell dangerous command detection
The current docs explain how to enable the PowerShell tool and list its preview limitations, but they do not explain that PowerShell commands are also subject to dangerous-command detection and elevated approval behavior.
That leaves three gaps:
A. The PowerShell tool page omits PowerShell-specific safety behavior
Windows users can learn how to enable the preview, but not what safety behavior to expect when Claude proposes a destructive PowerShell command.
B. The security page reads as Bash-only
Because the current wording says "Suspicious bash commands," readers can reasonably conclude that this protection applies only to Bash and not to the PowerShell tool.
C. The preview's guardrails are underspecified
Users evaluating whether to adopt the PowerShell preview should be able to tell that dangerous PowerShell commands may receive extra scrutiny and manual approval rather than being treated like ordinary shell execution.
Suggested Improvement
Add a short safety note to the PowerShell tool section, and align the security page wording with it.
For example, the PowerShell tool page could add a note such as:
Dangerous or destructive PowerShell commands can still trigger additional safety checks and manual approval when the PowerShell tool is enabled.
The docs should also clarify:
- that PowerShell command execution does not bypass Claude Code's dangerous-command protections,
- that users may still see manual approval for destructive PowerShell actions even when the tool is enabled, and
- that the general security guidance applies to PowerShell as well as Bash where relevant.
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Context |
|------|---------|
| https://code.claude.com/docs/en/tools-reference#powershell-tool | Primary PowerShell tool documentation; should explain dangerous-command/manual-approval behavior for the Windows preview |
| https://code.claude.com/docs/en/security | General safeguards page currently phrases this protection as Bash-only and should clarify how it applies when the PowerShell tool is enabled |
Total scope: 2 pages affected
Source: Changelog v2.1.85
Exact changelog entry:
Improved PowerShell dangerous command detection
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗