CLAUDE_CODE_SUBPROCESS_ENV_SCRUB should not override permission mode

Resolved 💬 3 comments Opened Apr 20, 2026 by renatodinizc Closed May 27, 2026

Summary

When CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is set, Claude Code forces the permission mode back to default, even when --dangerously-skip-permissions is explicitly passed. This couples two orthogonal concerns.

Observed behavior

$ claude --dangerously-skip-permissions
⚠ Permission mode forced to default — CLAUDE_CODE_SUBPROCESS_ENV_SCRUB is set (allowed_non_write_users hardening). Declare allowedTools explicitly, or set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=0 to opt out.

Expected behavior

CLAUDE_CODE_SUBPROCESS_ENV_SCRUB should only control whether sensitive environment variables are scrubbed before being passed to subprocesses. It should not override the user's explicit permission mode selection.

These protect against different threat vectors:

  • Env scrubbing: prevents secrets (API keys, tokens) from leaking to subprocesses
  • Permission mode: controls whether tools require user approval before execution

Coupling them means users who want env scrubbing (reasonable security hygiene) are forced to also lose control over their permission model, with no way to opt into one without the other.

Suggested fix

Decouple the two behaviors:

  • CLAUDE_CODE_SUBPROCESS_ENV_SCRUB controls env var sanitization only
  • --dangerously-skip-permissions (or allowedTools) controls the permission model independently

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗