[BUG] deny: ["Skill"] permission setting does not block slash command skill invocation

Resolved 💬 2 comments Opened Apr 21, 2026 by hiyorineko Closed Apr 21, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When Skill is added to the deny list in .claude/settings.local.json, slash commands that map to skills (e.g., /code_review_v4) still expand and execute the skill content, bypassing the permission setting.

The Skill tool call is correctly blocked when the assistant explicitly invokes it (the user is prompted and can deny). However, slash commands auto-expand skill content via <command-name> tag injection before any permission check occurs, so the skill runs regardless of the deny setting.

What Should Happen?

When Skill is in the deny list, slash commands that map to skills should be blocked (or the user should be prompted for approval), consistent with how tool-level permission checks work for other tools.

Error Messages/Logs

(No error message — the skill silently executes despite the deny rule)

Steps to Reproduce

  1. Add "Skill" to the deny list in .claude/settings.local.json:

``json
{
"permissions": {
"deny": ["Skill"]
}
}
``

  1. Type a slash command that maps to a skill (e.g., /code_review_v4)
  2. The skill content is expanded and begins executing automatically — no permission prompt appears

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.89

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

zsh

Additional Information

The deny rule does take effect for explicit Skill tool calls made by the assistant during a session — those correctly trigger a user prompt. Only the initial slash command auto-expansion bypasses the check.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗