[BUG] deny: ["Skill"] permission setting does not block slash command skill invocation
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When Skill is added to the deny list in .claude/settings.local.json, slash commands that map to skills (e.g., /code_review_v4) still expand and execute the skill content, bypassing the permission setting.
The Skill tool call is correctly blocked when the assistant explicitly invokes it (the user is prompted and can deny). However, slash commands auto-expand skill content via <command-name> tag injection before any permission check occurs, so the skill runs regardless of the deny setting.
What Should Happen?
When Skill is in the deny list, slash commands that map to skills should be blocked (or the user should be prompted for approval), consistent with how tool-level permission checks work for other tools.
Error Messages/Logs
(No error message — the skill silently executes despite the deny rule)
Steps to Reproduce
- Add
"Skill"to thedenylist in.claude/settings.local.json:
``json``
{
"permissions": {
"deny": ["Skill"]
}
}
- Type a slash command that maps to a skill (e.g.,
/code_review_v4) - The skill content is expanded and begins executing automatically — no permission prompt appears
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.89
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
zsh
Additional Information
The deny rule does take effect for explicit Skill tool calls made by the assistant during a session — those correctly trigger a user prompt. Only the initial slash command auto-expansion bypasses the check.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗