Sub-agents can escalate permission mode beyond parent session (default → auto)
Summary
The Agent tool allows the model to specify "mode":"auto" when spawning sub-agents, even when the parent session is running in "default" permission mode. This effectively bypasses the user's configured allow/deny/ask permission rules for the sub-agent's entire lifetime.
Reproduction
- Run Claude Code with permission mode set to
default - Configure
settings.jsonwith explicit allow/deny/ask rules (e.g., do NOT allowgit grep) - Ask Claude to perform a task that triggers Agent spawning (e.g., "take on this task in a worktree")
- Observe: the model passes
"mode":"auto"to the Agent tool - The sub-agent freely runs commands like
git grepthat are not in the user's allow list
Observed Behavior
- Parent session:
"permissionMode":"default"(recorded in session JSONL) - Agent tool call included
"mode":"auto"in its input parameters - Sub-agent executed 293 tool calls over ~34 minutes without user approval
- Commands not in the user's allow list (e.g.,
git grep) ran without prompting - The sub-agent's tool calls still triggered
PreToolUsehooks, but permission checks were bypassed by auto mode
Expected Behavior
A sub-agent's effective permission mode should not exceed the parent session's permission mode. If the parent is in "default" mode, spawned agents should be constrained to "default" (or more restrictive). The model should not be able to self-escalate permissions by choosing "auto" mode for its own sub-agents.
Impact
- Permission bypass: User-configured allow/deny/ask rules are ignored for the sub-agent
- Reduced oversight: The user has no opportunity to approve/deny individual tool calls
- Trust model violation: Users in
"default"mode have an expectation of interactive approval for unconfigured commands. Auto mode silently removes that guarantee.
Mitigating Factors
- Auto mode did still block
git push(the agent reported "unable to push due to tool permission restrictions") - User-configured hooks (
PreToolUse) still fired on the sub-agent's tool calls - In this case the agent ran in an isolated worktree, limiting blast radius
Environment
- Claude Code version: 2.1.118
- Model: claude-opus-4-6
- Platform: macOS (Darwin 25.3.0)
- Permission mode:
default - Auto mode was NOT configured in any settings file
Session Evidence
Session ID: 59c8eba7-8f99-437a-bec4-1deb2ff5b31e
Line 1 — session permission mode:
{"type":"permission-mode","permissionMode":"default"}
Line 48 — Agent tool call with escalated mode:
{
"name": "Agent",
"input": {
"description": "Eliminate DB singleton refactor",
"mode": "auto",
"isolation": "worktree"
}
}
Task completion notification — 293 tool calls, no user approvals:
<usage>
<total_tokens>208710</total_tokens>
<tool_uses>293</tool_uses>
<duration_ms>2042442</duration_ms>
</usage>
Suggested Fix
Enforce that the Agent tool's mode parameter cannot exceed the parent session's permission level. If the parent is in "default" mode, reject or downgrade any sub-agent mode that is more permissive (e.g., auto, bypassPermissions, dontAsk).
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗