[BUG] Custom agent tool restrictions not enforced - agents have full tool access regardless of configuration
Environment
- Platform (select one):
- [ ] Anthropic API
- [ ] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version: <!-- output of
claude --version--> - Operating System: <!-- e.g. macOS 14.3, Windows 11, Ubuntu 22.04 -->
- Terminal: <!-- e.g. iTerm2, Terminal App -->
Bug Description
<!-- A clear and concise description of the bug -->
Steps to Reproduce
- Create a custom agent at .claude/agents/jarvis.md with restricted tool access:
---
name: jarvis
description: Routes user requests to appropriate specialized agents
tools: Task
model: opus
---
- Invoke the agent using @agent-jarvis or through the Task tool
- The agent executes with full tool access instead of being restricted to only the Task tool
Expected Behavior
- Agent configured with tools: Task should ONLY be able to use the Task tool
- Attempting to use other tools (Read, Bash, Grep, etc.) should fail with a permission error
- The agent should be forced to delegate work to other agents via the Task tool
Actual Behavior
- Agent configured with tools: Task can use ALL tools (Read, Bash, Grep, Write, etc.)
- The agent performs work directly instead of routing through specialized agents
- Tool restrictions in the agent configuration are completely ignored
Additional Context
This breaks the principle of least privilege and defeats the purpose of having specialized agents with limited capabilities. For example, a routing/orchestrator agent (jarvis) that should only coordinate other agents is able to perform all
operations directly, violating its intended design as a pure orchestrator.
Configuration file example (.claude/agents/jarvis.md):
---
name: jarvis
description: Routes user requests to appropriate specialized agents
tools: Task # Should restrict to ONLY Task tool
model: opus
---
# Agent instructions stating it should only route, never do work directly
Observed behavior: Despite tools: Task configuration, the agent can execute Bash commands, read files, and perform all operations that should be restricted.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗