[BUG] Custom agent tool restrictions not enforced - agents have full tool access regardless of configuration

Resolved 💬 3 comments Opened Aug 9, 2025 by abhikeshwale Closed Aug 19, 2025

Environment

  • Platform (select one):
  • [ ] Anthropic API
  • [ ] AWS Bedrock
  • [ ] Google Vertex AI
  • [ ] Other: <!-- specify -->
  • Claude CLI version: <!-- output of claude --version -->
  • Operating System: <!-- e.g. macOS 14.3, Windows 11, Ubuntu 22.04 -->
  • Terminal: <!-- e.g. iTerm2, Terminal App -->

Bug Description

<!-- A clear and concise description of the bug -->

Steps to Reproduce

  1. Create a custom agent at .claude/agents/jarvis.md with restricted tool access:

---
name: jarvis
description: Routes user requests to appropriate specialized agents
tools: Task
model: opus
---

  1. Invoke the agent using @agent-jarvis or through the Task tool
  2. The agent executes with full tool access instead of being restricted to only the Task tool

Expected Behavior

  • Agent configured with tools: Task should ONLY be able to use the Task tool
  • Attempting to use other tools (Read, Bash, Grep, etc.) should fail with a permission error
  • The agent should be forced to delegate work to other agents via the Task tool

Actual Behavior

  • Agent configured with tools: Task can use ALL tools (Read, Bash, Grep, Write, etc.)
  • The agent performs work directly instead of routing through specialized agents
  • Tool restrictions in the agent configuration are completely ignored

Additional Context

This breaks the principle of least privilege and defeats the purpose of having specialized agents with limited capabilities. For example, a routing/orchestrator agent (jarvis) that should only coordinate other agents is able to perform all
operations directly, violating its intended design as a pure orchestrator.

Configuration file example (.claude/agents/jarvis.md):
---
name: jarvis
description: Routes user requests to appropriate specialized agents
tools: Task # Should restrict to ONLY Task tool
model: opus
---

# Agent instructions stating it should only route, never do work directly

Observed behavior: Despite tools: Task configuration, the agent can execute Bash commands, read files, and perform all operations that should be restricted.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗