[DOCS] REPL and Workflow sandbox protections are undocumented
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/tools-reference
Section/Topic
Built-in tools list and sandbox/security coverage for the Workflow tool and REPL execution path
Current Documentation
The tools reference currently says:
Claude Code has access to a set of built-in tools that help it understand and modify your codebase. The tool names are the exact strings you use in permission rules, subagent tool lists, and hook matchers. To add custom tools, connect an MCP server. To extend Claude with reusable prompt-based workflows, write a skill, which runs through the existing Skill tool rather than adding a new tool entry.
The built-in tools table then lists entries such as Agent, AskUserQuestion, Bash, Edit, Monitor, Skill, WebFetch, and Write, but it does not include a Workflow entry.
The sandboxing page currently says:
The sandbox isolates Bash subprocesses. Other tools operate under different boundaries: Built-in file tools: Read, Edit, and Write use the permission system directly rather than running through the sandbox. Computer use: when Claude opens apps and controls your screen, it runs on your actual desktop rather than in an isolated environment.
The security page currently says:
* Sandboxed bash tool: Sandbox bash commands with filesystem and network isolation, reducing permission prompts while maintaining security. Enable with /sandbox to define boundaries where Claude Code can work autonomously
What's Wrong or Missing?
Changelog v2.1.147 says:
Added theWorkflowtool for deterministic multi-agent orchestration. It is off by default — setCLAUDE_CODE_WORKFLOWS=1to enable Hardened REPL and Workflow tool sandboxes against prototype-pollution and thenable-based escapes
The documentation does not explain this security-relevant feature area anywhere outside the changelog.
A. The Workflow tool is missing from the built-in tools reference
Users cannot discover from the docs that the tool exists, that it is off by default, or that CLAUDE_CODE_WORKFLOWS=1 enables it.
B. The docs do not describe the REPL or Workflow sandbox boundaries
The sandboxing and security pages explain the Bash sandbox, but they do not explain that REPL and Workflow execution also have sandboxes, what those sandboxes protect, or how they relate to the existing Bash sandbox and permission system.
That leaves the v2.1.147 hardening note without enough surrounding documentation for users or security reviewers to understand what changed.
Suggested Improvement
Add a Workflow entry to the tools reference and a short sandbox/security subsection that covers:
- How to enable the tool (
CLAUDE_CODE_WORKFLOWS=1) - Whether it is experimental or off by default
- What the REPL and
Workflowsandboxes protect at a high level - How those sandboxes relate to the documented Bash sandbox and normal permission rules
- A brief v2.1.147 note that these sandboxes were hardened against prototype-pollution and thenable-based escape paths, without needing exploit details
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Line(s) | Context |
|------|---------|---------|
| https://code.claude.com/docs/en/tools-reference | 9-54 | Built-in tools overview and table omit Workflow entirely |
| https://code.claude.com/docs/en/sandboxing | 341-346 | “What sandboxing does not cover” documents Bash/file/computer-use boundaries only |
| https://code.claude.com/docs/en/security | 23-30 | Built-in protections mention only the sandboxed Bash tool |
| https://code.claude.com/docs/en/changelog | 13-18 | v2.1.147 adds Workflow and notes hardened REPL/Workflow sandboxes |
Total scope: 4 pages affected
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗