[DOCS] REPL and Workflow sandbox protections are undocumented

Resolved 💬 3 comments Opened May 21, 2026 by coygeek Closed May 23, 2026

Documentation Type

Missing documentation (feature not documented)

Documentation Location

https://code.claude.com/docs/en/tools-reference

Section/Topic

Built-in tools list and sandbox/security coverage for the Workflow tool and REPL execution path

Current Documentation

The tools reference currently says:

Claude Code has access to a set of built-in tools that help it understand and modify your codebase. The tool names are the exact strings you use in permission rules, subagent tool lists, and hook matchers. To add custom tools, connect an MCP server. To extend Claude with reusable prompt-based workflows, write a skill, which runs through the existing Skill tool rather than adding a new tool entry.

The built-in tools table then lists entries such as Agent, AskUserQuestion, Bash, Edit, Monitor, Skill, WebFetch, and Write, but it does not include a Workflow entry.

The sandboxing page currently says:

The sandbox isolates Bash subprocesses. Other tools operate under different boundaries: Built-in file tools: Read, Edit, and Write use the permission system directly rather than running through the sandbox. Computer use: when Claude opens apps and controls your screen, it runs on your actual desktop rather than in an isolated environment.

The security page currently says:

* Sandboxed bash tool: Sandbox bash commands with filesystem and network isolation, reducing permission prompts while maintaining security. Enable with /sandbox to define boundaries where Claude Code can work autonomously

What's Wrong or Missing?

Changelog v2.1.147 says:

Added the Workflow tool for deterministic multi-agent orchestration. It is off by default — set CLAUDE_CODE_WORKFLOWS=1 to enable Hardened REPL and Workflow tool sandboxes against prototype-pollution and thenable-based escapes

The documentation does not explain this security-relevant feature area anywhere outside the changelog.

A. The Workflow tool is missing from the built-in tools reference

Users cannot discover from the docs that the tool exists, that it is off by default, or that CLAUDE_CODE_WORKFLOWS=1 enables it.

B. The docs do not describe the REPL or Workflow sandbox boundaries

The sandboxing and security pages explain the Bash sandbox, but they do not explain that REPL and Workflow execution also have sandboxes, what those sandboxes protect, or how they relate to the existing Bash sandbox and permission system.

That leaves the v2.1.147 hardening note without enough surrounding documentation for users or security reviewers to understand what changed.

Suggested Improvement

Add a Workflow entry to the tools reference and a short sandbox/security subsection that covers:

  1. How to enable the tool (CLAUDE_CODE_WORKFLOWS=1)
  2. Whether it is experimental or off by default
  3. What the REPL and Workflow sandboxes protect at a high level
  4. How those sandboxes relate to the documented Bash sandbox and normal permission rules
  5. A brief v2.1.147 note that these sandboxes were hardened against prototype-pollution and thenable-based escape paths, without needing exploit details

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Line(s) | Context |
|------|---------|---------|
| https://code.claude.com/docs/en/tools-reference | 9-54 | Built-in tools overview and table omit Workflow entirely |
| https://code.claude.com/docs/en/sandboxing | 341-346 | “What sandboxing does not cover” documents Bash/file/computer-use boundaries only |
| https://code.claude.com/docs/en/security | 23-30 | Built-in protections mention only the sandboxed Bash tool |
| https://code.claude.com/docs/en/changelog | 13-18 | v2.1.147 adds Workflow and notes hardened REPL/Workflow sandboxes |

Total scope: 4 pages affected

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗