[BUG] Bash command containing `python3` execute without permission prompt when no allow rules are configured and sandboxed
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
In sandboxed mode with no permission rules configured (no allow/ask/deny rules in any settings file), python3 myscript.py (which modifies/writes files to disk) executes without prompting the user for approval. The /permissions UI confirms no matching allow rule exists.
Settings state at time of occurrence:
- ~/.claude/settings.json: sandbox enabled, no permission rules
- .claude/settings.json: does not exist
- .claude/settings.local.json: does not exist
Secondary issue is No visibility into permission decisions.
There is no way for me to determine why a specific command was auto-allowed. The /permissions UI shows no matching rule, and the debug log simply omits the permission check rather than logging a reason for skipping it. Claude Code can neither reason about this nor help out in debugging its own permission model properly.
What Should Happen?
With no allow rules configured, any Bash command that is not read-only should prompt the user for approval before executing. The user should see an approval dialog and be able to accept or deny the command.
Additional investigation with Claude themself
Debug logging was enabled mid-session via /debug. The log shows that the permission system is consulted for make commands but completely skipped for python3 commands.
make verify — permission system consulted, user prompted:
13:17:35.616Z [DEBUG] Hook output does not start with {, treating as plain text
13:17:35.618Z [DEBUG] Permission suggestions for Bash: [
{
"toolName": "Bash",
"ruleContent": "make verify *",
"behavior": "allow",
"destination": "localSettings"
}
]
13:17:35.618Z [DEBUG] executePermissionRequestHooks called for tool: Bash
13:17:39.982Z [DEBUG] Aborting: tool=Bash isAbort=undefined hasFeedback=false isSubagent=false
python3 myscript.py — permission system skipped entirely, no prompt:
13:07:30.817Z [DEBUG] Hook output does not start with {, treating as plain text
13:07:30.821Z [DEBUG] Spawning shell without login (-l flag skipped)
13:07:31.064Z [DEBUG] Bash tool error (246ms): Shell command failed
No Permission suggestions for Bash and no executePermissionRequestHooks entry — the command goes straight from hook to shell spawn with no permission check.
Both commands were run in the same session with auto mode off (hasAutoModeOptIn=false), sandbox enabled, and no allow rules configured for either command.
Error Messages/Logs
Steps to Reproduce
- Ensure no permission rules exist in any settings file (~/.claude/settings.json, .claude/settings.json, .claude/settings.local.json)
- Ensure sandbox mode is enabled
- Start a Claude Code session
- Ask Claude to run a Python script that writes files to disk (e.g. python3 myscript.py which writes to disk)
- Observe that the command runs without any permission prompt
- Run /permissions to confirm no allow rule matches the command
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.161 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
> cat settings.json
{
"sandbox": {
"enabled": true
},
"voiceEnabled": false
}
No autoAllowBashIfSandboxed and it did prompt for when running Bash(make ...) but consistently just runs Bash(python3 ) commands without asking
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗