Custom slash commands bypass normal permission workflow for tool usage

Resolved 💬 2 comments Opened Aug 26, 2025 by diodiogod Closed Aug 26, 2025

Bug Report

Summary: Custom slash commands bypass Claude Code's normal permission system when executing tools like Bash, unlike regular tool usage which properly asks for user permission.

Expected Behavior:

  • All tool usage should follow the same permission model
  • Custom slash commands should ask for permission before executing tools
  • User should see the exact command and approve it before execution

Actual Behavior:

  • Custom slash commands execute tools (e.g., Bash with python3 scripts) directly without permission prompts
  • Regular tool usage correctly asks for permission
  • This creates inconsistent security behavior

Steps to Reproduce:

  1. Create a custom slash command that uses the Bash tool
  2. Have empty allowedTools arrays in .claude.json (no globally allowed tools)
  3. Execute the custom slash command
  4. Observe that it runs without permission prompt
  5. Compare with regular Bash tool usage which does ask for permission

Evidence:

  • Configuration shows "allowedTools": [] for all projects (no global permissions)
  • Custom slash commands execute immediately without permission workflow
  • Regular Bash tool usage follows proper permission model

Environment:

  • Claude Code CLI version: 1.0.92
  • Platform: Linux (WSL)

Security Impact:
This creates inconsistent security behavior where users might expect the same permission model across all Claude Code functionality. Custom slash commands should not have special permission bypass privileges.

Suggested Fix:
Custom slash commands should follow the same permission workflow as regular tool usage - show the command to be executed and wait for user approval before proceeding.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗