Custom slash commands bypass normal permission workflow for tool usage
Resolved 💬 2 comments Opened Aug 26, 2025 by diodiogod Closed Aug 26, 2025
Bug Report
Summary: Custom slash commands bypass Claude Code's normal permission system when executing tools like Bash, unlike regular tool usage which properly asks for user permission.
Expected Behavior:
- All tool usage should follow the same permission model
- Custom slash commands should ask for permission before executing tools
- User should see the exact command and approve it before execution
Actual Behavior:
- Custom slash commands execute tools (e.g., Bash with python3 scripts) directly without permission prompts
- Regular tool usage correctly asks for permission
- This creates inconsistent security behavior
Steps to Reproduce:
- Create a custom slash command that uses the Bash tool
- Have empty
allowedToolsarrays in .claude.json (no globally allowed tools) - Execute the custom slash command
- Observe that it runs without permission prompt
- Compare with regular Bash tool usage which does ask for permission
Evidence:
- Configuration shows
"allowedTools": []for all projects (no global permissions) - Custom slash commands execute immediately without permission workflow
- Regular Bash tool usage follows proper permission model
Environment:
- Claude Code CLI version: 1.0.92
- Platform: Linux (WSL)
Security Impact:
This creates inconsistent security behavior where users might expect the same permission model across all Claude Code functionality. Custom slash commands should not have special permission bypass privileges.
Suggested Fix:
Custom slash commands should follow the same permission workflow as regular tool usage - show the command to be executed and wait for user approval before proceeding.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗