PowerShell tool: non-overridable "Remove-Item on system path" guard over-blocks legitimate commands (AST target mis-attribution)

Open 💬 0 comments Opened Jul 2, 2026 by randomnimbus

Summary

The PowerShell tool blocks legitimate commands with:

Remove-Item on system path '<x>' is blocked. This path is protected from removal.

...when the command contains a Remove-Item and an unrelated token that the
static analyzer mis-attributes as the delete target. The extraction appears to pull
a token from elsewhere in the command line rather than from Remove-Item's own
arguments.

Confirmed mis-attributed shapes

  1. A later -replace '\s','' operand → target parsed as ''\s',''
  2. A co-occurring REST-URL path segment → target parsed as '/promote'
  3. A Join-Path-derived variable pointing at a dangling junction → target parsed as '/'

In each case the actual Remove-Item target is a legitimate, non-system path; the
blocked token comes from an unrelated part of the command.

Impact

The deny is classifierApprovable: false, so it is non-overridable — no
permissions.allow rule and no CLAUDE_CODE_DISABLE_* environment variable bypasses
it. This blocks otherwise-valid diagnostic and file-management commands.

Requested fix

  • Scope the Remove-Item target extraction to that command element's own arguments

(terminate at ; / |), so tokens from later commands or unrelated operands are
not captured; and/or

  • Make the guard classifierApprovable so a reviewed command can proceed.

Workaround

Delete via .NET ([System.IO.File]::Delete / [System.IO.Directory]::Delete) or the
Bash rm tool — the guard keys on the literal cmdlet name remove-item.

Environment

  • Claude Code 2.1.198
  • Windows, PowerShell tool

View original on GitHub ↗