Skip to content

[BUG] Need better way to restrict subagent tool use #4801

@ukarlsson

Description

@ukarlsson

Environment

  • Platform (select one):
    • Anthropic API
    • AWS Bedrock
    • Google Vertex AI
    • Other:
  • Claude CLI version: 1.0.63 (Claude Code)
  • Operating System: Mac OS
  • Terminal: iterm2

Bug Description

Trying to use subagents as verification engineers that run tests, or just a compile+analyze issue subagent that should run compiler and then read the file to understand the issue.

The subagent needs to run the compiler, but it seems totally impossible to stop it from using other tools. When it does not have write, it will try to use sed/cat to fix compile issues itself.

Steps to Reproduce

  1. Run subagent to compile with gradle with CLEAR instructions to not run any other commands
  2. It will start trying to fix the compile issue itself

Expected Behavior

I need to be able to RESTRICT the tool use to say Bash(gradlew:*) to only run gradle commands. The current way of giving unrestricted access to Bash for running the compiler does not work since it go on and do its own things totally ignoring instructions. We need hard limits by tool permissions.

Actual Behavior

It runs whatever commands it wants.

Additional Context

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:securityarea:toolsautocloseIssue will be closed automaticallybugSomething isn't workinghas reproHas detailed reproduction stepsplatform:macosIssue specifically occurs on macOS

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions