Claude Agent SDK Permissions: An AI Agent With Shell Access Is a Loaded Gun. Permissions Are the Safety.
Last Updated on June 18, 2026 by Editorial Team
Author(s): Rick Hightower
Originally published on Towards AI.
Most developers grant their Claude agent every tool with a cheerful one-line list and move on. Here are the four controls that actually decide what it can do, and the order they fire in.
You granted your agent shell access with a one-line list and hoped for the best. The first time it runs against something real, hope is an incident report waiting to happen. An AI agent with shell access is dangerous by default, and the safety is not one switch but a four-layer pipeline. Once you know the order the layers fire in, every surprising agent decision becomes explainable and every dangerous one becomes preventable.

After the introduction, the article explains that Claude Agent SDK permissions work as an ordered evaluation pipeline rather than a single on/off setting: hooks run first, deny rules block tool calls absolutely, permission mode sets the default posture for anything not yet decided, allow rules can pre-approve matches, and finally the canUseTool callback (or dontAsk mode) either enables a human-backed verdict or denies leftover requests. It covers how deny rules override everything, why allow lists alone can’t guarantee safety (especially when bypassPermissions is enabled), and how to use disallowed_tools for “never” constraints. The post also details the major permission modes (default, acceptEdits, dontAsk, bypassPermissions, plan, plus TypeScript’s auto pattern), highlights a subagent inheritance trap where bypassPermissions can silently propagate, and shows how canUseTool enables interactive approval with the ability to deny with an explanatory message or allow while modifying the requested input (e.g., redirecting file paths into a sandbox). Finally, it warns about the sandbox escape hatch via allowUnsandboxedCommands, recommends concrete hardening habits (audit bypass usage, scope shell rules, use reasons in deny messages, and check delegated subagents), and concludes that agent safety is achieved by understanding layer order and explicitly defining what “no” means before the agent ever asks.
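The layer order summarized above, as a small Python model added here for illustration; it is not the SDK's implementation or code from the article. The `Policy` class, `decide`, `sandbox_approver`, the tool names, the `file_path` key and the `/sandbox` root are assumptions, hooks are modelled as deny-or-pass only, and plan mode is not modelled.

```python
# Simplified model of the layer order described above; not the SDK's own code.
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Optional

EDIT_TOOLS = {"Edit", "Write"}  # assumption: what acceptEdits auto-approves

@dataclass
class Policy:
    mode: str = "default"  # default | acceptEdits | dontAsk | bypassPermissions
    allowed_tools: set = field(default_factory=set)
    disallowed_tools: set = field(default_factory=set)
    hooks: list = field(default_factory=list)  # each: (tool, args) -> "deny" or None
    can_use_tool: Optional[Callable] = None    # (tool, args) -> (verdict, payload)

def decide(p: Policy, tool: str, args: dict):
    """Return (verdict, deciding_layer, payload) for one tool call."""
    for hook in p.hooks:                       # 1. hooks run first
        if hook(tool, args) == "deny":
            return "deny", "hook", args
    if tool in p.disallowed_tools:             # 2. deny rules block absolutely
        return "deny", "deny_rule", args
    if p.mode == "bypassPermissions":          # 3. mode sets the default posture
        return "allow", "mode", args
    if p.mode == "acceptEdits" and tool in EDIT_TOOLS:
        return "allow", "mode", args
    if tool in p.allowed_tools:                # 4. allow rules pre-approve matches
        return "allow", "allow_rule", args
    if p.mode == "dontAsk":                    # 5. leftovers: denied without asking
        return "deny", "dontAsk", args
    if p.can_use_tool is None:                 # assumption: no approver means deny
        return "deny", "no_callback", args
    verdict, payload = p.can_use_tool(tool, args)
    return verdict, "can_use_tool", payload

def sandbox_approver(tool, args, root="/sandbox"):
    """Hypothetical callback: deny shell with a reason, redirect writes under root."""
    if tool == "Bash":
        return "deny", "shell commands are not approved for this task"
    if tool == "Write":
        # Normalize against "/" first so "../" segments cannot climb out of root.
        rel = posixpath.normpath("/" + args["file_path"]).lstrip("/")
        return "allow", {**args, "file_path": posixpath.join(root, rel)}
    return "allow", args
```

Running `decide` with `mode="bypassPermissions"` and an allow list that omits `Bash` shows the mode approving the call before the allow list is ever consulted; only an entry in `disallowed_tools` stops it.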
Note: Article content contains the views of the contributing authors and not Towards AI.