
Claude Agent SDK Permissions: An AI Agent With Shell Access Is a Loaded Gun. Permissions Are the Safety.

Last Updated on June 18, 2026 by Editorial Team

Author(s): Rick Hightower

Originally published on Towards AI.

Most developers grant their Claude agent every tool with a cheerful one-line list and move on. Here are the four controls that actually decide what it can do, and the order they fire in.

You granted your agent shell access with a one-line list and hoped for the best. The first time it runs against something real, hope is an incident report waiting to happen. An AI agent with shell access is dangerous by default, and the safety is not one switch but a four-layer pipeline. Once you know the order the layers fire in, every surprising agent decision becomes explainable and every dangerous one becomes preventable.


After the introduction, the article explains that Claude Agent SDK permissions work as an ordered evaluation pipeline rather than a single on/off setting: hooks run first, deny rules block tool calls absolutely, permission mode sets the default posture for anything not yet decided, allow rules can pre-approve matches, and finally the canUseTool callback (or dontAsk mode) either enables a human-backed verdict or denies leftover requests. It covers how deny rules override everything, why allow lists alone can’t guarantee safety (especially when bypassPermissions is enabled), and how to use disallowed_tools for “never” constraints. The post also details the major permission modes (default, acceptEdits, dontAsk, bypassPermissions, plan, plus TypeScript’s auto pattern), highlights a subagent inheritance trap where bypassPermissions can silently propagate, and shows how canUseTool enables interactive approval with the ability to deny with an explanatory message or allow while modifying the requested input (e.g., redirecting file paths into a sandbox). Finally, it warns about the sandbox escape hatch via allowUnsandboxedCommands, recommends concrete hardening habits (audit bypass usage, scope shell rules, use reasons in deny messages, and check delegated subagents), and concludes that agent safety is achieved by understanding layer order and explicitly defining what “no” means before the agent ever asks.
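The layer order summarized above, written out as a small runnable model; this is an added example, not code from the article or from the Claude Agent SDK. The "Tool:glob" rule strings, the function names, the sandbox path, and the choice to let the hook only block or pass are assumptions of this sketch, and only the `default`, `dontAsk` and `bypassPermissions` modes are modelled.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple
import posixpath

class Decision(NamedTuple):
    verdict: str       # "allow" or "deny"
    layer: str         # which layer produced the verdict
    arg: str           # input the tool would actually receive
    message: str = ""  # reason returned with a callback denial

def matches(rules, tool, arg):
    # Rules are constructed "Tool:glob" strings for this model, not SDK rule syntax.
    return any(name == tool and fnmatchcase(arg, glob)
               for name, _, glob in (r.partition(":") for r in rules))

def evaluate(tool, arg, *, deny=(), allow=(), mode="default", hook=None, can_use_tool=None):
    if hook and hook(tool, arg) == "deny":         # 1. hooks run first
        return Decision("deny", "hook", arg)
    if matches(deny, tool, arg):                   # 2. deny rules win, whatever the mode
        return Decision("deny", "deny_rule", arg)
    if mode == "bypassPermissions":                # 3. mode decides anything still open
        return Decision("allow", "mode", arg)
    if matches(allow, tool, arg):                  # 4. allow rules pre-approve matches
        return Decision("allow", "allow_rule", arg)
    if mode == "dontAsk" or can_use_tool is None:  # 5a. nobody to ask: leftovers are denied
        return Decision("deny", "leftover", arg)
    verdict, value = can_use_tool(tool, arg)       # 5b. callback gives the final verdict
    if verdict == "allow":
        return Decision("allow", "can_use_tool", value)
    return Decision("deny", "can_use_tool", arg, value)

SANDBOX = "/tmp/agent-sandbox"  # constructed path for the example

def approve(tool, arg):
    """Hypothetical callback: redirect writes into the sandbox, refuse the rest with a reason."""
    if tool == "Write":
        return "allow", posixpath.join(SANDBOX, posixpath.basename(arg))
    return "deny", f"{tool} is not pre-approved; ask an operator to run: {arg}"

if __name__ == "__main__":
    rules = dict(deny=["Bash:rm *"], allow=["Bash:ls *"])
    for mode in ("default", "dontAsk", "bypassPermissions"):
        for tool, arg in [("Bash", "rm -rf build"), ("Bash", "git push"), ("Write", "/etc/app.conf")]:
            print(mode, tool, arg, "->", evaluate(tool, arg, mode=mode, can_use_tool=approve, **rules))
```

Running it shows the two audit points from the summary: the deny rule holds in every mode, while under `bypassPermissions` the allow list stops constraining anything.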


