YAML allowed-tools
Parses without error; does not restrict. Use agent definitions.
The allowed-tools field in skill frontmatter does not enforce tool restrictions at runtime; use agent tools: definitions instead.
How It Works
Skill definitions accept an allowed-tools field in YAML frontmatter, supporting both list and comma-delimited formats:
allowed-tools:
- Read
- Grep
- Bash
or
allowed-tools: Read,Grep,Bash
The field parses without error. However, tests revealed it does not restrict which tools a skill can invoke.
What the Test Found
Three test attempts ran in January 2026. Tests 1 and 2 declared allowed-tools in skill frontmatter using both list and comma formats; Bash remained callable despite no restriction declared. Both returned INCONCLUSIVE—the lists parsed, but tool access was not constrained.
Test 3 applied a different mechanism: defining a custom agent with an explicit tools: field. That agent successfully blocked Bash. The result: PASS.
Why It Matters
Tool restrictions are a sandboxing primitive. If you need to limit a skill's access, do not rely on allowed-tools in the skill frontmatter. Instead, assign the skill to a custom agent and define the tools: list in the agent definition. The agent boundary enforces; the skill field does not (or requires additional undocumented configuration).
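An added example, not part of the original test suite: a small Python check that reads a skill's and an agent's frontmatter, accepts both allowed-tools formats shown above, and reports whether the restriction sits on the agent definition, where the test found it enforced. The sample definitions, their name: fields and the function names are constructed for illustration.

```python
import re

def frontmatter_tools(text, key):
    """Tool names declared under `key` in a leading '---' frontmatter block, else None."""
    block = re.match(r"---[ \t]*\n(.*?)\n---[ \t]*(?:\n|$)", text, re.S)
    if not block:
        return None
    lines = block.group(1).splitlines()
    for i, line in enumerate(lines):
        hit = re.match(rf"{re.escape(key)}[ \t]*:(.*)$", line)
        if not hit:
            continue
        inline = hit.group(1).strip()
        if inline:  # comma-delimited form, e.g. "Read,Grep,Bash"
            return [t.strip() for t in inline.split(",") if t.strip()]
        tools = []  # list form: the "- Item" lines that follow the key
        for item in lines[i + 1:]:
            entry = re.match(r"[ \t]*-[ \t]+(\S.*)$", item)
            if not entry:
                break
            tools.append(entry.group(1).strip())
        return tools
    return None

def audit(skill_text, agent_text=None, denied="Bash"):
    """Findings for a skill that must not reach `denied`; empty when the agent restricts it."""
    agent_tools = frontmatter_tools(agent_text, "tools") if agent_text else None
    if agent_tools and denied not in agent_tools:
        return []  # the restriction sits on the agent definition
    findings = []
    if not agent_tools:
        findings.append(f"agent: no tools: list, so nothing blocks {denied}")
    else:
        findings.append(f"agent: tools: list grants {denied}")
    skill_tools = frontmatter_tools(skill_text, "allowed-tools")
    if skill_tools is not None and denied not in skill_tools:
        findings.append(f"skill: allowed-tools omits {denied}, but the field did not restrict tools")
    return findings

# Constructed sample definitions (not taken from the test repository).
SKILL_COMMA = "---\nname: log-review\nallowed-tools: Read,Grep\n---\nReview logs.\n"
SKILL_LIST = "---\nname: log-review\nallowed-tools:\n- Read\n- Grep\n---\nReview logs.\n"
AGENT_OK = "---\nname: log-reviewer\ntools: Read, Grep\n---\nRead-only reviewer.\n"
AGENT_BAD = "---\nname: log-reviewer\ntools: Read, Grep, Bash\n---\nReviewer.\n"

if __name__ == "__main__":
    for label, agent in (("no agent", None), ("agent ok", AGENT_OK), ("agent bad", AGENT_BAD)):
        print(label, audit(SKILL_COMMA, agent))
```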
Caveats
Status is INCONCLUSIVE. The allowed-tools field may serve an advisory purpose—affecting permission prompts rather than hard enforcement—or may require specific runtime conditions not tested. Further investigation is required to determine whether it modulates permission request scope or has no effect at all.
References
- Test date: 2026-01-07
- Source: /docs/experiments/claude-features/2.1.0/tests/08-yaml-allowed-tools/TEST-RESULTS.md
- commit d094de9
Signed with an ed25519 key held off the repo. Anyone can verify against the published public key; nobody without the secret key can forge it. The signature proves integrity and authorship of this exact content — not a third-party timestamp or that the underlying claim is objectively true. signedAt is when the @f3/attest pipeline ran, not when the work happened; the evidence refs carry the source dates.
- instance-of Sandbox / Capability Class
- introduces (in) Claude Code 2.1.0 (Night Zero) Release
- verifies (in) YAML allowed-tools — runtime test Test
- emerges-from (in) The real sandbox boundary is the agent definition, not the skill Finding