Analyzed: March 31, 2026 leak snapshot
Shell tools are the highest-risk capability in the public build. Their behavior is constrained by permission mode, rule matching, dangerous-pattern classification, and optional sandbox adapters.

Shell tools in this snapshot

The registry exposes:
  • BashTool on all platforms
  • PowerShellTool when isPowerShellToolEnabled() returns true
  • REPLTool as an abstraction layer in REPL mode
Relevant code lives in:
  • src/tools/BashTool/
  • src/tools/PowerShellTool/
  • src/utils/permissions/
  • src/utils/sandbox/sandbox-adapter.ts

Approval pipeline

Shell requests flow through the shared permission engine and then tool-specific safety logic. The permission stack considers:
  • current permission mode
  • allow, deny, and ask rules
  • command-prefix matching
  • hook results
  • classifier decisions
  • sandbox overrides
  • working-directory restrictions
The central implementation is src/utils/permissions/permissions.ts.

Dangerous rule detection

src/utils/permissions/permissionSetup.ts contains explicit detection for dangerous shell approvals. For Bash, dangerous allow rules include:
  • blanket Bash(*)
  • interpreter prefixes such as python:*
  • wildcard patterns that allow arbitrary code execution
For PowerShell, the code adds PowerShell-specific high-risk patterns such as:
  • Invoke-Expression
  • Invoke-Command
  • nested pwsh or powershell
  • Start-Process
  • event and session registration cmdlets
  • .NET escape hatches like Add-Type
These rules matter most in auto mode because broad pre-approval would bypass classifier review.

Sandbox model

Claude Code can route shell execution through a sandbox adapter rather than always using the host shell directly. The sandbox abstraction sits in src/utils/sandbox/sandbox-adapter.ts, while tool-specific behavior lives under the Bash and PowerShell tool directories. The codebase also tracks whether a command is being run outside the sandbox as part of approval reasoning.

Output and streaming

Shell execution is stream-aware. The transcript system treats high-frequency shell progress as ephemeral UI state rather than durable conversation content. src/utils/sessionStorage.ts explicitly marks these as ephemeral:
  • bash_progress
  • powershell_progress
This avoids polluting resumed transcripts with every shell-output update.

REPL mode

When REPL mode is enabled, the registry can hide the raw primitive tools and expose REPLTool instead. That changes the model-visible tool surface without removing the underlying capability. This is a prompt-shaping and execution-shaping decision, not a separate shell subsystem.

PowerShell parity

PowerShell is not implemented as a thin alias of Bash. It has:
  • its own tool module
  • its own permission helpers and UI components
  • PowerShell-specific dangerous-pattern checks
That matters on Windows because the approval model understands PowerShell syntax rather than pretending every command is POSIX-like.