zhongwei/gh-glittercowboy-taches-cc-resources
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ccc65b3f07f345385b8c6407b4df11b139fe0b63
gh-glittercowboy-taches-cc-…/skills/create-slash-commands/references/tool-restrictions.md
Zhongwei Li ccc65b3f07 Initial commit
2025-11-29 18:28:37 +08:00

7.3 KiB
Raw Blame History

Tool Restrictions Reference

Official documentation on restricting tool access in slash commands.

Why Restrict Tools

Tool restrictions provide:

  • Security: Prevent accidental destructive operations
  • Focus: Limit scope for specialized commands
  • Safety: Ensure commands only perform intended operations

allowed-tools Field

Location: YAML frontmatter

Format: Array of tool names or patterns

Default: If omitted, all tools available

Basic Patterns

Array Format

---
description: My command
allowed-tools: [Read, Edit, Write]
---

Single Tool

---
description: Thinking command
allowed-tools: SequentialThinking
---

Bash Command Restrictions

Source: Official Claude Code documentation

Restrict bash commands to specific patterns using wildcards.

Git-Only Commands

---
description: Create a git commit
allowed-tools: Bash(git add:*), Bash(git status:*), Bash(git commit:*)
---

Allows:

  • git add <anything>
  • git status <anything>
  • git commit <anything>

Prevents:

  • rm -rf
  • curl <url>
  • Any non-git bash commands

NPM Script Restrictions

---
description: Run tests and lint
allowed-tools: Bash(npm test:*), Bash(npm run lint:*)
---

Allows:

  • npm test
  • npm test -- --watch
  • npm run lint
  • npm run lint:fix

Prevents:

  • npm install malicious-package
  • npm run deploy
  • Other npm commands

Multiple Bash Patterns

---
description: Development workflow
allowed-tools: Bash(git status:*), Bash(npm test:*), Bash(npm run build:*)
---

Combines multiple bash command patterns.

Common Tool Restriction Patterns

Pattern 1: Git Workflows

Use case: Commands that create commits, check status, etc.

---
description: Create a git commit
allowed-tools: Bash(git add:*), Bash(git status:*), Bash(git diff:*), Bash(git commit:*)
---

Current status: ! `git status`
Changes: ! `git diff HEAD`

Create a commit for these changes.

Security benefit: Cannot accidentally run destructive commands like rm -rf or curl malicious-site.com

Pattern 2: Read-Only Analysis

Use case: Commands that analyze code without modifying it

---
description: Analyze codebase for pattern
allowed-tools: [Read, Grep, Glob]
---

Search codebase for: $ARGUMENTS

Security benefit: Cannot write files or execute code

Pattern 3: Thinking-Only Commands

Use case: Deep analysis or planning without file operations

---
description: Analyze problem from first principles
allowed-tools: SequentialThinking
---

Analyze the current problem from first principles.

Focus benefit: Claude focuses purely on reasoning, no file operations

Pattern 4: Controlled File Operations

Use case: Commands that should only read/edit specific types

---
description: Update documentation
allowed-tools: [Read, Edit(*.md)]
---

Update documentation in @ $ARGUMENTS

Note: File pattern restrictions may not be supported in all versions.

Real Examples from Official Docs

Example 1: Git Commit Command

Source: Official Claude Code documentation

---
allowed-tools: Bash(git add:*), Bash(git status:*), Bash(git commit:*)
description: Create a git commit
---

## Context

- Current git status: ! `git status`
- Current git diff (staged and unstaged changes): ! `git diff HEAD`
- Current branch: ! `git branch --show-current`
- Recent commits: ! `git log --oneline -10`

## Your task

Based on the above changes, create a single git commit.

Allowed bash commands:

  • git add .
  • git add file.js
  • git status
  • git status --short
  • git commit -m "message"
  • git commit --amend

Blocked commands:

  • rm file.js
  • curl https://malicious.com
  • npm install
  • Any non-git commands

Example 2: Code Review (No Restrictions)

---
description: Review this code for security vulnerabilities
---

Review this code for security vulnerabilities:

No allowed-tools field = All tools available

Claude can:

  • Read files
  • Write files
  • Execute bash commands
  • Use any tool

Use when: Command needs full flexibility

When to Restrict Tools

Restrict when:

  1. Security-sensitive operations

    # Git operations only
allowed-tools: Bash(git add:*), Bash(git status:*)

  2. Focused tasks

    # Deep thinking only
allowed-tools: SequentialThinking

  3. Read-only analysis

    # No modifications
allowed-tools: [Read, Grep, Glob]

  4. Specific bash commands

    # Only npm scripts
allowed-tools: Bash(npm run test:*), Bash(npm run build:*)

Don't restrict when:

  1. Command needs flexibility

    • Complex workflows
    • Exploratory tasks
    • Multi-step operations

  2. Tool needs are unpredictable

    • General problem-solving
    • Debugging unknown issues

  3. Already in safe environment

    • Sandboxed execution
    • Non-production systems

Best Practices

1. Use Wildcards for Command Families

# Good - allows all git commands
allowed-tools: Bash(git *)

# Better - specific git operations
allowed-tools: Bash(git add:*), Bash(git status:*), Bash(git commit:*)

# Best - minimal necessary permissions
allowed-tools: Bash(git status:*), Bash(git diff:*)

2. Combine Tool Types Appropriately

# Analysis with optional git context
allowed-tools: [Read, Grep, Bash(git status:*)]

3. Test Restrictions

Create command and verify:

  • Allowed operations work
  • Blocked operations are prevented
  • Error messages are clear

4. Document Why

---
description: Create git commit (restricted to git commands only for security)
allowed-tools: Bash(git add:*), Bash(git status:*), Bash(git commit:*)
---

Tool Types

File Operations

  • Read - Read files
  • Write - Write new files
  • Edit - Modify existing files
  • Grep - Search file contents
  • Glob - Find files by pattern

Execution

  • Bash(pattern:*) - Execute bash commands matching pattern
  • SequentialThinking - Reasoning tool

Other

  • Task - Invoke subagents
  • WebSearch - Search the web
  • WebFetch - Fetch web pages

Security Patterns

Pattern: Prevent Data Exfiltration

---
description: Analyze code locally
allowed-tools: [Read, Grep, Glob, SequentialThinking]
# No Bash, WebFetch - cannot send data externally
---

Pattern: Prevent Destructive Operations

---
description: Review changes
allowed-tools: [Read, Bash(git diff:*), Bash(git log:*)]
# No Write, Edit, git reset, git push --force
---

Pattern: Controlled Deployment

---
description: Deploy to staging
allowed-tools: Bash(npm run deploy:staging), Bash(git push origin:staging)
# Cannot deploy to production accidentally
---

Limitations

  1. Wildcard patterns may vary by version
  2. File-specific restrictions (like Edit(*.md)) may not be supported
  3. Cannot blacklist - only whitelist
  4. All or nothing for tool types - can't partially restrict

Testing Tool Restrictions

Verify Restrictions Work

  1. Create command with restrictions
  2. Try to use restricted tool
  3. Confirm operation is blocked
  4. Check error message

Example test:

---
description: Test restrictions
allowed-tools: [Read]
---

Try to write a file - this should fail.

Expected: Write operations blocked with error message.

Reference in New Issue View Git Blame Copy Permalink