First-token-only flaw in Claude Code permissions (triage bot too)

Name: First-token-only flaw in Claude Code permissions (triage bot too)
Availability: InStock
Author: Apylon777

by Apylon777·Mar 25, 2026·3 points·0 comments

Visit Project View on HN

AI Analysis

●●SolidDark HorseNiche Gem

Deny rules read first token only—git fetch && git clean -fd bypasses your safeguards.

Strengths

•Working fix with 34 passing tests in PR #36645
•Independent corroboration from Issue #31523 filed two weeks prior
•Clear reproduction with compound command examples

Weaknesses

•Triage bot dismissed as 'Informative'—adoption depends on Anthropic
•More security disclosure than reusable tool or library

Post Description

I filed GH issues, and PR fixed on claude-code. I submitted a report on Hackerone, but the triage bot has the SAME category error problem. I got dismissed as "informatiional" because your bot saw my 'rm -rf' example, and dismissed it as an OS problem.

But that is exactly wrong. Allow and deny lists allow DANGEROUS actions like "git cleanup"

Some human needs to read this HN post and my blog post. I've written a bash-guard fix that I use locally, but I CAN'T help everyone else until Anthropic takes my bug report seriously

https://github.com/anthropics/claude-code/issues/36637 https://github.com/anthropics/claude-code/pull/36645