Skills
Sandbox skills and subagents with the `disallowed-tools` denylist — not `allowed-tools`, which isn't enforced
Claude Code's `disallowed-tools` frontmatter key removes specific tools from the model's pool while a skill/subagent is active and clears on your next message, giving a 'deny by exception' model (e.g., a code-reviewer that keeps Read and diagnostics but loses Write and Bash). Critically, multiple open issues show `allowed-tools` in SKILL.md is parsed but NOT enforced in the CLI and is ignored by the Agent SDK — so an allowlist gives false confidence. Use `disallowed-tools` for least-privilege, and for SDK deployments enforce tool access in config rather than trusting frontmatter.
Source
↳ Follow the thread