Allowlisting some Bash commands is often the same as allowlisting all

Say yes to one “safe” command, and you’ve said yes to everything, warn devs

TLDR: Formal warns that pre-approving a few “safe” commands for an AI coding tool can still let it run anything via tests, scripts, and Docker. Commenters clap back that this is obvious, citing PATH tricks and admin risks, while others push to run the bot in disposable containers.

A new post from Formal claims that “allowlisting” a few harmless-sounding terminal commands for an AI code helper like Claude Code can quietly open the floodgates, letting it run pretty much anything. The examples are wild: tests that run system commands, code generators that do whatever they want, linters that can sneak in scripts, even Docker builds that end up with root on the host. But the comments stole the show. One dev cracked the classic “Pray, Mr Babbage” joke to say the quiet part out loud: tests aren’t special, test code is just code. Others went full security cynic, arguing that pre-approving any command is basically an invitation to mischief. One warned that if the tool can change where your computer looks for programs (the PATH), it will: “I’ll just swap in my own version.” Another waved the big red flag: letting anything run with admin rights (aka sudo) is not safety, it’s roulette.

Meanwhile, the optimists demanded a seatbelt: “Everything is a container these days—why aren’t we running the AI in a disposable sandbox we can roll back?” The thread turned into a meme factory too, with a snarky “...with Claude Code” punchline sprinkled everywhere. Verdict from the crowd: cool demo, scary implications, now please put it in a box and lock it.

Key Points

  • Formal warns that allowlisting common development commands or file edits for Claude Code can effectively permit arbitrary command execution.
  • Allowlisting go test lets test code run arbitrary commands (e.g., via Go’s os/exec package), since tests are ordinary code that the tool compiles and runs; the command-level restriction is defeated.
  • go generate and go build (-toolexec) provide avenues for executing arbitrary code if agents can edit the relevant files or specify build options.
  • JavaScript/TypeScript tooling and build files (eslint configs, pnpm scripts, Makefiles) can be edited to run commands, making allowlisted lints or scripts unsafe.
  • File watchers (Next.js dev with Turbopack, jest with watchman) and Docker commands (which talk to a daemon that usually runs as root) can trigger or facilitate arbitrary actions, up to root-level actions on the host.
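The PATH trick from the comments, as an added example that is not part of the Formal post or of Claude Code. The allowlist below approves a command by its first word only, the way a rule like “always allow git” does, and leaves resolution of that word to PATH. An agent that can write files and set environment variables drops its own git into a directory it controls and prepends that directory to PATH; the allowlisted command name now runs attacker-controlled code. All function and file names here are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Formal post): a naive first-word allowlist and the
# PATH shim that defeats it. Names are hypothetical.

ALLOWLIST="go git ls"

# is_allowlisted CMD ... : approve if the first word is in ALLOWLIST. This is all
# an "allow `git status`" rule checks; it says nothing about what `git` resolves to.
is_allowlisted() {
    for allowed in $ALLOWLIST; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# run_allowlisted CMD ... : run the command only if its first word is allowlisted.
# The executable is looked up through PATH, which the agent can also change.
run_allowlisted() {
    is_allowlisted "$1" || { echo "denied: $1"; return 1; }
    "$@"
}

# plant_shim DIR : simulate the agent. It writes a fake `git` into DIR and puts DIR
# first on PATH. The shim body can do anything; the allowlist already said yes to "git".
plant_shim() {
    cat > "$1/git" <<'EOF'
#!/bin/sh
echo "shim: git replaced, args: $*"
EOF
    chmod +x "$1/git"
    PATH="$1:$PATH"
    export PATH
}

# demo : plant the shim, run an "allowlisted" git status, clean up, and return
# what actually executed.
demo() {
    shimdir=$(mktemp -d)
    plant_shim "$shimdir"
    out=$(run_allowlisted git status)
    rm -rf "$shimdir"
    printf '%s\n' "$out"
}
```

Pinning PATH or resolving the allowlisted word to an absolute path before running it closes this particular hole, but it does nothing for the post’s main cases: go test, eslint, pnpm scripts and Docker builds run exactly the binary you expect, and that binary then executes code the agent wrote.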

Hottest takes

"I will modify PATH and run my own implementation of it." — sadnboxx
"Test code is just code." — pimlottc
"everything is a container these days" — eqvinox
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.