Block Specific Tools with --disallowedTools
You already know about --allowedTools for whitelisting tools without permission prompts. But --disallowedTools does the opposite: it completely removes tools from Claude's context so they can't be used at all.
claude --disallowedTools "Write" "Edit" -p "Analyse this codebase and suggest improvements"
This is not just a permission thing. Disallowed tools are stripped from the model entirely, so Claude won't even attempt to use them. It's the difference between "ask before writing files" and "file writing doesn't exist."
This is useful in several scenarios:
# Read-only analysis: prevent any file modifications
claude --disallowedTools "Write" "Edit" "Bash(rm *)" "Bash(mv *)"
# Code review without the temptation to fix things
claude --disallowedTools "Write" "Edit" \
-p "Review this PR for issues but don't modify anything"
# Block web access for offline-only work
claude --disallowedTools "WebFetch" "WebSearch"
The flag supports the same pattern matching syntax as --allowedTools, so you can use wildcards to block categories of Bash commands:
# Block all git push commands
claude --disallowedTools "Bash(git push *)"
Where --allowedTools says "these tools don't need permission," --disallowedTools says "these tools don't exist." Choose accordingly.
Sometimes the best tool for the job is removing the wrong tool from the toolbox.
Log in to leave a comment.
The autoUpdatesChannel setting pins Claude Code to a stable release track that skips versions with major regressions.
The language setting makes Claude respond in your preferred language by default, across every session and project.
The attribution setting lets you customize or completely remove Claude's Co-Authored-By trailer from git commits and pull requests.