Gating Claude Code skills and Auto mode
Published 2026-05-27 by Owner
Claude Code 2.1.152 ships three new skill primitives — disallowed-tools in frontmatter, the /reload-skills command, and a MessageDisplay hook event — alongside a policy change that removes the opt-in for Auto mode. The skill primitives let a skill remove tools and gate displayed text. The policy change makes Auto mode default-on. The combination requires you to do at the skill layer what the session layer used to do for you. This guide walks through the configuration.
Per-skill disallowed-tools in frontmatter
The changelog wording: skills and slash commands can set disallowed-tools in frontmatter to remove tools from the model while the skill is active. The minimal shape — confirm the exact list syntax against your installed Claude Code docs before relying on this for production:
---
name: my-skill
description: A skill that should not be able to delete files.
disallowed-tools:
- Bash
- Write
---
When the skill is active, the listed tools are unavailable to the model. When the skill ends, the tools come back.
Reload skills without a session restart
/reload-skills rescans your skill directory in-session. You no longer need to restart Claude Code to pick up a new skill file:
/reload-skills
A SessionStart hook can trigger the same rescan and label the session at startup. The hook output shape from the changelog:
{
  "reloadSkills": true,
  "hookSpecificOutput": {
    "sessionTitle": "code-review"
  }
}
The hook is invoked once per session on start or resume.
Hide model output at display time
The MessageDisplay hook event runs as assistant messages are rendered. Hooks can transform the text or suppress it entirely — the surface for compliance redaction, secret-scrubbing, or any other “what the user sees” gate. Register the event in the same hooks configuration file your other Claude Code hooks live in; the event name is MessageDisplay. Consult the Claude Code hook documentation for the exact registration block — the bullet in the 2.1.152 changelog names the event but not the registration shape, and inventing a shape risks shipping a wrong instruction.
Turn Auto mode off, since on is now the default
The 2.1.152 changelog notes Auto mode no longer requires opt-in consent. The previous behavior was opt-in; the new behavior is default-on. If your security posture wants Auto mode off, opting out is now the explicit action. The opt-out configuration key is documented on the Claude Code configuration page; check the live docs for the field name and accepted values at write time rather than copying a key from a guide.
Log when a fallback model takes over
Per the changelog: when the primary model is not found, Claude Code now switches to your configured --fallback-model for the rest of the session instead of failing every request. The fallback is silent — the session does not warn you that the active model has changed. To stay aware of which model is actually running, configure a SessionStart hook that writes a timestamped log line:
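# Session log that the SessionStart hook appends to
LOG=~/.claude/sessions.log
# UTC timestamp with no trailing newline, so the model name can follow on the same line
printf '%s ' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$LOG"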
Then read the active model from the hook input JSON Claude Code passes the hook on stdin, and append it to the same log line. The exact field name in the hook input is in the Claude Code hook input schema; consult that page for the current name rather than inferring it from another tool’s hook contract.
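As an added example (not code from the changelog or from Claude Code), here are the two steps above combined into a single Python hook command that writes one complete line per session and flags a model that differs from the one you expect. The key names `model` and `session_id` and the `EXPECTED_MODEL` environment variable are placeholder assumptions; take the real field names from the hook input schema.

```python
#!/usr/bin/env python3
"""SessionStart hook sketch: one log line per session naming the active model."""
import json
import os
import sys
from datetime import datetime, timezone

# ASSUMPTIONS (not from the changelog): both key names are placeholders.
# Replace them with the names in the Claude Code hook input schema.
MODEL_FIELD = "model"
SESSION_FIELD = "session_id"
LOG_PATH = os.path.expanduser("~/.claude/sessions.log")


def clean(value):
    """Render a value as one token so hook input cannot forge extra log lines."""
    text = value if isinstance(value, str) else json.dumps(value)
    return "".join(c if c.isprintable() and c != " " else "_" for c in text) or "unknown"


def build_line(raw_stdin, expected_model=None, now=None):
    """Return one log line: timestamp, session, model, and a fallback flag."""
    now = now or datetime.now(timezone.utc)
    try:
        data = json.loads(raw_stdin)
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    model = clean(data.get(MODEL_FIELD, "unknown"))
    session = clean(data.get(SESSION_FIELD, "unknown"))
    # fallback=yes only when a model was reported and it differs from the expected one
    if expected_model is None or model == "unknown":
        status = "n/a"
    else:
        status = "no" if model == expected_model else "yes"
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} session={session} model={model} fallback={status}"


def main():
    # EXPECTED_MODEL is a hypothetical environment variable naming the primary model
    line = build_line(sys.stdin.read(), os.environ.get("EXPECTED_MODEL"))
    os.makedirs(os.path.dirname(LOG_PATH), exist_ok=True)
    with open(LOG_PATH, "a", encoding="utf-8") as log:
        log.write(line + "\n")


if __name__ == "__main__":
    main()
```

Searching the log for `fallback=yes` then lists the sessions that started on a model other than the expected one.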
When not to use disallowed-tools
Subtraction inside a skill is convenient. It is also a silent failure path when the model expects a tool you removed. Pair disallowed-tools with a small logging hook on the tool-call path: log every call the model attempts so a blocked call leaves a trace you can correlate with skill activations. A skill that blocks tools without logging the blocks is a skill whose silent failures look indistinguishable from model mistakes. Log the blocks so you can tell the two apart.
The broader security framing for AI-assisted development is in AI coding security modes; the adjacent attack-surface audit is auditing MCP config for leaked secrets; the argument for why these defaults matter is the opt-in that quietly disappeared; the release that introduced these primitives is Claude Code’s /simplify returns as a /code-review --fix alias.