Describe the feature or problem you'd like to solve
When launching sub-agents via the "task" tool, there's no way to restrict which tools the agent can access. I run a multi-model PR review skill that launches parallel general-purpose agents to review ADO PRs. These agents need ADO read tools to fetch diffs, but should never call write tools like repo_pull_request_thread_write. Despite strong prompt instructions (boxed warnings, banned tool lists, repeated reminders), agents occasionally post full review comments directly to PRs under my identity without authorization. This happened on 4 PRs before I caught it.
Proposed solution
Add optional blocked_tools and/or allowed_tools parameters to the task tool:
agent_type: general-purpose
mode: background
blocked_tools: ["repo_pull_request_thread_write", "repo_pull_request_write"]
The runtime would reject blocked tool calls before they reach the MCP server. Text-only instructions aren't reliable -- LLMs sometimes override them. The explore agent type removes all MCP tools, but that's too restrictive (loses read access too). There's no middle ground today.
Example prompts or workflows
No response
Additional context
No response