Send a follow-up to an existing session. Reuse the same sessionId instead of starting a new claude_code session when you want to continue. Returns immediately; poll with claude_code_check. Use diskResumeConfig only when the in-memory session is missing and disk resume is enabled.
AI agents invoke claude_code_reply to trigger actions in Claude Code. What it does depends on the arguments the agent supplies, and its effects often reach beyond the immediate call — builds kicked off, notifications sent, workflows started.
This tool continues an existing Claude Code session that enables autonomous coding tasks. Claude Code can execute arbitrary code, run shell commands, modify files, and perform other high-impact operations.
From the tool's definition 'Send a follow-up to an existing session' in the context of 'autonomous coding tasks' via Claude Code, which can run code, shell commands, and file operations
Documented attack patterns abuse exactly the kind of access claude_code_reply gives an agent:
PolicyLayer is an MCP gateway — it sits between your AI agents and Claude Code, and nothing reaches the server without passing your rules. This is the rule we recommend for claude_code_reply:
{
"version": "1",
"default": "deny",
"tools": {
"claude_code_reply": {
"limits": [
{
"counter": "claude_code_reply_rate",
"window": "minute",
"max": 10,
"scope": "grant"
}
]
}
}
}claude_code_reply stays usable, but rate-capped — a runaway agent can't fire it dozens of times a minute. Everything else on the server is denied unless you say otherwise.
Free to start. No card required.
Send a follow-up to an existing session. Reuse the same sessionId instead of starting a new claude_code session when you want to continue. Returns immediately; poll with claude_code_check. Use diskResumeConfig only when the in-memory session is missing and disk resume is enabled. It is categorised as a Execute tool in the Claude Code MCP Server, which means it can trigger actions or run processes. Use rate limits and argument validation.
Register the Claude Code MCP server in PolicyLayer and add a rule for claude_code_reply: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Claude Code. Nothing to install.
claude_code_reply is a Execute tool with high risk. Execute tools should be rate-limited and have argument validation enabled.
Yes. Add a rate_limit block to the claude_code_reply rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for claude_code_reply. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
claude_code_reply is provided by the Claude Code MCP server (xihuai18/claude-code-mcp). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Start from Claude Code, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.
Free to start. No card required.
3 Claude Code tools catalogued and risk-classified — across an index of 43,000+ MCP servers.