Skip to main content
Claude Code operates by invoking a set of built-in tools to read files, execute commands, search for content, and fetch information from the web. Understanding which tools are available—and how Claude decides to use them—helps you work more effectively and configure permissions appropriately.

Built-in tools

ToolNameCategoryDescription
ReadReadFileRead files from the filesystem, including text, images, PDFs, and notebooks
EditEditFilePerform exact string replacements in existing files
WriteWriteFileCreate new files or completely overwrite existing ones
GlobGlobFileFind files by name pattern using glob syntax
GrepGrepFileSearch file contents using regular expressions (powered by ripgrep)
BashBashShellExecute shell commands in a persistent working directory
WebFetchWebFetchWebFetch and extract content from a URL
WebSearchWebSearchWebSearch the web for up-to-date information
MCPvariesMCPInvoke tools provided by connected MCP servers
ListMcpResourcesListMcpResourcesToolMCPList resources available from connected MCP servers
ReadMcpResourceReadMcpResourceToolMCPRead a specific resource from an MCP server by URI

How Claude decides which tools to use

Claude selects tools based on what is most appropriate for the task at hand. General heuristics:
  • File operations — Claude prefers Read, Edit, Write, Glob, and Grep over running equivalent shell commands (cat, grep, find). The dedicated tools provide better permission granularity and a clearer audit trail.
  • Search tasksGrep is preferred for content search; Glob is preferred for finding files by name. Bash with grep or find is only used as a fallback when the dedicated tools cannot accomplish the task.
  • Shell commandsBash is used for running build tools, tests, git operations, package managers, and any command that doesn’t have a dedicated tool.
  • Web accessWebFetch is used to retrieve a specific URL; WebSearch is used when Claude needs to discover current information without a known URL.
  • MCP tools — When MCP servers are connected, Claude may invoke their tools for domain-specific tasks such as database queries, authenticated API calls, or custom integrations.

How permissions work

Each tool call is subject to Claude Code’s permission system before it executes. Read-only tools (Read, Glob, Grep, WebFetch, WebSearch, ListMcpResources, ReadMcpResource) are considered safe by default and typically do not require a confirmation prompt. Write tools (Edit, Write) and shell execution (Bash) require permission. Claude Code will prompt you to allow or deny the operation. You can grant permanent permissions per-directory or per-command pattern in your settings.
The Bash tool supports a dangerouslyDisableSandbox parameter that bypasses sandbox restrictions. This should only be used when a command is failing due to sandbox constraints—not as a default.
MCP tools use a passthrough permission model and will ask for your consent before executing. For detailed permission configuration, see the Permissions documentation.

Tool reference pages

File Tools

Read, Edit, Write, Glob, and Grep — everything Claude uses to work with files.

Bash Tool

Execute shell commands, manage background tasks, and configure sandbox mode.

Web Tools

WebFetch and WebSearch for retrieving and searching web content.

MCP Tool

Invoke tools and read resources from connected MCP servers.