diff --git a/autogpt_platform/backend/backend/copilot/sdk/security_hooks.py b/autogpt_platform/backend/backend/copilot/sdk/security_hooks.py
index 1e33bca2d8..3d2a0e4d02 100644
--- a/autogpt_platform/backend/backend/copilot/sdk/security_hooks.py
+++ b/autogpt_platform/backend/backend/copilot/sdk/security_hooks.py
@@ -101,6 +101,13 @@ def _validate_tool_access(
     Returns:
         Empty dict to allow, or dict with hookSpecificOutput to deny
     """
+    # Workspace-scoped tools: allowed only within the SDK workspace directory.
+    # Check this BEFORE the blocked-tools list because Read is blocked in
+    # general but must remain accessible for tool-results/tool-outputs paths
+    # that the SDK uses internally for oversized result handling.
+    if tool_name in WORKSPACE_SCOPED_TOOLS:
+        return _validate_workspace_path(tool_name, tool_input, sdk_cwd)
+
     # Block forbidden tools
     if tool_name in BLOCKED_TOOLS:
         logger.warning(f"Blocked tool access attempt: {tool_name}")
@@ -110,10 +117,6 @@ def _validate_tool_access(
             "Use the CoPilot-specific MCP tools instead."
         )
 
-    # Workspace-scoped tools: allowed only within the SDK workspace directory
-    if tool_name in WORKSPACE_SCOPED_TOOLS:
-        return _validate_workspace_path(tool_name, tool_input, sdk_cwd)
-
     # Check for dangerous patterns in tool input
     # Use json.dumps for predictable format (str() produces Python repr)
     input_str = json.dumps(tool_input) if tool_input else ""
diff --git a/autogpt_platform/backend/backend/copilot/sdk/tool_adapter.py b/autogpt_platform/backend/backend/copilot/sdk/tool_adapter.py
index e1be5f0291..3699644791 100644
--- a/autogpt_platform/backend/backend/copilot/sdk/tool_adapter.py
+++ b/autogpt_platform/backend/backend/copilot/sdk/tool_adapter.py
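Review bot: Placing the WORKSPACE_SCOPED_TOOLS early return ahead of the BLOCKED_TOOLS check lets a tool that sits in both sets (Read, per the added comment) through on any path `_validate_workspace_path` accepts, which is the whole SDK workspace rather than only the tool-results/ and tool-outputs/ directories the comment gives as the justification, and it also returns before the blocked-tool warning and the dangerous-pattern scan that follow. If the internal need is limited to those two directories, narrow the allowed root for tools that are also in BLOCKED_TOOLS to them, and log at debug level when a blocked tool is admitted on a workspace path so these exceptions remain visible for audit. The same over-statement is in the WORKSPACE_SCOPED_TOOLS comment in the tool_adapter.py hunk, which would be more accurate as `# Read is permitted for any path inside the SDK workspace; the hook does not restrict it to tool-results/ or tool-outputs/.` `_validate_tool_access` starts and ends outside this hunk and `_validate_workspace_path` is not shown, so whether the path check resolves symlinks or knows Read's input key cannot be confirmed from here.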
@@ -778,11 +778,13 @@ BLOCKED_TOOLS = {
 # Tools allowed only when their path argument stays within the SDK workspace.
 # The SDK uses these to handle oversized tool results (writes to tool-results/
 # files, then reads them back) and for workspace file operations.
-# Read, Write, and Edit are NOT included: they are in
-# SDK_DISALLOWED_TOOLS because the SDK built-in versions are fully
-# replaced by MCP equivalents. Including them here would conflict
-# with the disallow list.
-WORKSPACE_SCOPED_TOOLS = {"Glob", "Grep"}
+# Read is included because the SDK reads back oversized tool results from
+# tool-results/ and tool-outputs/ directories. It is also in
+# SDK_DISALLOWED_TOOLS (which controls the SDK's disallowed_tools config),
+# but the security hooks check workspace scope BEFORE the blocked list
+# so that these internal reads are permitted.
+# Write and Edit are NOT included: they are fully replaced by MCP equivalents.
+WORKSPACE_SCOPED_TOOLS = {"Glob", "Grep", "Read"}
 
 # Dangerous patterns in tool inputs
 DANGEROUS_PATTERNS = [
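Review bot: The new comment says Read is in SDK_DISALLOWED_TOOLS, but the ordering it justifies ("check workspace scope BEFORE the blocked list") concerns BLOCKED_TOOLS in security_hooks.py, and the security_hooks hunk describes Read as "blocked in general"; which list Read actually belongs to is not visible in either hunk, so the comment should name the list the hook consults. Suggested wording: `# Read is also listed in BLOCKED_TOOLS / SDK_DISALLOWED_TOOLS (state which); the hook evaluates workspace scope before BLOCKED_TOOLS so workspace reads are admitted.` The enclosing BLOCKED_TOOLS definition ends before this hunk.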