diff --git a/share/goa/doc/config.txt b/share/goa/doc/config.txt
index 7c5db4d..993e37c 100644
--- a/share/goa/doc/config.txt
+++ b/share/goa/doc/config.txt
@@ -252,10 +252,9 @@ to make sure that untrusted configuration files cannot trick Goa into undesired file operations. Moreover, Goa checks the 'cross_dev_prefix' against a list of allowed tool paths.
-By default, Goa allows tools to reside in the directories defined by the PATH
-environment variable or in "/usr/local/genode". Similar to extending the
-'allowed_paths' variable, a user may extend this policy by adding a path to the
-list 'allowed_tools' list.
+By default, Goa allows tools to reside in any subdirectory of /usr/. Similar to
+extending the 'allowed_paths' variable, a user may extend this policy by adding
+a path to the list 'allowed_tools' list.
 SEE ALSO
 ########
diff --git a/share/goa/lib/config.tcl b/share/goa/lib/config.tcl
index 9362986..e320961 100644
--- a/share/goa/lib/config.tcl
+++ b/share/goa/lib/config.tcl
@@ -233,8 +233,7 @@ namespace eval ::config {
 set allowed_paths [list [file normalize $project_dir] [file normalize $original_dir]]
 set allowed_paths [lsort -unique $allowed_paths]
- set allowed_tools [split $::env(PATH) ":"]
- lappend allowed_tools "/usr/local/genode"
+ set allowed_tools [list /usr/]
 lappend allowed_tools $tool_dir
 interp create -safe safeinterp
diff --git a/share/goa/lib/util.tcl b/share/goa/lib/util.tcl
index 8001cf1..6f9934f 100644
--- a/share/goa/lib/util.tcl
+++ b/share/goa/lib/util.tcl
@@ -748,6 +748,8 @@ proc install_config { args } {
 # Return true if specified program is installed
 #
 proc have_installed { program } {
+ # Note: auto_execok calls 'config::_safe_file' via 'file executable',
+ # which validates the resulting path against the allowed_tools variable.
 if {[auto_execok "$program"] != ""} { return true; }
 return false;
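Review bot: The new default `set allowed_tools [list /usr/]` is a raw string with a trailing slash, while `$tool_dir` is appended as-is on the next line and the `allowed_paths` entries just above go through `file normalize`, so the list mixes forms and nothing here says how an entry is compared. The comparison lives in `config::_safe_file`, which is outside this hunk; if it is a plain string-prefix match, every entry has to end on a path-component boundary and the candidate has to be normalised first, otherwise a sibling directory that merely shares the prefix of `$tool_dir` would presumably pass. I would normalise both defaults the same way and state the matching rule in a comment, for example `# entries are directory prefixes; PATH is deliberately not consulted so the environment cannot widen the policy` (if that is the intent of dropping PATH). The enclosing `namespace eval ::config` block starts and ends outside the hunk.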
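Review bot: The header comment above `have_installed` still reads "Return true if specified program is installed", but according to the added note the result now also depends on `allowed_tools`, so a program found on PATH outside the allowed directories is reported the same way as a missing one. I would put that into the contract line, e.g. `# Return true if specified program is installed in a location permitted by 'allowed_tools'`. It is not visible here whether `config::_safe_file` rejects a path by returning false or by raising an error; if it raises, `auto_execok` could abort on the first disallowed PATH entry rather than continue to the next, and the note should say which of the two callers get. The body of `have_installed` ends outside the hunk.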