| name | permissions-audit |
| description | Audit and organize Claude Code permissions in settings.json/settings.local.json. Clean up accumulated permissions, properly distribute settings between global and project levels, and consolidate to wildcard notation. Use triggers like "audit permissions", "clean up settings", "organize settings.json", "permissions inventory". |
Permissions Audit
A skill for auditing and organizing Claude Code settings file permissions.
Workflow
1. Read Settings Files
Read the following 3 files:
~/.claude/settings.json # Global settings
.claude/settings.json # Project shared settings
.claude/settings.local.json # Project local settings
Notes:
~/.claude/settings.local.json is NOT loaded by Claude Code (only project-level .claude/settings.local.json is effective)
- With symlink configurations, global and project settings may point to the same file
2. Analyze Issues
Analyze the allow list from the following perspectives:
| Issue | Example |
|---|
| One-time permissions | Bash(git -C /path/to/repo log --oneline) |
| Can be wildcarded | Bash(git log:*) exists but Bash(git log --oneline -5) also present |
| Global/local conflicts | Denied globally, allowed locally |
| Environment-specific paths | Edit(~/myproject/**) with specific paths |
| Destructive operations | Bash(docker * prune:*) and other delete commands |
| Deviation from recommendations | Commands in allow that are not recommended |
3. Determine Cleanup Strategy
Items to confirm with user (batch confirm via AskUserQuestion):
- curl/wget: Deny recommended since WebFetch exists, but needed for external API testing?
- git fetch/pull: Involves remote communication. Ask for permission each time?
- Destructive operations: Allow data deletion commands like docker prune?
- Dev tools: Place npm/python globally or move to project local?
4. Settings Placement Rules
| Location | Content |
|---|
| Global allow | Universal commands (git, cat, jq, etc.) |
| Global deny | Dangerous commands (sudo, ssh, etc.) |
| Project shared | Project-specific (./gradlew, mysql, etc.) |
| Project local | Temporary permissions only (keep empty) |
5. Recommended Settings
See references/recommended-settings.md for details.
6. Verification
After changing settings, verify:
git status
curl --version
env
Important: A new session is required for settings to take effect.