permissions-audit

Use when reviewing, auditing, or cleaning up Claude Code permission allow, deny, and ask lists across settings files. Flags overly permissive patterns, deprecated syntax, duplicates, missing safety rules, and suggests project-type-aware additions.
cavaaiza01/claude-permissions-audit · ★ 2 · AI & Automation · score 78
Install: claude install-skill cavaaiza01/claude-permissions-audit
Audit Claude Code permission allow/deny/ask lists across all settings files. Classify issues by risk, suggest tightening, and interactively apply fixes. Can also discover permissions for new CLI tools.

## Mode Selection

Parse the first argument to determine the mode:

- `global`, `project`, `all`, or no argument → **Audit mode** (Phases 1-4 below)
- `discover <tool-name>` → **Discover mode** (see Discover Mode section at the end)

## Permission Model Reference

Claude Code has three permission arrays, evaluated in order: **deny → ask → allow**. First match wins.

| Array | Behavior |
|-------|----------|
| `allow` | Auto-approved — no prompt |
| `ask` | Always prompts for confirmation |
| `deny` | Auto-rejected — tool cannot be used at all |

Anything not matching any array falls through to the `defaultMode` setting.

Use the right array for the intent:

- **allow** — safe, read-only, or frequently-used commands (linters, test runners, git log)
- **ask** — commands that should succeed but need human review each time (git commit, git push, deployments)
- **deny** — commands that should never execute, even if explicitly requested (force push, rm -rf /)

## Phase 1: Discovery

Read all three settings files and detect the project type.

### Settings Files

Read each file. If a file doesn't exist, note it and continue.

1. **Global**: `~/.claude/settings.json`
2. **Project shared**: `.claude/settings.json` (in project root)
3. **Project local**: `.claude/settings.local.json` (in pr