claude-permissions-audit

Review and reorganize Claude Code permission settings across all config files (global settings.json, project settings.local.json, dotfiles copies). Identifies redundancy, misplaced permissions, and lack of read/write organization. Produces a clean layout where global settings are the source of truth and project-local files only contain project-specific overrides. Use this skill whenever the user mentions reviewing permissions, cleaning up settings, auditing allowed tools, reorganizing settings.json, or asking "what permissions do I have". Also use when adding new MCP servers or tools and wanting to decide what to pre-allow. Triggers: "review permissions", "audit settings", "clean up settings.json", "permissions audit", "/permissions-audit".

12 stars

Best use case

claude-permissions-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Review and reorganize Claude Code permission settings across all config files (global settings.json, project settings.local.json, dotfiles copies). Identifies redundancy, misplaced permissions, and lack of read/write organization. Produces a clean layout where global settings are the source of truth and project-local files only contain project-specific overrides. Use this skill whenever the user mentions reviewing permissions, cleaning up settings, auditing allowed tools, reorganizing settings.json, or asking "what permissions do I have". Also use when adding new MCP servers or tools and wanting to decide what to pre-allow. Triggers: "review permissions", "audit settings", "clean up settings.json", "permissions audit", "/permissions-audit".

Teams using claude-permissions-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/claude-permissions-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/jackchuka/skills/main/claude-permissions-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/claude-permissions-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How claude-permissions-audit Compares

Feature / Agentclaude-permissions-auditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Review and reorganize Claude Code permission settings across all config files (global settings.json, project settings.local.json, dotfiles copies). Identifies redundancy, misplaced permissions, and lack of read/write organization. Produces a clean layout where global settings are the source of truth and project-local files only contain project-specific overrides. Use this skill whenever the user mentions reviewing permissions, cleaning up settings, auditing allowed tools, reorganizing settings.json, or asking "what permissions do I have". Also use when adding new MCP servers or tools and wanting to decide what to pre-allow. Triggers: "review permissions", "audit settings", "clean up settings.json", "permissions audit", "/permissions-audit".

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

SKILL.md Source

# Permissions Audit

Review and reorganize Claude Code permission settings so global settings are the
source of truth, project-local files stay minimal, and read vs write operations
have clear separation.

## When to Use

- Reviewing what tools and commands are pre-allowed
- Cleaning up accumulated ad-hoc permission entries
- After adding a new MCP server and deciding which operations to pre-allow
- Ensuring global vs project-local settings are properly split
- Periodic hygiene check on permission sprawl

## Phase 1: Discover All Settings Files

Scan for every settings file that contributes to the effective permission set.

**Locations to check:**
- `~/.claude/settings.json` — global settings (source of truth)
- `<project>/.claude/settings.json` — project shared settings (committed)
- `<project>/.claude/settings.local.json` — project local settings (gitignored)
- `~/.claude/.claude/settings.local.json` — home directory project local
- Any dotfiles-managed copy (e.g. `home/.claude/settings.json` in a dotfiles repo)

Read all of them in parallel. If a file doesn't exist, note it and move on.

## Phase 2: Audit

For each permission entry across all files, assess:

1. **Redundancy** — Is this entry already covered by a broader rule elsewhere?
   - Example: `Bash(gws calendar events:*)` is redundant when `Bash(gws:*)` exists globally
2. **Misplacement** — Is this general-purpose but stuck in a project-local file?
   - Example: `Bash(python3:*)` in project local when it's useful everywhere
3. **Inconsistent granularity** — Are similar tools allowed at different specificity levels?
   - Example: Global has `gh pr list`, `gh pr view` individually, but project local has `gh:*`
4. **Missing read/write distinction** — Are read-only and write operations mixed together?
5. **Stale entries** — One-time approvals that accumulated (e.g., a specific git command with hardcoded paths)

Present findings as a table with issues and proposed resolution for each.

## Phase 3: Propose Reorganization

Design the new layout following these principles:

### Global settings (source of truth)

Organize permissions into labeled sections by grouping related entries together.
Do NOT use JSON comments (// or /* */) — settings.json must be valid JSON.
Instead, rely on the ordering of entries to convey grouping. Within the allow
array, cluster related permissions together in this order:

**Section order (group entries in this sequence, no separators needed):**

```
filesystem reads            — cat, tree, grep, wc, file reads
<lang> inspection           — go doc, cargo check, linters (no side effects)
GitHub CLI reads            — gh pr list/view/diff, gh issue list (no mutations)
external tool reads         — calendar, slack CLI, other read CLIs
web reads                   — WebSearch, WebFetch with domain allowlist
MCP <service> reads         — list, get, describe, search operations
build / test / install      — go build, cargo test, pnpm install (local side effects)
skills                      — Skill(superpowers:*), etc.
```

### Project-local settings (minimal overrides)

Only keep entries that are genuinely project-specific:
- Broader tool access needed for a specific workflow (e.g., `Bash(gh:*)` for a repo that creates PRs frequently)
- Project-specific MCP tools not used elsewhere
- Temporary elevated access during active development

### Clarifying questions

Before applying, ask the user about edge cases. Common questions:

- **Scope of CLI tools**: Should `gh:*` (all subcommands) go global, or keep read-only globally with broader access per-project?
- **MCP write operations**: Which write operations (send message, create issue) should stay prompted vs pre-allowed?
- **Environment separation**: Should dev and prod data sources have the same read access, or should prod be more restrictive?
- **Dotfiles sync**: Does the user maintain a dotfiles copy that needs updating?

Adapt questions to what's actually ambiguous — don't ask about things that are obvious from context.

## Phase 4: Apply Changes

Once the user confirms the plan:

1. Write the updated global settings file
2. Write the trimmed project-local settings file
3. Update any dotfiles copies to stay in sync
4. Clear out entries from other local files that were absorbed into global

## Phase 5: Summary

Present a before/after comparison:

| File | Before | After |
|------|--------|-------|
| Global | N flat entries | M entries in K sections |
| Project local | X entries | Y entries (project-specific only) |

List what moved where, and what still requires prompting (write operations not pre-allowed).

Related Skills

dev-cli-consistency-audit

12
from jackchuka/skills

Reviews a CLI tool's command interface for consistency in argument naming, flag conventions, help text, and README alignment. Use when building CLI tools or before releasing CLI updates. Triggers: "review CLI arguments", "align CLI conventions", "CLI consistency check", "make sure commands are aligned", "review command interface".

claude-skill-spec-audit

12
from jackchuka/skills

Audit skill SKILL.md files for compliance with the agentskills.io specification. Checks frontmatter fields (name, description, compatibility, metadata, argument-hint) and metadata sub-fields (author, scope, confirms). Use when adding new skills, reviewing skill quality, or ensuring all skills follow the spec. Triggers: "audit skills", "check skill spec", "skill compliance", "are my skills up to spec", "/claude-skill-spec-audit".

claude-skill-prereq-audit

12
from jackchuka/skills

Scan skills for prerequisite tools, MCP servers, and auth requirements, then check if everything is installed and authenticated. Offers to fix issues. Use when setting up a new machine, after installing skills, or to verify your environment. Triggers: "check prerequisites", "skill prereqs", "are my tools installed", "verify skill dependencies", "/claude-skill-prereq-audit".

claude-skill-orchestration-audit

12
from jackchuka/skills

Audit skills for agentic orchestration quality. Checks subagent dispatch patterns, parallelism opportunities, anti-patterns, and alignment with the three-phase pattern (setup → dispatch → aggregate). Use when reviewing skill quality, saying "audit orchestration", "check my skills for parallelism", "skill orchestration review", or "/claude-skill-orchestration-audit".

restaurant-search

12
from jackchuka/skills

Search for Japanese restaurants using the `hpp` CLI (HotPepper Gourmet API). Use when the user wants to find a restaurant, plan a dinner, search for izakayas, or book a group meal in Japan. Triggers on requests like "find a restaurant near Shibuya", "search for izakayas in 新宿", "restaurant for 10 people in 浜松町", "dinner spot near Tokyo station".

project-namer

12
from jackchuka/skills

Use when naming a project, repository, tool, or product and wanting a memorable, unique name

p-slack-triage

12
from jackchuka/skills

Scan Slack for messages needing your attention, walk through them one-by-one, and draft/send replies. Covers DMs, mentions, threads, and channel activity. Use when the user wants to triage Slack, check what needs attention, or draft replies. Triggers on "triage slack", "check slack", "what needs my attention on slack", "slack replies", "review slack messages", "/slack-triage".

p-news-briefing

12
from jackchuka/skills

Use when the user asks for news, wants a briefing, says "/news-briefing", or asks to aggregate recent information on any topic. Triggers on requests like "what's happening with AI", "get me news on crypto", "news briefing on climate".

p-md-to-slides

12
from jackchuka/skills

Convert a structured Markdown deck source into a styled Google Slides presentation. Use this skill when the user has a slide.md file (or wants to write one) and wants Google Slides output — talks, LT decks, lecture slides, conference presentations, internal explainers. Trigger phrases include "md からスライド作って", "slide.md を Google Slides にして", "発表資料を Google Slides で", "convert this markdown to slides", "build a Google Slides deck from this markdown", "make slides from md", "/md-to-slides", and similar. Also use when the user references a presentation/<date>/slide.md file structure with `## Slide N — title`, `**話すこと:**`, and `**スライド要素:**` sections.

p-ego-search

12
from jackchuka/skills

Search for mentions of you across Slack, Fireflies, and GitHub. Triggers on "egosearch", "/egosearch", "search for mentions of me", "who's talking about me".

p-daily-standup

12
from jackchuka/skills

Aggregate previous business day activity and post standup update to Slack. Use when the user says "standup", "daily standup", "post status", "status update", or "/daily-standup".

p-daily-report

12
from jackchuka/skills

Use when reviewing what you worked on, creating standups, writing status updates, tracking daily/weekly progress, or asking "what did I do today"