claude-permissions-audit
Review and reorganize Claude Code permission settings across all config files (global settings.json, project settings.local.json, dotfiles copies). Identifies redundancy, misplaced permissions, and lack of read/write organization. Produces a clean layout where global settings are the source of truth and project-local files only contain project-specific overrides. Use this skill whenever the user mentions reviewing permissions, cleaning up settings, auditing allowed tools, reorganizing settings.json, or asking "what permissions do I have". Also use when adding new MCP servers or tools and wanting to decide what to pre-allow. Triggers: "review permissions", "audit settings", "clean up settings.json", "permissions audit", "/permissions-audit".
Best use case
claude-permissions-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Review and reorganize Claude Code permission settings across all config files (global settings.json, project settings.local.json, dotfiles copies). Identifies redundancy, misplaced permissions, and lack of read/write organization. Produces a clean layout where global settings are the source of truth and project-local files only contain project-specific overrides. Use this skill whenever the user mentions reviewing permissions, cleaning up settings, auditing allowed tools, reorganizing settings.json, or asking "what permissions do I have". Also use when adding new MCP servers or tools and wanting to decide what to pre-allow. Triggers: "review permissions", "audit settings", "clean up settings.json", "permissions audit", "/permissions-audit".
Teams using claude-permissions-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/claude-permissions-audit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How claude-permissions-audit Compares
| Feature / Agent | claude-permissions-audit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Review and reorganize Claude Code permission settings across all config files (global settings.json, project settings.local.json, dotfiles copies). Identifies redundancy, misplaced permissions, and lack of read/write organization. Produces a clean layout where global settings are the source of truth and project-local files only contain project-specific overrides. Use this skill whenever the user mentions reviewing permissions, cleaning up settings, auditing allowed tools, reorganizing settings.json, or asking "what permissions do I have". Also use when adding new MCP servers or tools and wanting to decide what to pre-allow. Triggers: "review permissions", "audit settings", "clean up settings.json", "permissions audit", "/permissions-audit".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
SKILL.md Source
# Permissions Audit Review and reorganize Claude Code permission settings so global settings are the source of truth, project-local files stay minimal, and read vs write operations have clear separation. ## When to Use - Reviewing what tools and commands are pre-allowed - Cleaning up accumulated ad-hoc permission entries - After adding a new MCP server and deciding which operations to pre-allow - Ensuring global vs project-local settings are properly split - Periodic hygiene check on permission sprawl ## Phase 1: Discover All Settings Files Scan for every settings file that contributes to the effective permission set. **Locations to check:** - `~/.claude/settings.json` — global settings (source of truth) - `<project>/.claude/settings.json` — project shared settings (committed) - `<project>/.claude/settings.local.json` — project local settings (gitignored) - `~/.claude/.claude/settings.local.json` — home directory project local - Any dotfiles-managed copy (e.g. `home/.claude/settings.json` in a dotfiles repo) Read all of them in parallel. If a file doesn't exist, note it and move on. ## Phase 2: Audit For each permission entry across all files, assess: 1. **Redundancy** — Is this entry already covered by a broader rule elsewhere? - Example: `Bash(gws calendar events:*)` is redundant when `Bash(gws:*)` exists globally 2. **Misplacement** — Is this general-purpose but stuck in a project-local file? - Example: `Bash(python3:*)` in project local when it's useful everywhere 3. **Inconsistent granularity** — Are similar tools allowed at different specificity levels? - Example: Global has `gh pr list`, `gh pr view` individually, but project local has `gh:*` 4. **Missing read/write distinction** — Are read-only and write operations mixed together? 5. **Stale entries** — One-time approvals that accumulated (e.g., a specific git command with hardcoded paths) Present findings as a table with issues and proposed resolution for each. ## Phase 3: Propose Reorganization Design the new layout following these principles: ### Global settings (source of truth) Organize permissions into labeled sections by grouping related entries together. Do NOT use JSON comments (// or /* */) — settings.json must be valid JSON. Instead, rely on the ordering of entries to convey grouping. Within the allow array, cluster related permissions together in this order: **Section order (group entries in this sequence, no separators needed):** ``` filesystem reads — cat, tree, grep, wc, file reads <lang> inspection — go doc, cargo check, linters (no side effects) GitHub CLI reads — gh pr list/view/diff, gh issue list (no mutations) external tool reads — calendar, slack CLI, other read CLIs web reads — WebSearch, WebFetch with domain allowlist MCP <service> reads — list, get, describe, search operations build / test / install — go build, cargo test, pnpm install (local side effects) skills — Skill(superpowers:*), etc. ``` ### Project-local settings (minimal overrides) Only keep entries that are genuinely project-specific: - Broader tool access needed for a specific workflow (e.g., `Bash(gh:*)` for a repo that creates PRs frequently) - Project-specific MCP tools not used elsewhere - Temporary elevated access during active development ### Clarifying questions Before applying, ask the user about edge cases. Common questions: - **Scope of CLI tools**: Should `gh:*` (all subcommands) go global, or keep read-only globally with broader access per-project? - **MCP write operations**: Which write operations (send message, create issue) should stay prompted vs pre-allowed? - **Environment separation**: Should dev and prod data sources have the same read access, or should prod be more restrictive? - **Dotfiles sync**: Does the user maintain a dotfiles copy that needs updating? Adapt questions to what's actually ambiguous — don't ask about things that are obvious from context. ## Phase 4: Apply Changes Once the user confirms the plan: 1. Write the updated global settings file 2. Write the trimmed project-local settings file 3. Update any dotfiles copies to stay in sync 4. Clear out entries from other local files that were absorbed into global ## Phase 5: Summary Present a before/after comparison: | File | Before | After | |------|--------|-------| | Global | N flat entries | M entries in K sections | | Project local | X entries | Y entries (project-specific only) | List what moved where, and what still requires prompting (write operations not pre-allowed).
Related Skills
dev-cli-consistency-audit
Reviews a CLI tool's command interface for consistency in argument naming, flag conventions, help text, and README alignment. Use when building CLI tools or before releasing CLI updates. Triggers: "review CLI arguments", "align CLI conventions", "CLI consistency check", "make sure commands are aligned", "review command interface".
claude-skill-spec-audit
Audit skill SKILL.md files for compliance with the agentskills.io specification. Checks frontmatter fields (name, description, compatibility, metadata, argument-hint) and metadata sub-fields (author, scope, confirms). Use when adding new skills, reviewing skill quality, or ensuring all skills follow the spec. Triggers: "audit skills", "check skill spec", "skill compliance", "are my skills up to spec", "/claude-skill-spec-audit".
claude-skill-prereq-audit
Scan skills for prerequisite tools, MCP servers, and auth requirements, then check if everything is installed and authenticated. Offers to fix issues. Use when setting up a new machine, after installing skills, or to verify your environment. Triggers: "check prerequisites", "skill prereqs", "are my tools installed", "verify skill dependencies", "/claude-skill-prereq-audit".
claude-skill-orchestration-audit
Audit skills for agentic orchestration quality. Checks subagent dispatch patterns, parallelism opportunities, anti-patterns, and alignment with the three-phase pattern (setup → dispatch → aggregate). Use when reviewing skill quality, saying "audit orchestration", "check my skills for parallelism", "skill orchestration review", or "/claude-skill-orchestration-audit".
restaurant-search
Search for Japanese restaurants using the `hpp` CLI (HotPepper Gourmet API). Use when the user wants to find a restaurant, plan a dinner, search for izakayas, or book a group meal in Japan. Triggers on requests like "find a restaurant near Shibuya", "search for izakayas in 新宿", "restaurant for 10 people in 浜松町", "dinner spot near Tokyo station".
project-namer
Use when naming a project, repository, tool, or product and wanting a memorable, unique name
p-slack-triage
Scan Slack for messages needing your attention, walk through them one-by-one, and draft/send replies. Covers DMs, mentions, threads, and channel activity. Use when the user wants to triage Slack, check what needs attention, or draft replies. Triggers on "triage slack", "check slack", "what needs my attention on slack", "slack replies", "review slack messages", "/slack-triage".
p-news-briefing
Use when the user asks for news, wants a briefing, says "/news-briefing", or asks to aggregate recent information on any topic. Triggers on requests like "what's happening with AI", "get me news on crypto", "news briefing on climate".
p-md-to-slides
Convert a structured Markdown deck source into a styled Google Slides presentation. Use this skill when the user has a slide.md file (or wants to write one) and wants Google Slides output — talks, LT decks, lecture slides, conference presentations, internal explainers. Trigger phrases include "md からスライド作って", "slide.md を Google Slides にして", "発表資料を Google Slides で", "convert this markdown to slides", "build a Google Slides deck from this markdown", "make slides from md", "/md-to-slides", and similar. Also use when the user references a presentation/<date>/slide.md file structure with `## Slide N — title`, `**話すこと:**`, and `**スライド要素:**` sections.
p-ego-search
Search for mentions of you across Slack, Fireflies, and GitHub. Triggers on "egosearch", "/egosearch", "search for mentions of me", "who's talking about me".
p-daily-standup
Aggregate previous business day activity and post standup update to Slack. Use when the user says "standup", "daily standup", "post status", "status update", or "/daily-standup".
p-daily-report
Use when reviewing what you worked on, creating standups, writing status updates, tracking daily/weekly progress, or asking "what did I do today"