Feature: Skill-scoped permission grants
Summary
Allow skills to declare required tool permissions upfront, prompting users to approve them in batch when the skill is invoked rather than interrupting for each individual tool call.
Use Case
When using a skill like capturing screenshots with Playwright for PR documentation, the workflow requires multiple tool calls:
browser_navigate- Go to the pagebrowser_snapshot- Get element referencesbrowser_click- Interact (expand menus, open modals)browser_take_screenshot- Capture the result- Repeat steps 2-4 several times
browser_close- Clean up
Currently, each tool call prompts individually, requiring 10-15 permission approvals for a single screenshot session. This breaks flow and makes the skill tedious to use.
Proposed Solution
1. Skill permission declaration
Allow skills to declare required permissions in their frontmatter:
---
name: pr-screenshots
description: Capture screenshots with Playwright for PR documentation
permissions:
- mcp__plugin_playwright_playwright__browser_navigate
- mcp__plugin_playwright_playwright__browser_snapshot
- mcp__plugin_playwright_playwright__browser_take_screenshot
- mcp__plugin_playwright_playwright__browser_click
- mcp__plugin_playwright_playwright__browser_close
---
2. Batch approval prompt on skill invocation
When the skill is invoked, present the permission request upfront:
Skill "pr-screenshots" wants to use:
☑ browser_navigate
☑ browser_snapshot
☑ browser_take_screenshot
☑ browser_click
☑ browser_close
[Approve All] [Select...] [Deny]
3. Session-scoped grants
Approved permissions would be:
- Scoped to the current skill invocation (or optionally the session)
- Not persisted to settings.json
- Revocable by the user at any time
Alternatives Considered
- Add to global allowlist - Works but grants permanent access, which may be too broad for powerful tools like Playwright that can click/type on any page
- Click through each prompt - Current behavior, tedious for multi-step workflows
- Plan mode allowedPrompts - Only works for Bash commands, not MCP tools
Additional Context
This pattern is similar to how mobile apps request permissions - declared upfront, approved in context, scoped appropriately. It balances security (user still approves) with usability (single approval vs. many).
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗