[BUG] WebFetch allows huggingface.co without permission prompt, bypassing user settings
Description
huggingface.co is implicitly allowed for WebFetch without any permission prompt, even when the domain is NOT in the user's permissions.allow list. Other domains (like github.com, npmjs.com) correctly require permission prompts.
This is a potential security concern because Hugging Face hosts user-generated content (model cards, READMEs, documentation) that could contain prompt injection payloads.
Reproduction Steps
- Ensure
huggingface.cois NOT in your~/.claude/settings.jsonor.claude/settings.local.jsonallow list - Start a fresh Claude Code session
- Ask Claude: "Try fetching any huggingface URL"
- Observe: Claude fetches
https://huggingface.cowithout prompting for permission - For comparison, ask Claude to fetch
https://github.comorhttps://npmjs.com - Observe: These domains do prompt for permission
Expected Behavior
All domains not explicitly in the user's permissions.allow list should require a permission prompt before fetching.
Actual Behavior
huggingface.co is fetched without any permission prompt, even when not in the allow list.
Investigation Findings
We verified this is NOT due to the server-side domain_info endpoint. All three domains return can_fetch: true:
https://claude.ai/api/web/domain_info?domain=huggingface.co → can_fetch: true
https://claude.ai/api/web/domain_info?domain=github.com → can_fetch: true
https://claude.ai/api/web/domain_info?domain=npmjs.com → can_fetch: true
Yet only huggingface.co bypasses the local permission prompt.
Possible causes:
- Hardcoded allowlist in Claude Code client
- The
huggingface-skillsplugin being listed in the official marketplace may grant implicit domain permissions even when not installed - Some other undocumented mechanism
Security Concern
Hugging Face is a platform with user-generated content. Model cards, READMEs, and documentation pages can contain arbitrary text controlled by uploaders. Implicitly allowing this domain creates a prompt injection attack surface:
- Attacker creates a malicious model card with hidden instructions
- User asks Claude to research a model on Hugging Face
- Claude fetches the page without permission prompt
- Malicious content enters Claude's context window
Environment
- Claude Code version: 2.1.5
- OS: macOS (Darwin 24.6.0)
- User has explicit domain allowlist configured (not using defaults)
Suggested Fix
- Remove any implicit/hardcoded allowlist for
huggingface.co - Document which domains (if any) bypass user permission settings
- Provide a way for users to deny server-allowed domains locally
Related
- CVE-2025-55284 - Previous "Permissive Default Allowlist" vulnerability (for bash commands)
- WebFetch architecture analysis - Documents the
domain_infoendpoint
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗