[BUG] WebFetch allows huggingface.co without permission prompt, bypassing user settings

Resolved 💬 2 comments Opened Jan 15, 2026 by danielweinmann Closed Feb 28, 2026

Description

huggingface.co is implicitly allowed for WebFetch without any permission prompt, even when the domain is NOT in the user's permissions.allow list. Other domains (like github.com, npmjs.com) correctly require permission prompts.

This is a potential security concern because Hugging Face hosts user-generated content (model cards, READMEs, documentation) that could contain prompt injection payloads.

Reproduction Steps

  1. Ensure huggingface.co is NOT in your ~/.claude/settings.json or .claude/settings.local.json allow list
  2. Start a fresh Claude Code session
  3. Ask Claude: "Try fetching any huggingface URL"
  4. Observe: Claude fetches https://huggingface.co without prompting for permission
  5. For comparison, ask Claude to fetch https://github.com or https://npmjs.com
  6. Observe: These domains do prompt for permission

Expected Behavior

All domains not explicitly in the user's permissions.allow list should require a permission prompt before fetching.

Actual Behavior

huggingface.co is fetched without any permission prompt, even when not in the allow list.

Investigation Findings

We verified this is NOT due to the server-side domain_info endpoint. All three domains return can_fetch: true:

https://claude.ai/api/web/domain_info?domain=huggingface.co  → can_fetch: true
https://claude.ai/api/web/domain_info?domain=github.com     → can_fetch: true  
https://claude.ai/api/web/domain_info?domain=npmjs.com      → can_fetch: true

Yet only huggingface.co bypasses the local permission prompt.

Possible causes:

  • Hardcoded allowlist in Claude Code client
  • The huggingface-skills plugin being listed in the official marketplace may grant implicit domain permissions even when not installed
  • Some other undocumented mechanism

Security Concern

Hugging Face is a platform with user-generated content. Model cards, READMEs, and documentation pages can contain arbitrary text controlled by uploaders. Implicitly allowing this domain creates a prompt injection attack surface:

  1. Attacker creates a malicious model card with hidden instructions
  2. User asks Claude to research a model on Hugging Face
  3. Claude fetches the page without permission prompt
  4. Malicious content enters Claude's context window

Environment

  • Claude Code version: 2.1.5
  • OS: macOS (Darwin 24.6.0)
  • User has explicit domain allowlist configured (not using defaults)

Suggested Fix

  1. Remove any implicit/hardcoded allowlist for huggingface.co
  2. Document which domains (if any) bypass user permission settings
  3. Provide a way for users to deny server-allowed domains locally

Related

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗