[BUG] plugin install / marketplace add silently clears sandbox.filesystem configuration
Description
Running claude plugin install or claude plugin marketplace add rewrites ~/.claude/settings.json and replaces the sandbox.filesystem object with {}, silently dropping the entire write.allowOnly configuration. This effectively disables the write sandbox without any warning.
Steps to Reproduce
- Configure
sandbox.filesystem.write.allowOnlyin~/.claude/settings.json - Run any plugin install command, e.g.:
claude plugin install pyright-lsp@claude-plugins-officialclaude plugin marketplace add obra/superpowers-marketplace
- Inspect
~/.claude/settings.json
Expected Behavior
sandbox.filesystem configuration is preserved after plugin operations.
Actual Behavior
The sandbox.filesystem key is replaced with {}, removing all write restrictions.
Before
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true,
"network": { ... },
"filesystem": {
"write": {
"allowOnly": [
"//root/code/**",
"//tmp/**",
"//tmp/claude-0/**"
]
}
}
}
After
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true,
"network": { ... },
"filesystem": {}
}
Security Implication
The write sandbox is a security boundary. Silently clearing it means users who configured filesystem restrictions to limit where Claude can write are unknowingly left without those protections after installing a plugin. There is no warning or prompt — the configuration is simply dropped.
Environment
- Claude Code version: 2.1.63
- OS: Linux (also likely reproducible on macOS)
- All
claude plugin installvariants appear affected
Related Issues
- #2688 — reported the same root cause since v1.0.35 (settings rewrite on plugin install)
- #15339 — closed as duplicate, but the underlying issue persists
Workaround
Manually verify and restore sandbox.filesystem.write in settings.json after every plugin install.
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗