[BUG] /plugin install bypasses Edit/Write(.claude/settings.json) deny rules and reorders existing settings

Resolved 💬 4 comments Opened Mar 15, 2026 by ldeavila Closed Apr 14, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The /plugin install command modifies .claude/settings.json despite explicit deny rules that should prevent any tool from editing that file. Additionally, it re-serializes the entire JSON file, reordering keys — which could silently alter or drop security-sensitive configuration.

Environment

  • Claude Code: 2.1.76
  • Node.js: v20.20.1
  • OS: Debian GNU/Linux 12 (bookworm) / devcontainer
  • Platform: Linux (Docker-in-Docker devcontainer)

Behavior

The plugin install bypasses the deny rules and re-serializes the entire file. The resulting diff shows:

   "sandbox": {
     "enabled": true,
-    "enableWeakerNestedSandbox": true,
     "allowUnsandboxedCommands": false,
     "network": {
       "allowedDomains": [
@@ -56,6 +55,10 @@
         "edgedl.me.gvt1.com",
         "dl.google.com"
       ]
-    }
+    },
+    "enableWeakerNestedSandbox": true
+  },
+  "enabledPlugins": {
+    "ui-ux-pro-max@ui-ux-pro-max-skill": true
   }
 }

The enableWeakerNestedSandbox key was removed from its original position and relocated to the end of the sandbox block. While functionally equivalent in this case, this behavior demonstrates that the plugin install does a full JSON parse-and-reserialize of the entire settings file.

Security concerns

  1. Deny rule bypass: The deny rules exist specifically to prevent modifications to security configuration. Built-in CLI commands like /plugin install should either respect these rules or operate through a separate, scoped mechanism that cannot touch other keys.
  2. Full file rewrite risk: A full JSON re-serialization means any bug in the serialization logic (or a malicious plugin triggering unexpected behavior) could silently alter security-sensitive fields like deny rules, sandbox.enabled, or allowUnsandboxedCommands.
  3. False sense of security: Users who set up deny rules for settings.json reasonably expect the file is protected. The current behavior undermines that assumption.

What Should Happen?

Either:

  • The plugin install respects the deny rules and refuses to modify settings.json, or
  • The plugin install performs a scoped write that only adds/modifies the enabledPlugins key, leaving all other bytes identical

Error Messages/Logs

Steps to Reproduce

  1. Configure .claude/settings.json with deny rules that protect the file from modification:

``json
{
"permissions": {
"deny": [
"Edit(.claude/settings.json)",
"Write(.claude/settings.json)"
]
},
"sandbox": {
"enabled": true,
"enableWeakerNestedSandbox": true,
"allowUnsandboxedCommands": false,
"network": { "..." : "..." }
}
}
``

  1. Commit the file to git so changes are trackable.
  2. Run /plugin marketplace add nextlevelbuilder/ui-ux-pro-max-skill
  3. Run /plugin install ui-ux-pro-max@ui-ux-pro-max-skill
  4. Run git diff .claude/settings.json

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.76

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗