[BUG] /plugin install bypasses Edit/Write(.claude/settings.json) deny rules and reorders existing settings
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The /plugin install command modifies .claude/settings.json despite explicit deny rules that should prevent any tool from editing that file. Additionally, it re-serializes the entire JSON file, reordering keys — which could silently alter or drop security-sensitive configuration.
Environment
- Claude Code: 2.1.76
- Node.js: v20.20.1
- OS: Debian GNU/Linux 12 (bookworm) / devcontainer
- Platform: Linux (Docker-in-Docker devcontainer)
Behavior
The plugin install bypasses the deny rules and re-serializes the entire file. The resulting diff shows:
"sandbox": {
"enabled": true,
- "enableWeakerNestedSandbox": true,
"allowUnsandboxedCommands": false,
"network": {
"allowedDomains": [
@@ -56,6 +55,10 @@
"edgedl.me.gvt1.com",
"dl.google.com"
]
- }
+ },
+ "enableWeakerNestedSandbox": true
+ },
+ "enabledPlugins": {
+ "ui-ux-pro-max@ui-ux-pro-max-skill": true
}
}
The enableWeakerNestedSandbox key was removed from its original position and relocated to the end of the sandbox block. While functionally equivalent in this case, this behavior demonstrates that the plugin install does a full JSON parse-and-reserialize of the entire settings file.
Security concerns
- Deny rule bypass: The deny rules exist specifically to prevent modifications to security configuration. Built-in CLI commands like
/plugin installshould either respect these rules or operate through a separate, scoped mechanism that cannot touch other keys. - Full file rewrite risk: A full JSON re-serialization means any bug in the serialization logic (or a malicious plugin triggering unexpected behavior) could silently alter security-sensitive fields like
denyrules,sandbox.enabled, orallowUnsandboxedCommands. - False sense of security: Users who set up deny rules for
settings.jsonreasonably expect the file is protected. The current behavior undermines that assumption.
What Should Happen?
Either:
- The plugin install respects the deny rules and refuses to modify
settings.json, or - The plugin install performs a scoped write that only adds/modifies the
enabledPluginskey, leaving all other bytes identical
Error Messages/Logs
Steps to Reproduce
- Configure
.claude/settings.jsonwith deny rules that protect the file from modification:
``json``
{
"permissions": {
"deny": [
"Edit(.claude/settings.json)",
"Write(.claude/settings.json)"
]
},
"sandbox": {
"enabled": true,
"enableWeakerNestedSandbox": true,
"allowUnsandboxedCommands": false,
"network": { "..." : "..." }
}
}
- Commit the file to git so changes are trackable.
- Run
/plugin marketplace add nextlevelbuilder/ui-ux-pro-max-skill - Run
/plugin install ui-ux-pro-max@ui-ux-pro-max-skill - Run
git diff .claude/settings.json
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.76
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗