[BUG] ~/.claude/plugins/data/ (CLAUDE_PLUGIN_DATA) triggers protected-directory prompt despite being the framework-designated plugin state directory

Resolved 💬 5 comments Opened Mar 30, 2026 by FrankLedo Closed Jun 11, 2026

Summary

Plugins write their persistent state to ~/.claude/plugins/data/<plugin-name>/ — the path injected by the Claude Code plugin runtime as CLAUDE_PLUGIN_DATA. Every write to this directory (e.g. updating a timestamp, appending to a queue file) triggers the sensitive-file / protected-directory confirmation prompt, even in bypassPermissions mode.

Why this is different from the general bypassPermissions issue

The broader protected-directory problem is tracked in #37157, #39523, and others. This is a more specific gap: ~/.claude/plugins/data/ is not an arbitrary subdirectory of ~/.claude/ — it is the framework-designated write location for plugin state, explicitly injected by the plugin runtime as CLAUDE_PLUGIN_DATA. The runtime itself tells plugins to write here. Blocking writes to it defeats the purpose of the plugin state API.

Analogously: the runtime injects SKILL_SCRIPTS_DIR as the skills read path and CLAUDE_PLUGIN_DATA as the state write path. If the runtime designates a path for writes, the permission system should recognize it as pre-authorized for plugin state I/O.

Steps to reproduce

  1. Install any plugin that writes state (e.g. slack-monitor, tickler)
  2. Run the plugin — it will write to ~/.claude/plugins/data/<plugin-name>/
  3. Observe the sensitive-file confirmation prompt on every write, even with bypassPermissions: true or --dangerously-skip-permissions

Expected behavior

Writes to ~/.claude/plugins/data/ should be automatically permitted — no prompt. The runtime designates this path for plugin state; the permission system should treat it accordingly.

Actual behavior

Every write to ~/.claude/plugins/data/ triggers: "This file is in a sensitive location..." confirmation dialog, blocking background/scheduled plugin cycles.

Workaround attempted

A PreToolUse hook outputting {"decision": "allow"} for paths matching ~/.claude/plugins/data/* does not suppress the prompt — the protected-directory check runs at a different layer than PreToolUse hooks.

Related issues

  • #37157 — .claude/skills/ not exempt from protected-directory prompt
  • #39523 — [META] bypassPermissions fundamentally broken
  • #38598 — Feature: allow opt-out via settings.json
  • #36396 — Regression since 2.1.78

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗