[BUG] ~/.claude/plugins/data/ (CLAUDE_PLUGIN_DATA) triggers protected-directory prompt despite being the framework-designated plugin state directory
Summary
Plugins write their persistent state to ~/.claude/plugins/data/<plugin-name>/ — the path injected by the Claude Code plugin runtime as CLAUDE_PLUGIN_DATA. Every write to this directory (e.g. updating a timestamp, appending to a queue file) triggers the sensitive-file / protected-directory confirmation prompt, even in bypassPermissions mode.
Why this is different from the general bypassPermissions issue
The broader protected-directory problem is tracked in #37157, #39523, and others. This is a more specific gap: ~/.claude/plugins/data/ is not an arbitrary subdirectory of ~/.claude/ — it is the framework-designated write location for plugin state, explicitly injected by the plugin runtime as CLAUDE_PLUGIN_DATA. The runtime itself tells plugins to write here. Blocking writes to it defeats the purpose of the plugin state API.
Analogously: the runtime injects SKILL_SCRIPTS_DIR as the skills read path and CLAUDE_PLUGIN_DATA as the state write path. If the runtime designates a path for writes, the permission system should recognize it as pre-authorized for plugin state I/O.
Steps to reproduce
- Install any plugin that writes state (e.g. slack-monitor, tickler)
- Run the plugin — it will write to
~/.claude/plugins/data/<plugin-name>/ - Observe the sensitive-file confirmation prompt on every write, even with
bypassPermissions: trueor--dangerously-skip-permissions
Expected behavior
Writes to ~/.claude/plugins/data/ should be automatically permitted — no prompt. The runtime designates this path for plugin state; the permission system should treat it accordingly.
Actual behavior
Every write to ~/.claude/plugins/data/ triggers: "This file is in a sensitive location..." confirmation dialog, blocking background/scheduled plugin cycles.
Workaround attempted
A PreToolUse hook outputting {"decision": "allow"} for paths matching ~/.claude/plugins/data/* does not suppress the prompt — the protected-directory check runs at a different layer than PreToolUse hooks.
Related issues
- #37157 —
.claude/skills/not exempt from protected-directory prompt - #39523 — [META] bypassPermissions fundamentally broken
- #38598 — Feature: allow opt-out via settings.json
- #36396 — Regression since 2.1.78
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗