Skill

permission-tuner

Analyzes Claude Code permission denials and generates alwaysAllow/alwaysDeny rules for safe read-only ops like git status/npm test while blocking destructive commands.

Bash

Git

Node

developer-tools

security

npx claudepluginhub rohitg00/pro-workflow --plugin pro-workflow

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Reduce permission prompt fatigue by analyzing denial patterns and suggesting targeted rules.

SKILL.md

Similar Skills

claude-permissions-optimizer

13.2k

Extracts safe Bash commands from Claude Code session history and auto-updates settings.json allowlist to minimize permission prompts.

2 files

compound-engineering

level-4-the-wardens-keys

Configure allow/deny/ask permission rules in .claude/settings.json for Claude Code tools like Bash(git:*), Write, Edit. Builds layered policies with glob patterns for git commands.

claude-code-hero

hooks-permission-request-hook

Generates PermissionRequest hooks that auto-approve safe operations, auto-deny dangerous ones, and tailor rules to detected project stack. Safer alternative to --dangerouslySkipPermissions for manual permission mode.

7 tools

hooks-plugin

Stats

Stars2022

Forks192

Last CommitMar 31, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Permission Tuner

Reduce permission prompt fatigue by analyzing denial patterns and suggesting targeted rules.

Trigger

Use when:

Permission prompts interrupt flow repeatedly
Starting a new project and want to configure permissions
After a session with many manual approvals

Workflow

Scan recent session data for permission patterns
Identify frequently-approved tools and patterns
Generate safe alwaysAllow rules
Present rules for approval before applying

Analysis

Step 1: Gather Permission Data

Check current permission rules:

cat .claude/settings.json 2>/dev/null | grep -A 20 "permissions"
cat ~/.claude/settings.json 2>/dev/null | grep -A 20 "permissions"

Step 2: Identify Safe Patterns

Auto-approve candidates (low risk):

Read — all file reads (read-only, no side effects)
Glob — file pattern matching (read-only)
Grep — content search (read-only)
Bash(git status) — read-only git commands
Bash(git diff*) — read-only git commands
Bash(git log*) — read-only git commands
Bash(npm test*) — test execution
Bash(npm run lint*) — linting
Bash(npm run typecheck*) — type checking

Ask candidates (medium risk — auto-approve only if user confirms):

Edit — file modifications
Write — new file creation
Bash(git add*) — staging changes
Bash(git commit*) — creating commits
Bash(npm install*) — dependency changes

Never auto-approve (high risk):

Bash(git push*) — affects remote
Bash(git reset --hard*) — destructive
Bash(rm -rf*) — destructive
Bash(curl*POST*) — external API calls
Any command with --force or --no-verify

Step 3: Generate Rules

{
  "permissions": {
    "allow": [
      "Read",
      "Glob",
      "Grep",
      "Bash(git status)",
      "Bash(git diff*)",
      "Bash(git log*)",
      "Bash(npm test*)",
      "Bash(npm run lint*)",
      "Bash(npm run typecheck*)"
    ],
    "deny": [
      "Bash(rm -rf *)",
      "Bash(git push --force*)",
      "Bash(git reset --hard*)"
    ]
  }
}

Output

PERMISSION TUNER REPORT

Current rules: [X] allow, [Y] deny, [Z] ask

Recommendations:
  Auto-approve (safe, read-only):
    + Read, Glob, Grep
    + Bash(git status), Bash(git diff*), Bash(git log*)

  Auto-approve (medium risk, frequently used):
    + Edit (approved X times this session)
    + Bash(npm test*) (approved X times)

  Keep asking:
    ~ Bash(git commit*) — verify commit messages
    ~ Write — verify new file creation

  Auto-deny (dangerous):
    - Bash(rm -rf *)
    - Bash(git push --force*)

Estimated prompts saved per session: ~[N]

Rules

Never auto-approve destructive operations
Always present rules for user approval before applying
Group rules by risk level (safe/medium/dangerous)
Include estimated prompt savings