Skill

claude-settings-audit

Analyzes repositories to recommend Claude Code settings.json permissions by detecting tech stack, build tools, monorepo structure, and services. Use for new project setup, audits, or read-only bash allowlists.

Bash

developer-tools

security

npx claudepluginhub sickn33/antigravity-awesome-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Analyze this repository and generate recommended Claude Code `settings.json` permissions for read-only commands.

SKILL.md

Similar Skills

claude-settings-audit

494

Analyzes repo to recommend Claude Code settings.json permissions. Detects tech stacks, build tools, monorepos, services; suggests read-only bash commands for new projects or audits.

sentry-skills

project-health

689

Sets up Claude Code projects with config files and audits existing ones for permissions, context quality, MCP coverage, leaked secrets, stale docs, and cruft. Uses sub-agents for analysis.

5 files

dev-tools

settings-configuration

Explains Claude Code settings hierarchy, permission wildcards, allow/deny patterns, and tool configurations. Use for setting up project permissions, debugging access issues, or understanding tool blocks.

7 tools

health-plugin

Stats

Stars36383

Forks5961

Last CommitApr 13, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Claude Settings Audit

Analyze this repository and generate recommended Claude Code settings.json permissions for read-only commands.

When to Use

You are setting up or auditing Claude Code settings.json permissions for a repository.
You need to infer a safe read-only allow list from the repo's tech stack, tooling, and monorepo structure.
You want to review or replace an existing Claude permissions baseline with something evidence-based.

Phase 1: Detect Tech Stack

Run these commands to detect the repository structure:

ls -la
find . -maxdepth 2 \( -name "*.toml" -o -name "*.json" -o -name "*.lock" -o -name "*.yaml" -o -name "*.yml" -o -name "Makefile" -o -name "Dockerfile" -o -name "*.tf" \) 2>/dev/null | head -50

Check for these indicator files:

Category	Files to Check
Python	`pyproject.toml`, `setup.py`, `requirements.txt`, `Pipfile`, `poetry.lock`, `uv.lock`
Node.js	`package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
Go	`go.mod`, `go.sum`
Rust	`Cargo.toml`, `Cargo.lock`
Ruby	`Gemfile`, `Gemfile.lock`
Java	`pom.xml`, `build.gradle`, `build.gradle.kts`
Build	`Makefile`, `Dockerfile`, `docker-compose.yml`
Infra	`*.tf` files, `kubernetes/`, `helm/`
Monorepo	`lerna.json`, `nx.json`, `turbo.json`, `pnpm-workspace.yaml`

Phase 2: Detect Services

Check for service integrations:

Service	Detection
Sentry	`sentry-sdk` in deps, `@sentry/*` packages, `.sentryclirc`, `sentry.properties`
Linear	Linear config files, `.linear/` directory

Read dependency files to identify frameworks:

package.json → check dependencies and devDependencies
pyproject.toml → check [project.dependencies] or [tool.poetry.dependencies]
Gemfile → check gem names
Cargo.toml → check [dependencies]

Phase 3: Check Existing Settings

cat .claude/settings.json 2>/dev/null || echo "No existing settings"

Phase 4: Generate Recommendations

Build the allow list by combining:

Baseline Commands (Always Include)

[
  "Bash(ls:*)",
  "Bash(pwd:*)",
  "Bash(find:*)",
  "Bash(file:*)",
  "Bash(stat:*)",
  "Bash(wc:*)",
  "Bash(head:*)",
  "Bash(tail:*)",
  "Bash(cat:*)",
  "Bash(tree:*)",
  "Bash(git status:*)",
  "Bash(git log:*)",
  "Bash(git diff:*)",
  "Bash(git show:*)",
  "Bash(git branch:*)",
  "Bash(git remote:*)",
  "Bash(git tag:*)",
  "Bash(git stash list:*)",
  "Bash(git rev-parse:*)",
  "Bash(gh pr view:*)",
  "Bash(gh pr list:*)",
  "Bash(gh pr checks:*)",
  "Bash(gh pr diff:*)",
  "Bash(gh issue view:*)",
  "Bash(gh issue list:*)",
  "Bash(gh run view:*)",
  "Bash(gh run list:*)",
  "Bash(gh run logs:*)",
  "Bash(gh repo view:*)",
  "Bash(gh api:*)"
]

Stack-Specific Commands

Only include commands for tools actually detected in the project.

Python (if any Python files or config detected)

If Detected	Add These Commands
Any Python	`python --version`, `python3 --version`
`poetry.lock`	`poetry show`, `poetry env info`
`uv.lock`	`uv pip list`, `uv tree`
`Pipfile.lock`	`pipenv graph`
`requirements.txt` (no other lock)	`pip list`, `pip show`, `pip freeze`

Node.js (if package.json detected)

If Detected	Add These Commands
Any Node.js	`node --version`
`pnpm-lock.yaml`	`pnpm list`, `pnpm why`
`yarn.lock`	`yarn list`, `yarn info`, `yarn why`
`package-lock.json`	`npm list`, `npm view`, `npm outdated`
TypeScript (`tsconfig.json`)	`tsc --version`

Other Languages

If Detected	Add These Commands
`go.mod`	`go version`, `go list`, `go mod graph`, `go env`
`Cargo.toml`	`rustc --version`, `cargo --version`, `cargo tree`, `cargo metadata`
`Gemfile`	`ruby --version`, `bundle list`, `bundle show`
`pom.xml`	`java --version`, `mvn --version`, `mvn dependency:tree`
`build.gradle`	`java --version`, `gradle --version`, `gradle dependencies`

Build Tools

If Detected	Add These Commands
`Dockerfile`	`docker --version`, `docker ps`, `docker images`
`docker-compose.yml`	`docker-compose ps`, `docker-compose config`
`*.tf` files	`terraform --version`, `terraform providers`, `terraform state list`
`Makefile`	`make --version`, `make -n`

Skills (for Sentry Projects)

If this is a Sentry project (or sentry-skills plugin is installed), include:

[
  "Skill(sentry-skills:agents-md)",
  "Skill(sentry-skills:blog-writing-guide)",
  "Skill(sentry-skills:brand-guidelines)",
  "Skill(sentry-skills:claude-settings-audit)",
  "Skill(sentry-skills:code-review)",
  "Skill(sentry-skills:code-simplifier)",
  "Skill(sentry-skills:commit)",
  "Skill(sentry-skills:create-branch)",
  "Skill(sentry-skills:create-pr)",
  "Skill(sentry-skills:django-access-review)",
  "Skill(sentry-skills:django-perf-review)",
  "Skill(sentry-skills:doc-coauthoring)",
  "Skill(sentry-skills:find-bugs)",
  "Skill(sentry-skills:gh-review-requests)",
  "Skill(sentry-skills:gha-security-review)",
  "Skill(sentry-skills:iterate-pr)",
  "Skill(sentry-skills:pr-writer)",
  "Skill(sentry-skills:security-review)",
  "Skill(sentry-skills:skill-creator)",
  "Skill(sentry-skills:skill-scanner)",
  "Skill(sentry-skills:skill-writer)",
  "Skill(sentry-skills:sred-project-organizer)",
  "Skill(sentry-skills:sred-work-summary)"
]

WebFetch Domains

Always Include (Sentry Projects)

[
  "WebFetch(domain:docs.sentry.io)",
  "WebFetch(domain:develop.sentry.dev)",
  "WebFetch(domain:docs.github.com)",
  "WebFetch(domain:cli.github.com)"
]

Framework-Specific

If Detected	Add Domains
Django	`docs.djangoproject.com`
Flask	`flask.palletsprojects.com`
FastAPI	`fastapi.tiangolo.com`
React	`react.dev`
Next.js	`nextjs.org`
Vue	`vuejs.org`
Express	`expressjs.com`
Rails	`guides.rubyonrails.org`, `api.rubyonrails.org`
Go	`pkg.go.dev`
Rust	`docs.rs`, `doc.rust-lang.org`
Docker	`docs.docker.com`
Kubernetes	`kubernetes.io`
Terraform	`registry.terraform.io`

MCP Server Suggestions

MCP servers are configured in .mcp.json (not settings.json). Check for existing config:

cat .mcp.json 2>/dev/null || echo "No existing .mcp.json"

Sentry MCP (if Sentry SDK detected)

Add to .mcp.json (replace {org-slug} and {project-slug} with your Sentry organization and project slugs):

{
  "mcpServers": {
    "sentry": {
      "type": "http",
      "url": "https://mcp.sentry.dev/mcp/{org-slug}/{project-slug}"
    }
  }
}

Linear MCP (if Linear usage detected)

Add to .mcp.json:

{
  "mcpServers": {
    "linear": {
      "command": "npx",
      "args": ["-y", "@linear/mcp-server"],
      "env": {
        "LINEAR_API_KEY": "${LINEAR_API_KEY}"
      }
    }
  }
}

Note: Never suggest GitHub MCP. Always use gh CLI commands for GitHub.

Output Format

Present your findings as:

Summary Table - What was detected
Recommended settings.json - Complete JSON ready to copy
MCP Suggestions - If applicable
Merge Instructions - If existing settings found

Example output structure:

## Detected Tech Stack

| Category        | Found          |
| --------------- | -------------- |
| Languages       | Python 3.x     |
| Package Manager | poetry         |
| Frameworks      | Django, Celery |
| Services        | Sentry         |
| Build Tools     | Docker, Make   |

## Recommended .claude/settings.json

\`\`\`json
{
"permissions": {
"allow": [
// ... grouped by category with comments
],
"deny": []
}
}
\`\`\`

## Recommended .mcp.json (if applicable)

If you use Sentry or Linear, add the MCP config to `.mcp.json`...

Important Rules

What to Include

Only READ-ONLY commands that cannot modify state
Only tools that are actually used by the project (detected via lock files)
Standard system commands (ls, cat, find, etc.)
The :* suffix allows any arguments to the base command

What to NEVER Include

Absolute paths - Never include user-specific paths like /home/user/scripts/foo or /Users/name/bin/bar
Custom scripts - Never include project scripts that may have side effects (e.g., ./scripts/deploy.sh)
Alternative package managers - If the project uses pnpm, do NOT include npm/yarn commands
Commands that modify state - No install, build, run, write, or delete commands

Package Manager Rules

Only include the package manager actually used by the project:

If Detected	Include	Do NOT Include
`pnpm-lock.yaml`	pnpm commands	npm, yarn
`yarn.lock`	yarn commands	npm, pnpm
`package-lock.json`	npm commands	yarn, pnpm
`poetry.lock`	poetry commands	pip (unless also has requirements.txt)
`uv.lock`	uv commands	pip, poetry
`Pipfile.lock`	pipenv commands	pip, poetry

If multiple lock files exist, include only the commands for each detected manager.

Limitations

Use this skill only when the task clearly matches the scope described above.
Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.