Rule Reference

SEC405lintai-ai-securitygovernancehardeningstableclaude_settingswarn

Claude settings: shared package install permissions

Claude settings permissions allow package installation commands in a shared committed config

Public lane: governance
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: claude_settings
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

governancesidecar lane

claudesurface preset

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks shared Claude settings permissions for broad package installation authority.

Deterministic signal basis

ClaudeSettingsSignals exact string-family detection for package installation permissions such as `Bash(pip install)` or `Bash(npm install)` inside permissions.allow on parsed Claude settings JSON.

Malicious corpus

claude-settings-package-install-permission

Benign corpus

claude-settings-bash-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC362Claude settings: wildcard Bash permissionsClaude settings permissions allow `Bash(*)` in a shared committed configgovernancehardeningclaude_settings

SEC364Claude settings: bypassPermissions default modeClaude settings set `permissions.defaultMode` to `bypassPermissions` in a shared committed configgovernancehardeningclaude_settings

SEC367Claude settings: wildcard WebFetch permissionsClaude settings permissions allow `WebFetch(*)` in a shared committed configgovernancehardeningclaude_settings

SEC369Claude settings: wildcard Write permissionsClaude settings permissions allow `Write(*)` in a shared committed configgovernancehardeningclaude_settings

SEC372Claude settings: wildcard Read permissionsClaude settings permissions allow `Read(*)` in a shared committed configgovernancehardeningclaude_settings

SEC373Claude settings: wildcard Edit permissionsClaude settings permissions allow `Edit(*)` in a shared committed configgovernancehardeningclaude_settings

SEC405 / CLAUDE-PACKAGE-INSTALL-PERMISSION

SEC405 flags shared Claude settings when permissions.allow grants direct package installation commands.

Why It Matters

Package installation is a supply-chain mutation step. Granting it directly in shared Claude settings makes dependency installation authority part of the default team policy, which is harder to review and easier to cargo-cult than a narrower reviewed workflow.

Trigger Shape

The rule triggers only when all of these are true:

the file is a detected Claude settings surface
the path is not fixture-like
permissions.allow contains one of these exact tokens:
- Bash(pip install)
- Bash(pip3 install)
- Bash(python -m pip install)
- Bash(yarn install)
- Bash(npm install)
- Bash(pnpm install)
- Bash(bun install)

Clean Cases

These stay clean:

test or lint commands such as Bash(yarn test:*)
settings files that do not grant package installation at all
fixture-like examples under test or fixture paths

Example Trigger

json

{
  "permissions": {
    "allow": ["Bash(pip install)", "Read(*)"]
  }
}

Safer Example

json

{
  "permissions": {
    "allow": ["Bash(yarn test:*)", "Read(*)"]
  }
}

How To Fix

Remove shared package installation permissions or replace them with a narrower reviewed workflow that does not grant blanket package-manager installs in default team config.

Claude settings: shared package install permissions

Preset Activation

Stable Lifecycle Contract

Related Rules

SEC405 / CLAUDE-PACKAGE-INSTALL-PERMISSION ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​