Rule Reference

SEC405lintai-ai-securitystableclaude_settingswarn

Claude settings: shared package install permissions

Claude settings permissions allow package installation commands in a shared committed config

Provider: lintai-ai-security
Surface: claude_settings
Scope: per_file
Tier: stable
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

previewmembership

claudemembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks shared Claude settings permissions for broad package installation authority.

Deterministic signal basis

ClaudeSettingsSignals exact string-family detection for package installation permissions such as `Bash(pip install)` or `Bash(npm install)` inside permissions.allow on parsed Claude settings JSON.

Malicious corpus

claude-settings-package-install-permission

Benign corpus

claude-settings-bash-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC362Claude settings: wildcard Bash permissionsClaude settings permissions allow `Bash(*)` in a shared committed configclaude_settingsstable

SEC364Claude settings: bypassPermissions default modeClaude settings set `permissions.defaultMode` to `bypassPermissions` in a shared committed configclaude_settingsstable

SEC367Claude settings: wildcard WebFetch permissionsClaude settings permissions allow `WebFetch(*)` in a shared committed configclaude_settingsstable

SEC369Claude settings: wildcard Write permissionsClaude settings permissions allow `Write(*)` in a shared committed configclaude_settingsstable

SEC372Claude settings: wildcard Read permissionsClaude settings permissions allow `Read(*)` in a shared committed configclaude_settingsstable

SEC373Claude settings: wildcard Edit permissionsClaude settings permissions allow `Edit(*)` in a shared committed configclaude_settingsstable

SEC405 / CLAUDE-PACKAGE-INSTALL-PERMISSION

SEC405 flags shared Claude settings when permissions.allow grants direct package installation commands.

Why It Matters

Package installation is a supply-chain mutation step. Granting it directly in shared Claude settings makes dependency installation authority part of the default team policy, which is harder to review and easier to cargo-cult than a narrower reviewed workflow.

Trigger Shape

The rule triggers only when all of these are true:

the file is a detected Claude settings surface
the path is not fixture-like
permissions.allow contains one of these exact tokens:
- Bash(pip install)
- Bash(pip3 install)
- Bash(python -m pip install)
- Bash(yarn install)
- Bash(npm install)
- Bash(pnpm install)
- Bash(bun install)

Clean Cases

These stay clean:

test or lint commands such as Bash(yarn test:*)
settings files that do not grant package installation at all
fixture-like examples under test or fixture paths

Example Trigger

json

{
  "permissions": {
    "allow": ["Bash(pip install)", "Read(*)"]
  }
}

Safer Example

json

{
  "permissions": {
    "allow": ["Bash(yarn test:*)", "Read(*)"]
  }
}

How To Fix

Remove shared package installation permissions or replace them with a narrower reviewed workflow that does not grant blanket package-manager installs in default team config.

Claude settings: shared package install permissions

Preset Membership

Stable Lifecycle Contract

Related Rules

SEC405 / CLAUDE-PACKAGE-INSTALL-PERMISSION ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​