
Rule Reference


Claude settings: shared pnpm dlx Bash permissions

Claude settings permissions allow `Bash(pnpm dlx ...)` in a shared committed config

Provider: lintai-ai-security
Surface: claude_settings
Scope: per_file
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State: stable_gated

Graduation rationale

Checks shared committed Claude settings for exact `Bash(pnpm dlx ...)` mutable package-runner authority.

Deterministic signal basis

ClaudeSettingsSignals exact permission detection for `Bash(pnpm dlx ...)` entries inside permissions.allow.

Malicious corpus: claude-settings-mutable-runner-permissions
Benign corpus: claude-settings-package-runner-specific-safe

structured evidence required remediation reviewed
Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC489 / CLAUDE-PNPM-DLX-PERMISSION

SEC489 flags shared Claude settings when permissions.allow grants Bash(pnpm dlx ...).

Why It Matters

pnpm dlx executes packages without requiring a checked-in wrapper or reviewed installation path. In shared Claude settings, that creates a mutable package-runner trust boundary for the whole team.

Trigger Shape

The rule triggers only when all of these are true:

  • the file is a detected Claude settings surface
  • the path is not fixture-like
  • permissions.allow contains a string that starts with Bash(pnpm dlx

Clean Cases

These stay clean:

  • narrower non-dlx commands such as Bash(pnpm install)
  • settings without Bash(pnpm dlx ...)
  • fixture-like examples under test or fixture paths

Example Trigger

```json
{
  "permissions": {
    "allow": ["Bash(pnpm dlx cowsay:*)", "Read(*)"]
  }
}
```

Safer Example

```json
{
  "permissions": {
    "allow": ["Bash(pnpm install)", "Read(*)"]
  }
}
```
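The trigger shape and clean cases above, implemented as a small stand-alone checker. This is an added example, not lintai's own code or its ClaudeSettingsSignals detector; the settings-surface and fixture-path heuristics are assumptions chosen for the demonstration, and the two settings documents are constructed from the examples on this page.

```python
import json
from pathlib import PurePosixPath

# Constructed inputs mirroring the Example Trigger and Safer Example above.
TRIGGER_SETTINGS = '{"permissions": {"allow": ["Bash(pnpm dlx cowsay:*)", "Read(*)"]}}'
SAFE_SETTINGS = '{"permissions": {"allow": ["Bash(pnpm install)", "Read(*)"]}}'

# Assumed heuristics (not the real rule's surface detection): the shared,
# committed Claude settings file is .claude/settings.json, and any path
# segment below is treated as fixture-like.
SHARED_SETTINGS_NAME = "settings.json"
FIXTURE_PARTS = {"test", "tests", "fixture", "fixtures", "__fixtures__"}


def is_claude_settings_surface(path: str) -> bool:
    """Gate 1: the file is a detected (shared) Claude settings surface."""
    p = PurePosixPath(path)
    return p.name == SHARED_SETTINGS_NAME and ".claude" in p.parts


def is_fixture_like(path: str) -> bool:
    """Gate 2: examples under test or fixture paths stay clean."""
    return any(part.lower() in FIXTURE_PARTS for part in PurePosixPath(path).parts)


def find_pnpm_dlx_allows(settings_text: str) -> list[str]:
    """Gate 3: permissions.allow strings that start with 'Bash(pnpm dlx'."""
    try:
        doc = json.loads(settings_text)
    except json.JSONDecodeError:
        return []
    if not isinstance(doc, dict):
        return []
    allow = doc.get("permissions", {}).get("allow", [])
    if not isinstance(allow, list):
        return []
    return [e for e in allow if isinstance(e, str) and e.startswith("Bash(pnpm dlx")]


def check_sec489(path: str, settings_text: str) -> list[dict]:
    """One warn finding per matching entry, emitted only when all gates hold."""
    if not is_claude_settings_surface(path) or is_fixture_like(path):
        return []
    return [{"rule": "SEC489", "severity": "warn", "path": path, "entry": e}
            for e in find_pnpm_dlx_allows(settings_text)]
```

Running `check_sec489(".claude/settings.json", TRIGGER_SETTINGS)` yields one finding for `Bash(pnpm dlx cowsay:*)`, while the safer example and the same trigger document under a `tests/fixtures/` path yield none.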

How To Fix

Replace shared Bash(pnpm dlx ...) permissions with a pinned wrapper or a narrower reviewed command permission that does not grant mutable package execution by default.