claude-permissions-optimizer
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: Accesses highly sensitive local files including global configuration (~/.claude/settings.json) and session history transcripts located in the projects directory (~/.claude/projects/).
- [COMMAND_EXECUTION]: Executes a local Node.js script (extract-commands.mjs) to parse history and uses dynamic shell execution (node -e) to validate JSON structure after modifying settings.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection as it processes untrusted data from previous session transcripts to generate recommendations for the agent's security allowlist.
- [PROMPT_INJECTION]: Indirect injection evidence chain:
  - Ingestion points: Session history files (.jsonl) in the ~/.claude/projects/ directory.
  - Boundary markers: No delimiters or boundary markers are used to separate untrusted transcript content during processing.
  - Capability inventory: Modifies the agent's permission allowlist in global and local settings.json files.
  - Sanitization: Implements a multi-tier classification logic (green/yellow/red) in the extraction script to filter commands using whitelists and destructive flag blacklists.