
permission-patterns

npx machina-cli add skill JacobPEvans/ai-assistant-instructions/permission-patterns --openclaw

Permission Patterns


Unified patterns for permission safety classification and deduplication. Use these rules to evaluate permissions consistently.

Safety Classification

Classification rules for evaluating permission safety. Use these criteria to categorize permissions consistently.

Classification Rules

ALLOW - Read-Only and Safe Operations

Keywords: list, ls, show, info, view, get, describe, inspect, status, doctor, ping, check, --version, --help

Safe domains: github.com, docker.com, kubernetes.io, python.org, npmjs.com, official documentation sites

ASK - Modifications and Risky Operations

Keywords: update, set, edit, patch, modify, apply, rm, delete, remove, prune, clean, exec, run, eval, push, publish, deploy, kill, stop

Requires user confirmation before execution.

DENY - Irreversible Damage or Security Bypass

Keywords: sudo, chmod 777, dd

File patterns such as: **/.env, **/*_rsa, **/*.key, **/*secret*

Local addresses: localhost, 127.0.0.1, private IP ranges

Decision Criteria

  1. Read-only query + no secrets → ALLOW
  2. Modifies resources + reversible → ASK
  3. Irreversible or security risk → DENY
  4. Uncertain → ASK (conservative default)

Domain Coverage

Claude Code's WebFetch(domain:X) uses exact host matching — subdomains are NOT covered by a root domain entry:

  • github.com does NOT cover api.github.com or docs.github.com — each needs its own entry
  • github.io does NOT cover github.github.io — separate entry required
  • githubusercontent.com and raw.githubusercontent.com are separate entries (different hostnames)
  • localhost is separate from localhost:3000 (ports are distinct)

Each hostname that needs to be fetched must be listed explicitly.

Local/private addresses always DENY:

  • localhost, 127.0.0.1, 192.168.x.x, 10.x.x.x ranges
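The classification rules above as a small classifier. This is an added example, not part of the original skill: the function names are hypothetical, and the DENY > ASK > ALLOW precedence when keywords from several classes appear in one command is an assumption. Keywords are matched as whole tokens, so `dd` does not fire on `git add`.

```python
import fnmatch
import ipaddress
import shlex

# Keyword and pattern lists copied from the classification rules above.
ALLOW_WORDS = set("list ls show info view get describe inspect status doctor "
                  "ping check --version --help".split())
ASK_WORDS = set("update set edit patch modify apply rm delete remove prune clean "
                "exec run eval push publish deploy kill stop".split())
DENY_WORDS = {"sudo", "dd"}
SECRET_GLOBS = ("**/.env", "**/*_rsa", "**/*.key", "**/*secret*")
SAFE_HOSTS = {"github.com", "docker.com", "kubernetes.io", "python.org", "npmjs.com"}


def touches_secret(path):
    """True if a path-like token matches one of the DENY file patterns."""
    rooted = "/" + path.lstrip("/")  # lets a bare ".env" match "**/.env"
    return any(fnmatch.fnmatchcase(rooted, g) for g in SECRET_GLOBS)


def classify_command(command):
    """Classify a shell command as ALLOW, ASK or DENY (assumed precedence: DENY first)."""
    try:
        toks = shlex.split(command)
    except ValueError:
        return "ASK"  # unparseable quoting counts as "uncertain"
    words = set(toks)
    if words & DENY_WORDS or {"chmod", "777"} <= words:
        return "DENY"
    if any(touches_secret(t) for t in toks):
        return "DENY"
    if words & ASK_WORDS:
        return "ASK"
    return "ALLOW" if words & ALLOW_WORDS else "ASK"  # rule 4: uncertain -> ASK


def classify_host(host):
    """Classify a fetch target: local/private is DENY, exact safe host is ALLOW."""
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    if name == "localhost":
        return "DENY"
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private):
        return "DENY"
    return "ALLOW" if host in SAFE_HOSTS else "ASK"
```

A subdomain such as api.github.com comes back as ASK rather than ALLOW because the safe-host check is an exact match, mirroring the WebFetch behaviour described above.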

Pattern Deduplication

Rules for detecting when a specific permission is already covered by a broader existing pattern.

Coverage Rules

WebFetch Domains

Each hostname must be listed exactly — there is no wildcard or subdomain coverage. Ports are also distinct:

  • localhost does NOT cover localhost:3000

File Paths

Broader wildcards cover more specific patterns:

  • Read(**) covers any Read permission
  • Glob(**/*) covers Glob(**/*.js), Glob(**/package.json)
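The coverage rules above as a deduplication pass. This is an added example, not the skill's own code: `parse`, `covers` and `still_needed` are hypothetical names, and treating both `**` and `**/*` as universal for every file tool is an assumption. Any glob relationship beyond exact match or a universal wildcard is reported as not covered, which errs toward keeping an entry.

```python
import re

PERM_RE = re.compile(r"^(\w+)\((.*)\)$")
UNIVERSAL = {"**", "**/*"}  # the broad wildcards named in the coverage rules


def parse(perm):
    """Split 'Tool(arg)' into (tool, arg); raise on anything else."""
    m = PERM_RE.match(perm.strip())
    if not m:
        raise ValueError(f"not a Tool(arg) permission: {perm!r}")
    return m.group(1), m.group(2)


def covers(broad, narrow):
    """True if permission `broad` already grants everything `narrow` asks for."""
    (b_tool, b_arg), (n_tool, n_arg) = parse(broad), parse(narrow)
    if b_tool != n_tool:
        return False
    if b_arg == n_arg:
        return True
    if b_tool == "WebFetch":
        return False  # exact host only: no subdomain, wildcard or port coverage
    return b_arg in UNIVERSAL  # other glob subsumption is not attempted


def still_needed(existing, candidates):
    """Return the candidates not covered by `existing` or by a broader candidate."""
    kept = []
    # Universal wildcards first, so narrower candidates are checked against them.
    for cand in sorted(candidates, key=lambda c: parse(c)[1] not in UNIVERSAL):
        if not any(covers(p, cand) for p in list(existing) + kept):
            kept.append(cand)
    return kept


# Constructed sample input.
EXISTING = ["WebFetch(domain:github.com)", "Read(**)"]
CANDIDATES = [
    "WebFetch(domain:api.github.com)", "WebFetch(domain:github.com)",
    "Read(src/main.py)", "Glob(**/*.js)", "Glob(**/*)", "Glob(**/package.json)",
]
```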

Hostname Recommendations

Since WebFetch uses exact host matching, list each hostname explicitly. When multiple hostnames share a common vendor, add all needed hostnames individually rather than assuming a root domain covers them.

Related Permission Suggestions

When discovering a safe permission, suggest related safe commands in the same family:

  • docker volume ls → suggest docker volume inspect
  • aws s3 ls → suggest aws s3 sync --dryrun
  • npm list → suggest npm outdated, npm audit

Commands Using This Skill

  • permissions-analyzer agent - Uses classification and deduplication to filter permissions during discovery
  • /sync-permissions command - Indirectly uses this skill through the permissions-analyzer agent

Source

git clone https://github.com/JacobPEvans/ai-assistant-instructions/blob/main/agentsmd/skills/permission-patterns/SKILL.md

Overview

Permission Patterns provides a unified framework to classify tool permissions into ALLOW, ASK, or DENY based on keywords, domains, and risk. It also defines deduplication rules to ensure permissions are managed consistently, avoiding overlap across explicit hostnames and file paths.

How This Skill Works

Classification uses keyword cues and domain checks to categorize permissions: ALLOW for read-only queries; ASK for modifications; DENY for irreversible or risky items. Deduplication uses coverage rules such as Read(**) for broad read permissions and explicit host entries for WebFetch domains; local addresses are always DENY and hostnames must be exact.

When to Use It

  • Auditing and discovering AI tool permissions during onboarding or policy reviews.
  • Before approving changes that modify resources or deploy actions.
  • Deduplicating overlapping permissions across multiple hosts or paths.
  • Assessing dangerous or sensitive permissions like env files or private keys.
  • Aligning permissions with explicit hostnames and avoiding wildcard coverage.

Quick Start

  1. Identify the permission request and its target host, path, or action.
  2. Apply classification rules using keywords and domain checks to assign ALLOW, ASK, or DENY.
  3. Run deduplication by applying coverage rules and listing explicit hostnames; finalize the least-privilege set.

Best Practices

  • Classify read-only permissions as ALLOW when no secrets are exposed.
  • List each hostname explicitly for WebFetch; subdomains are not covered by root domains.
  • Prefer ASK for any operation that could modify resources or affect security.
  • Use narrow patterns instead of broad wildcards unless a broad Read or Glob is truly intended.
  • When discovering a safe permission, suggest related safe commands in the same family.

Example Use Cases

  • A tool requests list on github.com; classified as ALLOW.
  • A tool requests update on a service; requires ASK before execution.
  • A permission includes sudo or secret file patterns like **/.env or **/*.key; DENY.
  • WebFetch entries for api.github.com and docs.github.com are listed separately rather than a single github.com entry.
  • Read(**) is used to cover all Read permissions across resources.
