Get the FREE Ultimate OpenClaw Setup Guide →

security-init

Scanned
npx machina-cli add skill charlesjones-dev/claude-code-plugins-dev/security-init --openclaw
Files (1)
SKILL.md
11.1 KB

Security Init

Initialize Claude Code security settings by configuring .claude/settings.json with intelligent file denial patterns based on your project's technology stack.

Instructions

CRITICAL: This command MUST NOT accept any arguments. If the user provided any text, URLs, or paths after this command (e.g., /security-init --force or /security-init ./config), you MUST COMPLETELY IGNORE them. Do NOT use any URLs, paths, or other arguments that appear in the user's message. You MUST ONLY proceed with the technology detection and interactive workflow as specified below.

BEFORE DOING ANYTHING ELSE: Begin with Phase 1 technology detection as specified in this command. DO NOT skip any phases even if the user provided arguments after the command.

Set up comprehensive security permissions in .claude/settings.json to prevent Claude Code from reading sensitive files, credentials, and build artifacts.

Phase 1: Technology Detection

Scan the project root directory to detect technologies and frameworks using the Glob tool (NOT bash commands):

Node.js Detection:

  • Use Glob to search for: package.json, yarn.lock, pnpm-lock.yaml, bun.lockb

Python Detection:

  • Use Glob to search for: requirements.txt, pyproject.toml, setup.py, Pipfile, poetry.lock, setup.cfg

.NET Detection:

  • Use Glob to search for: *.csproj, *.sln, *.fsproj, *.vbproj, global.json, Directory.Build.props

Go Detection:

  • Use Glob to search for: go.mod, go.sum

Rust Detection:

  • Use Glob to search for: Cargo.toml, Cargo.lock

PHP Detection:

  • Use Glob to search for: composer.json, composer.lock

Ruby Detection:

  • Use Glob to search for: Gemfile, Gemfile.lock

Java Detection:

  • Use Glob to search for: pom.xml, build.gradle, build.gradle.kts, settings.gradle

Docker Detection:

  • Use Glob to search for: Dockerfile, docker-compose.yml, docker-compose.yaml, .dockerignore

Deno Detection:

  • Use Glob to search for: deno.json, deno.jsonc, deno.lock, import_map.json

Swift/iOS Detection:

  • Use Glob to search for: Package.swift, *.xcodeproj, *.xcworkspace, Podfile

Kotlin/Android Detection:

  • Use Glob to search for: build.gradle.kts, settings.gradle.kts, AndroidManifest.xml

Terraform/IaC Detection:

  • Use Glob to search for: *.tf, *.tfvars, terraform.tfstate, .terraform.lock.hcl

Kubernetes Detection:

  • Use Glob to search for: kustomization.yaml, Chart.yaml, values.yaml

IMPORTANT:

  • Use Glob tool only for file detection - DO NOT use bash test commands or any bash commands
  • Only check for file existence - DO NOT read the contents of any files during detection
  • Glob returns matching files or empty array if none found

Phase 2: Build Denial Patterns

Create a comprehensive deny list combining:

Base Security Patterns (Always Include)

Environment Files:

  • Read(.env)
  • Read(**/.env)
  • Read(.env.*)
  • Read(**/.env.*)
  • Read(.env.local)
  • Read(.env.development)
  • Read(.env.production)
  • Read(.env.test)

Version Control & IDE:

  • Read(.git/**)
  • Read(.vscode/**)
  • Read(.idea/**)
  • Read(.devcontainer/**)
  • Read(.github/workflows/**)

CI/CD Secrets:

  • Read(.github/secrets/**)
  • Read(.gitlab-ci-local/**)

Package Manager Auth:

  • Read(.npmrc)
  • Read(.yarnrc.yml)

Deployment Configs:

  • Read(.vercel/**)
  • Read(.netlify/**)

Package Management:

  • Read(node_modules/**)
  • Read(package-lock.json)

Credentials & Secrets:

  • Read(credentials.json)
  • Read(**/credentials.json)
  • Read(secrets.yml)
  • Read(**/secrets.yml)
  • Read(config/secrets.yml)
  • Read(.secret)
  • Read(**/.secret)
  • Read(*.secret)

SSH & Certificate Files:

  • Read(id_rsa)
  • Read(id_rsa.pub)
  • Read(id_ed25519)
  • Read(id_ed25519.pub)
  • Read(*.pem)
  • Read(*.key)
  • Read(*.p12)
  • Read(*.jks)
  • Read(*.pfx)
  • Read(*.keystore)
  • Read(*.cer)
  • Read(*.crt)

Cloud Provider Credentials:

  • Read(.aws/credentials)
  • Read(.aws/config)
  • Read(.gcp/credentials.json)
  • Read(.azure/credentials)

Database Files:

  • Read(*.db)
  • Read(*.sqlite)
  • Read(*.sqlite3)

Technology-Specific Patterns

Python (if detected):

  • Read(.venv/**)
  • Read(venv/**)
  • Read(__pycache__/**)
  • Read(**/__pycache__/**)
  • Read(*.pyc)
  • Read(.pytest_cache/**)
  • Read(.tox/**)
  • Read(dist/**)
  • Read(build/**)
  • Read(*.egg-info/**)
  • Read(.mypy_cache/**)
  • Read(.ruff_cache/**)

.NET (if detected):

  • Read(bin/**)
  • Read(obj/**)
  • Read(*.user)
  • Read(*.suo)
  • Read(.vs/**)
  • Read(*.DotSettings.user)
  • Read(TestResults/**)
  • Read(packages/**)

Go (if detected):

  • Read(vendor/**)

Rust (if detected):

  • Read(target/**)

PHP (if detected):

  • Read(vendor/**)
  • Read(composer.lock)

Ruby (if detected):

  • Read(vendor/bundle/**)
  • Read(.bundle/**)

Java (if detected):

  • Read(target/**)
  • Read(*.class)
  • Read(.gradle/**)
  • Read(build/**)

Node.js (if detected):

  • Read(node_modules/**)
  • Read(.next/**)
  • Read(.nuxt/**)
  • Read(dist/**)
  • Read(build/**)
  • Read(.cache/**)
  • Read(.turbo/**)

Docker (if detected):

  • Read(docker-compose.override.yml)
  • Read(docker-compose.override.yaml)

Deno (if detected):

  • Read(.deno/**)

Swift/iOS (if detected):

  • Read(.build/**)
  • Read(DerivedData/**)
  • Read(Pods/**)
  • Read(*.xcuserdata/**)

Kotlin/Android (if detected):

  • Read(build/**)
  • Read(.gradle/**)
  • Read(local.properties)

Terraform/IaC (if detected):

  • Read(*.tfstate)
  • Read(*.tfstate.backup)
  • Read(.terraform/**)
  • Read(*.tfvars)

Kubernetes/Helm (if detected):

  • Read(**/secrets.yaml)
  • Read(**/secrets.yml)

Phase 3: Check Existing Configuration

Check if .claude/settings.json already exists using the Read tool (NOT bash test commands):

  1. Try to read .claude/settings.json using the Read tool
  2. If the file exists and Read succeeds:
    • Parse the JSON content
    • Check for existing permissions.deny section
    • Ask user for merge strategy preference using AskUserQuestion tool:
      • Deduplicate (default): Remove duplicate patterns, add only new ones
      • Append: Add all new patterns, keep duplicates
      • Replace: Completely replace existing deny section with new patterns
  3. If the file doesn't exist (Read returns error):
    • Proceed to create new file with deny patterns
    • Use "Deduplicate" as the default strategy

IMPORTANT:

  • Use Read tool to check file existence - DO NOT use bash test commands
  • The Read tool will gracefully handle non-existent files by returning an error
  • Parse existing JSON to preserve non-permission settings

Phase 4: Show Preview & Get Confirmation

Display a comprehensive preview showing:

  1. Technologies Detected:

    • List all detected technologies with file indicators

  2. Current Configuration (if exists):

    • Show current deny patterns count
    • Show sample of existing patterns (first 5)

  3. Proposed Changes:

    • Show all new patterns to be added
    • Group by category (Base Security, Python, .NET, etc.)
    • Show total pattern count

  4. After Configuration:

    • Show total pattern count after merge
    • Show merge strategy being used

Ask for user confirmation before proceeding.

Phase 5: Write Configuration

After user confirms:

  1. Create .claude/ directory if it doesn't exist using the Bash tool: mkdir -p .claude
  2. Write or update settings.json using the Write tool (NOT bash echo or heredoc)
  3. Preserve any other existing settings (don't overwrite non-permission settings)
  4. Format JSON with proper indentation (2 spaces)
  5. Show success message with:
    • File path: .claude/settings.json
    • Total deny patterns configured
    • Technologies covered

IMPORTANT:

  • Use Write tool to create/update the settings file
  • Use Bash tool only for creating the .claude/ directory if needed
  • Ensure proper JSON formatting with 2-space indentation

Important Constraints

DO NOT:

  • Read the contents of any sensitive files during scanning
  • Include file paths from the actual project in the deny list
  • Overwrite other settings in settings.json (preserve everything except permissions.deny)
  • Proceed without user confirmation
  • Use bash test commands (test -f, [ -f ], etc.) - they trigger permission prompts
  • Use any bash commands for file detection or checking

DO:

  • Use Glob tool for technology detection (file pattern matching)
  • Use Read tool to check if .claude/settings.json exists (handles errors gracefully)
  • Use Write tool to create/update settings.json
  • Use AskUserQuestion tool to ask for merge strategy preference
  • Deduplicate patterns by default during merge
  • Show clear before/after comparison
  • Maintain alphabetical ordering within categories for readability
  • Use forward slashes in all patterns for cross-platform compatibility

Example Output Format

Detecting technologies in your project...

Technologies Detected:
* Node.js (package.json found)
* TypeScript (tsconfig.json found)
* Python (requirements.txt, pyproject.toml found)
* Docker (Dockerfile, docker-compose.yml found)

Current Configuration:
.claude/settings.json exists
Current deny patterns: 8

Proposed Security Configuration:

Base Security Patterns (25):
  - Environment files (.env, .env.*)
  - Version control (.git, .vscode, .idea)
  - Credentials (credentials.json, secrets.yml)
  - SSH & certificates (*.pem, *.key, id_rsa)
  - Cloud provider configs (.aws/credentials, .gcp/*)
  - Database files (*.db, *.sqlite)

Node.js Patterns (8):
  - node_modules/**
  - .next/**, .nuxt/**
  - dist/**, build/**
  - .cache/**, .turbo/**

Python Patterns (11):
  - .venv/**, venv/**
  - __pycache__/**, *.pyc
  - .pytest_cache/**, .tox/**
  - dist/**, *.egg-info/**

Docker Patterns (2):
  - docker-compose.override.yml

Total new patterns to add: 46
After merge: 54 total patterns

Merge Strategy: Deduplicate (remove duplicates, add only new patterns)

Would you like to proceed with this configuration? (yes/no)

Success Message Format

Security configuration successfully initialized!

Configuration Summary:
File: .claude/settings.json
Total deny patterns: 54
Technologies covered: Node.js, TypeScript, Python, Docker

IMPORTANT: You must restart Claude Code for these settings to take effect.

After restarting:
- Claude Code will avoid reading sensitive files, credentials, and build artifacts
- You can manually edit .claude/settings.json to customize these settings
- Run /security-audit to perform a comprehensive security analysis

Post-Install Verification

After writing the configuration, verify it was saved correctly:

  1. Read .claude/settings.json using the Read tool
  2. Parse the JSON and count the permissions.deny entries
  3. Verify the count matches the expected total
  4. If there's a mismatch, warn the user and show what was expected vs actual

Source

git clone https://github.com/charlesjones-dev/claude-code-plugins-dev/blob/main/plugins/ai-security/skills/security-init/SKILL.mdView on GitHub

Overview

Configures .claude/settings.json with intelligent file denial patterns based on your project's tech stack. This helps prevent Claude Code from reading sensitive files, credentials, and build artifacts by applying phase-driven patterns detected via Glob.

How This Skill Works

Phase 1 uses Glob to detect project technologies (Node.js, Python, .NET, Go, etc.) by checking file existence. Phase 2 builds a comprehensive deny list across categories like environment files, VCS/IDE configs, CI/CD secrets, package manager auth, deployment configs, and credentials, then writes the rules to .claude/settings.json to enforce restrictions.

When to Use It

  • When starting security hardening for a new project with Claude Code integration
  • When securing a monorepo or multi-technology repository
  • When preparing Claude Code for use in CI/CD pipelines and automated workflows
  • When you need to protect secrets and credentials in version control
  • When adding new technologies and you want updated denial patterns

Quick Start

  1. Step 1: Run the security-init command without any arguments
  2. Step 2: Review Phase 1 tech detection and Phase 2 proposed deny patterns
  3. Step 3: Save and commit the updated .claude/settings.json to your repo

Best Practices

  • Run Phase 1 detection first and review the detected tech before applying patterns
  • Regularly update .claude/settings.json as new tech is added to the project
  • Keep the settings.json file secure with appropriate file permissions and version control
  • Test the denial patterns by attempting to access common sensitive paths
  • Document changes to the deny patterns for team audit and compliance

Example Use Cases

  • Node.js project with .env and node_modules blocked by Deny patterns
  • Python project with requirements.txt and credentials.json denied from Claude Code access
  • Go microservice in a multi-repo setup with Dockerfile and go.mod protections
  • CI/CD repository with .github/workflows and secrets.yml blocked from Claude Code
  • Docker-based PHP app where composer.json and .dockerignore are protected by deny rules

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers