Skill details

claude-settings-audit

Analyze a repository to generate recommended Claude Code settings.json permissions. Use when setting up a new project, auditing existing settings, or determining which read-only bash commands to allow. Detects tech stack, build tools, and monorepo structure.

Source platform: GitHub
Source identifier: sickn33/antigravity-awesome-skills
Source file: original description
Document version: SKILL.md

Quick assessment

Last verified: 2026-05-27
Download copy: ZIP available

Suitable tasks

  • Turn repetitive tasks into reusable AI workflows.
  • Have the AI follow a consistent specification in a specific scenario.
  • Provide reproducible task instructions for team or personal workflows.

Input and output

Input: the task goal, context material, file paths, constraints, or the content to be processed.

Output: documents, code, check results, plans, recommendations, or action steps generated according to the Skill's instructions.

Example tasks

  • Use claude-settings-audit to handle the current task for me, and state which inputs need to be confirmed before running.
  • Based on the claude-settings-audit instructions, give me a checklist of safe usage steps.

Installation

  1. Download the Skill ZIP provided by this site and extract it.
  2. Place the extracted Skill directory into the skills directory supported by your AI tool.
  3. To view the original content online, open the SKILL.md on GitHub.

Online original location: claude-settings-audit/SKILL.md

Risk boundary

Before use, check the permissions, external dependencies, and the kinds of data to be processed. Do not hand passwords, keys, identity information, or sensitive customer data to an unverified Skill.

SKILL.md documentation

Claude Settings Audit

Analyze this repository and generate recommended Claude Code settings.json permissions for read-only commands.

When to Use

  • You are setting up or auditing Claude Code settings.json permissions for a repository.
  • You need to infer a safe read-only allow list from the repo's tech stack, tooling, and monorepo structure.
  • You want to review or replace an existing Claude permissions baseline with something evidence-based.

Phase 1: Detect Tech Stack

Run these commands to detect the repository structure:

ls -la
find . -maxdepth 2 \( -name "*.toml" -o -name "*.json" -o -name "*.lock" -o -name "*.yaml" -o -name "*.yml" -o -name "Makefile" -o -name "Dockerfile" -o -name "*.tf" \) 2>/dev/null | head -50

Check for these indicator files:

| Category | Files to Check |
| -------- | -------------- |
| Python | pyproject.toml, setup.py, requirements.txt, Pipfile, poetry.lock, uv.lock |
| Node.js | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| Go | go.mod, go.sum |
| Rust | Cargo.toml, Cargo.lock |
| Ruby | Gemfile, Gemfile.lock |
| Java | pom.xml, build.gradle, build.gradle.kts |
| Build | Makefile, Dockerfile, docker-compose.yml |
| Infra | *.tf files, kubernetes/, helm/ |
| Monorepo | lerna.json, nx.json, turbo.json, pnpm-workspace.yaml |

Phase 2: Detect Services

Check for service integrations:

| Service | Detection |
| ------- | --------- |
| Sentry | sentry-sdk in deps, @sentry/* packages, .sentryclirc, sentry.properties |
| Linear | Linear config files, .linear/ directory |

Read dependency files to identify frameworks:

  • package.json → check dependencies and devDependencies
  • pyproject.toml → check [project.dependencies] or [tool.poetry.dependencies]
  • Gemfile → check gem names
  • Cargo.toml → check [dependencies]

Phase 3: Check Existing Settings

cat .claude/settings.json 2>/dev/null || echo "No existing settings"

Phase 4: Generate Recommendations

Build the allow list by combining:

Baseline Commands (Always Include)

[
  "Bash(ls:*)",
  "Bash(pwd:*)",
  "Bash(find:*)",
  "Bash(file:*)",
  "Bash(stat:*)",
  "Bash(wc:*)",
  "Bash(head:*)",
  "Bash(tail:*)",
  "Bash(cat:*)",
  "Bash(tree:*)",
  "Bash(git status:*)",
  "Bash(git log:*)",
  "Bash(git diff:*)",
  "Bash(git show:*)",
  "Bash(git branch:*)",
  "Bash(git remote:*)",
  "Bash(git tag:*)",
  "Bash(git stash list:*)",
  "Bash(git rev-parse:*)",
  "Bash(gh pr view:*)",
  "Bash(gh pr list:*)",
  "Bash(gh pr checks:*)",
  "Bash(gh pr diff:*)",
  "Bash(gh issue view:*)",
  "Bash(gh issue list:*)",
  "Bash(gh run view:*)",
  "Bash(gh run list:*)",
  "Bash(gh run logs:*)",
  "Bash(gh repo view:*)",
  "Bash(gh api:*)"
]

Stack-Specific Commands

Only include commands for tools actually detected in the project.

Python (if any Python files or config detected)

| If Detected | Add These Commands |
| ----------- | ------------------ |
| Any Python | python --version, python3 --version |
| poetry.lock | poetry show, poetry env info |
| uv.lock | uv pip list, uv tree |
| Pipfile.lock | pipenv graph |
| requirements.txt (no other lock) | pip list, pip show, pip freeze |

Node.js (if package.json detected)

| If Detected | Add These Commands |
| ----------- | ------------------ |
| Any Node.js | node --version |
| pnpm-lock.yaml | pnpm list, pnpm why |
| yarn.lock | yarn list, yarn info, yarn why |
| package-lock.json | npm list, npm view, npm outdated |
| TypeScript (tsconfig.json) | tsc --version |

Other Languages

| If Detected | Add These Commands |
| ----------- | ------------------ |
| go.mod | go version, go list, go mod graph, go env |
| Cargo.toml | rustc --version, cargo --version, cargo tree, cargo metadata |
| Gemfile | ruby --version, bundle list, bundle show |
| pom.xml | java --version, mvn --version, mvn dependency:tree |
| build.gradle | java --version, gradle --version, gradle dependencies |

Build Tools

| If Detected | Add These Commands |
| ----------- | ------------------ |
| Dockerfile | docker --version, docker ps, docker images |
| docker-compose.yml | docker-compose ps, docker-compose config |
| *.tf files | terraform --version, terraform providers, terraform state list |
| Makefile | make --version, make -n |

Skills (for Sentry Projects)

If this is a Sentry project (or sentry-skills plugin is installed), include:

[
  "Skill(sentry-skills:agents-md)",
  "Skill(sentry-skills:blog-writing-guide)",
  "Skill(sentry-skills:brand-guidelines)",
  "Skill(sentry-skills:claude-settings-audit)",
  "Skill(sentry-skills:code-review)",
  "Skill(sentry-skills:code-simplifier)",
  "Skill(sentry-skills:commit)",
  "Skill(sentry-skills:create-branch)",
  "Skill(sentry-skills:create-pr)",
  "Skill(sentry-skills:django-access-review)",
  "Skill(sentry-skills:django-perf-review)",
  "Skill(sentry-skills:doc-coauthoring)",
  "Skill(sentry-skills:find-bugs)",
  "Skill(sentry-skills:gh-review-requests)",
  "Skill(sentry-skills:gha-security-review)",
  "Skill(sentry-skills:iterate-pr)",
  "Skill(sentry-skills:pr-writer)",
  "Skill(sentry-skills:security-review)",
  "Skill(sentry-skills:skill-creator)",
  "Skill(sentry-skills:skill-scanner)",
  "Skill(sentry-skills:skill-writer)",
  "Skill(sentry-skills:sred-project-organizer)",
  "Skill(sentry-skills:sred-work-summary)"
]

WebFetch Domains

Always Include (Sentry Projects)

[
  "WebFetch(domain:docs.sentry.io)",
  "WebFetch(domain:develop.sentry.dev)",
  "WebFetch(domain:docs.github.com)",
  "WebFetch(domain:cli.github.com)"
]

Framework-Specific

| If Detected | Add Domains |
| ----------- | ----------- |
| Django | docs.djangoproject.com |
| Flask | flask.palletsprojects.com |
| FastAPI | fastapi.tiangolo.com |
| React | react.dev |
| Next.js | nextjs.org |
| Vue | vuejs.org |
| Express | expressjs.com |
| Rails | guides.rubyonrails.org, api.rubyonrails.org |
| Go | pkg.go.dev |
| Rust | docs.rs, doc.rust-lang.org |
| Docker | docs.docker.com |
| Kubernetes | kubernetes.io |
| Terraform | registry.terraform.io |

MCP Server Suggestions

MCP servers are configured in .mcp.json (not settings.json). Check for existing config:

cat .mcp.json 2>/dev/null || echo "No existing .mcp.json"

Sentry MCP (if Sentry SDK detected)

Add to .mcp.json (replace {org-slug} and {project-slug} with your Sentry organization and project slugs):

{
  "mcpServers": {
    "sentry": {
      "type": "http",
      "url": "https://mcp.sentry.dev/mcp/{org-slug}/{project-slug}"
    }
  }
}

Linear MCP (if Linear usage detected)

Add to .mcp.json:

{
  "mcpServers": {
    "linear": {
      "command": "npx",
      "args": ["-y", "@linear/mcp-server"],
      "env": {
        "LINEAR_API_KEY": "${LINEAR_API_KEY}"
      }
    }
  }
}

Note: Never suggest GitHub MCP. Always use gh CLI commands for GitHub.

Output Format

Present your findings as:

1. Summary Table - What was detected

2. Recommended settings.json - Complete JSON ready to copy

3. MCP Suggestions - If applicable

4. Merge Instructions - If existing settings found

Example output structure:

## Detected Tech Stack

| Category        | Found          |
| --------------- | -------------- |
| Languages       | Python 3.x     |
| Package Manager | poetry         |
| Frameworks      | Django, Celery |
| Services        | Sentry         |
| Build Tools     | Docker, Make   |

## Recommended .claude/settings.json

```json
{
  "permissions": {
    "allow": [
      // ... grouped by category with comments
    ],
    "deny": []
  }
}
```

## Recommended .mcp.json (if applicable)

If you use Sentry or Linear, add the MCP config to `.mcp.json`...

Important Rules

What to Include

  • Only READ-ONLY commands that cannot modify state
  • Only tools that are actually used by the project (detected via lock files)
  • Standard system commands (ls, cat, find, etc.)
  • The :* suffix allows any arguments to the base command

What to NEVER Include

  • Absolute paths - Never include user-specific paths like /home/user/scripts/foo or /Users/name/bin/bar
  • Custom scripts - Never include project scripts that may have side effects (e.g., ./scripts/deploy.sh)
  • Alternative package managers - If the project uses pnpm, do NOT include npm/yarn commands
  • Commands that modify state - No install, build, run, write, or delete commands
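As an added example (not code from the skill or the sickn33/antigravity-awesome-skills repository), the following Python script checks an existing allow list against the four exclusion rules above, using the lock-file table from the Package Manager Rules section for the alternative-package-manager check. The function names, the constructed settings.json sample, and the treatment of `gh run` as a read-only prefix (so that the page's own `gh run view`, `gh run list` and `gh run logs` entries are not flagged) are this example's assumptions.

```python
"""Audit an existing settings.json allow list against the skill's exclusion rules.

Added example, not code from the skill or its repository. It implements only the
four "What to NEVER Include" rules stated on the page, so an entry it leaves
unflagged is not thereby proven safe. Function names and the sample settings are
this example's own.
"""
from __future__ import annotations

import json
import re

# Verbs the page names as state-modifying.
STATE_CHANGING = {"install", "build", "run", "write", "delete"}
# Lock file -> package managers that must not appear when that lock file exists (page table).
EXCLUSIVE_MANAGERS = {
    "pnpm-lock.yaml": {"npm", "yarn"},
    "yarn.lock": {"npm", "pnpm"},
    "package-lock.json": {"yarn", "pnpm"},
    "uv.lock": {"pip", "poetry"},
    "Pipfile.lock": {"pip", "poetry"},
}
# Matches Bash(<command prefix>) with or without the :* wildcard suffix.
BASH_RULE = re.compile(r"^Bash\((?P<cmd>.+?)(?::\*)?\)$")


def audit_entry(entry: str, lock_files: set[str]) -> list[str]:
    """Reasons the entry violates the page's rules; empty list when none apply."""
    match = BASH_RULE.match(entry)
    if not match:
        return []  # Skill(...) and WebFetch(...) entries are outside these rules
    words = match.group("cmd").split()
    head = words[0]
    reasons: list[str] = []
    if head.startswith("/"):
        reasons.append("absolute path")
    elif head.startswith("./") or "/" in head:
        reasons.append("custom script")  # a relative path into the repo, e.g. ./scripts/deploy.sh
    # "gh run view/list/logs" are read-only baseline entries where "run" is a noun,
    # so the verb check starts after that prefix; "gh run delete" is still caught.
    verb_start = 2 if words[:2] == ["gh", "run"] else 1
    if any(word in STATE_CHANGING for word in words[verb_start:]):
        reasons.append("state-modifying verb")
    for lock, banned in EXCLUSIVE_MANAGERS.items():
        if lock in lock_files and head in banned:
            reasons.append(f"alternative package manager ({head} while {lock} is present)")
    return reasons


def audit(settings: dict, lock_files: set[str]) -> dict[str, list[str]]:
    """Map each offending allow entry to its reasons."""
    report: dict[str, list[str]] = {}
    for entry in settings.get("permissions", {}).get("allow", []):
        reasons = audit_entry(entry, lock_files)
        if reasons:
            report[entry] = reasons
    return report


# Constructed sample: a pnpm project whose settings.json has drifted from the rules.
SAMPLE_SETTINGS = json.loads("""{
  "permissions": {
    "allow": [
      "Bash(git status:*)",
      "Bash(gh run view:*)",
      "Bash(pnpm list:*)",
      "Bash(npm install:*)",
      "Bash(/home/user/scripts/foo:*)",
      "Bash(./scripts/deploy.sh:*)",
      "Bash(docker run:*)",
      "WebFetch(domain:docs.sentry.io)"
    ],
    "deny": []
  }
}""")
SAMPLE_LOCKS = {"pnpm-lock.yaml"}


if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_SETTINGS, SAMPLE_LOCKS).items():
        print(f"{entry}: {', '.join(reasons)}")
```

The script only encodes the rules the page states. An entry it does not flag, for example one whose command is not among the page's five verbs, is not thereby shown to be read-only, so treat the report as a first pass to be followed by the manual review the skill itself calls for.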

Package Manager Rules

Only include the package manager actually used by the project:

| If Detected | Include | Do NOT Include |
| ----------- | ------- | -------------- |
| pnpm-lock.yaml | pnpm commands | npm, yarn |
| yarn.lock | yarn commands | npm, pnpm |
| package-lock.json | npm commands | yarn, pnpm |
| poetry.lock | poetry commands | pip (unless also has requirements.txt) |
| uv.lock | uv commands | pip, poetry |
| Pipfile.lock | pipenv commands | pip, poetry |

If multiple lock files exist, include only the commands for each detected manager.
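The detection and recommendation phases can be run end to end by a script. The following Python program is an added example, not code from the skill or its repository: it scans a repository for the Phase 1 indicator files, applies the Phase 4 baseline and stack-specific tables together with the package manager rules above, and merges the result into an existing settings.json without dropping entries already there. The function names (`detect`, `recommend`, `merge_settings`, `demo`), the constructed temporary repository, and the stricter reading that plain pip commands are added only when requirements.txt is the sole Python lock or spec file are this example's own assumptions.

```python
"""Build a read-only Claude Code settings.json allow list from indicator files.

Added example that implements the skill's Phase 1 detection and Phase 4 tables;
it is not code from the sickn33/antigravity-awesome-skills repository, and the
function names (detect, recommend, merge_settings, demo) are this example's own.
"""
from __future__ import annotations

import copy
import tempfile
from pathlib import Path

# Baseline commands the skill says to always include (copied from the page).
BASELINE = [
    "ls", "pwd", "find", "file", "stat", "wc", "head", "tail", "cat", "tree",
    "git status", "git log", "git diff", "git show", "git branch", "git remote",
    "git tag", "git stash list", "git rev-parse",
    "gh pr view", "gh pr list", "gh pr checks", "gh pr diff",
    "gh issue view", "gh issue list", "gh run view", "gh run list", "gh run logs",
    "gh repo view", "gh api",
]

# Indicator file -> commands to add, from the page's stack-specific tables.
# Keying on lock files is what enforces "only the package manager actually used".
STACK_RULES = {
    "poetry.lock": ["poetry show", "poetry env info"],
    "uv.lock": ["uv pip list", "uv tree"],
    "Pipfile.lock": ["pipenv graph"],
    "requirements.txt": ["pip list", "pip show", "pip freeze"],
    "pnpm-lock.yaml": ["pnpm list", "pnpm why"],
    "yarn.lock": ["yarn list", "yarn info", "yarn why"],
    "package-lock.json": ["npm list", "npm view", "npm outdated"],
    "tsconfig.json": ["tsc --version"],
    "go.mod": ["go version", "go list", "go mod graph", "go env"],
    "Cargo.toml": ["rustc --version", "cargo --version", "cargo tree", "cargo metadata"],
    "Gemfile": ["ruby --version", "bundle list", "bundle show"],
    "pom.xml": ["java --version", "mvn --version", "mvn dependency:tree"],
    "build.gradle": ["java --version", "gradle --version", "gradle dependencies"],
    "build.gradle.kts": ["java --version", "gradle --version", "gradle dependencies"],
    "Dockerfile": ["docker --version", "docker ps", "docker images"],
    "docker-compose.yml": ["docker-compose ps", "docker-compose config"],
    "*.tf": ["terraform --version", "terraform providers", "terraform state list"],
    "Makefile": ["make --version", "make -n"],
}
PYTHON_MARKERS = {"pyproject.toml", "setup.py", "requirements.txt", "Pipfile", "poetry.lock", "uv.lock"}
PYTHON_LOCKS = {"poetry.lock", "uv.lock", "Pipfile.lock"}


def detect(repo: Path) -> set[str]:
    """Names of indicator files within two directory levels (the page's find -maxdepth 2)."""
    found: set[str] = set()
    for pattern in ("*", "*/*"):
        for path in repo.glob(pattern):
            if path.is_file():
                found.add("*.tf" if path.suffix == ".tf" else path.name)
    return found


def recommend(found: set[str]) -> list[str]:
    """Baseline plus stack-specific commands, as Bash(<cmd>:*) permission strings."""
    commands = list(BASELINE)
    if found & PYTHON_MARKERS:
        commands += ["python --version", "python3 --version"]
    if "package.json" in found:
        commands.append("node --version")
    for marker, cmds in STACK_RULES.items():
        if marker not in found:
            continue
        # Package-manager rule, stricter reading of the page's tables: plain pip
        # commands only when requirements.txt is the sole Python lock/spec file.
        if marker == "requirements.txt" and found & PYTHON_LOCKS:
            continue
        commands += cmds
    unique = list(dict.fromkeys(commands))  # drop repeats (e.g. java --version), keep order
    return [f"Bash({cmd}:*)" for cmd in unique]


def merge_settings(existing: dict | None, allow: list[str]) -> dict:
    """Append new entries to an existing settings.json without dropping what is there."""
    settings = copy.deepcopy(existing) if existing else {}
    perms = settings.setdefault("permissions", {})
    current = perms.get("allow", [])
    perms["allow"] = current + [entry for entry in allow if entry not in current]
    perms.setdefault("deny", [])
    return settings


def demo() -> dict:
    """Run the pipeline on a constructed Poetry + Docker + Terraform repo layout."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        for name in ("pyproject.toml", "poetry.lock", "requirements.txt", "Dockerfile", "Makefile"):
            (repo / name).write_text("")  # constructed empty marker files
        (repo / "infra").mkdir()
        (repo / "infra" / "main.tf").write_text("")  # *.tf one level down
        existing = {"permissions": {"allow": ["Bash(git status:*)"], "deny": ["Bash(rm:*)"]}}
        return merge_settings(existing, recommend(detect(repo)))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

To use it on a real checkout, call `recommend(detect(Path(".")))` from the repository root and merge with the parsed contents of `.claude/settings.json`. The baseline is copied from the page as written; note that `Bash(gh api:*)` permits any arguments to `gh api`, including its `--method` option, so it is broader than the other read-only entries and deserves a second look when you review the merged output.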

Limitations

  • Use this skill only when the task clearly matches the scope described above.
  • Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
  • Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.