How do I install Claude Settings Audit?

Install Claude Settings Audit with a single command: npx mdskills install getsentry/claude-settings-audit. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Claude Settings Audit?

Claude Settings Audit works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Claude Settings Audit

Name: Claude Settings Audit: AI Agent Skill
Rating: 8 (1 reviews)
Author: getsentry

Verified

SKILL + PLUGINClaude Code PluginsIntermediate

Analyze a repository to generate recommended Claude Code settings.json permissions. Use when setting up a new project, auditing existing settings, or determining which read-only bash commands to allow. Detects tech stack, build tools, and monorepo structure.

by @getsentry0Updated 1 weeks ago

Add this skill

npx mdskills install getsentry/claude-settings-audit

Fork & Edit

Skill Advisor8.0

Comprehensive tech stack detection with systematic permission generation and clear decision rules

+Provides detailed phase-by-phase detection logic with specific file indicators
+Includes strict rules preventing dangerous patterns like absolute paths and state-modifying commands
+Offers complete output format with tables and merge instructions for easy adoption
-Uses broad shell execution and network permissions when detection could be more targeted

SKILL.md

Edit in Browser

1---
2name: claude-settings-audit
3description: Analyze a repository to generate recommended Claude Code settings.json permissions. Use when setting up a new project, auditing existing settings, or determining which read-only bash commands to allow. Detects tech stack, build tools, and monorepo structure.
4---
5 
6# Claude Settings Audit
7 
8Analyze this repository and generate recommended Claude Code `settings.json` permissions for read-only commands.
9 
10## Phase 1: Detect Tech Stack
11 
12Run these commands to detect the repository structure:
13 
14```bash
15ls -la
16find . -maxdepth 2 \( -name "*.toml" -o -name "*.json" -o -name "*.lock" -o -name "*.yaml" -o -name "*.yml" -o -name "Makefile" -o -name "Dockerfile" -o -name "*.tf" \) 2>/dev/null | head -50
17```
18 
19Check for these indicator files:
20 
21| Category     | Files to Check                                                                        |
22| ------------ | ------------------------------------------------------------------------------------- |
23| **Python**   | `pyproject.toml`, `setup.py`, `requirements.txt`, `Pipfile`, `poetry.lock`, `uv.lock` |
24| **Node.js**  | `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`                    |
25| **Go**       | `go.mod`, `go.sum`                                                                    |
26| **Rust**     | `Cargo.toml`, `Cargo.lock`                                                            |
27| **Ruby**     | `Gemfile`, `Gemfile.lock`                                                             |
28| **Java**     | `pom.xml`, `build.gradle`, `build.gradle.kts`                                         |
29| **Build**    | `Makefile`, `Dockerfile`, `docker-compose.yml`                                        |
30| **Infra**    | `*.tf` files, `kubernetes/`, `helm/`                                                  |
31| **Monorepo** | `lerna.json`, `nx.json`, `turbo.json`, `pnpm-workspace.yaml`                          |
32 
33## Phase 2: Detect Services
34 
35Check for service integrations:
36 
37| Service    | Detection                                                                       |
38| ---------- | ------------------------------------------------------------------------------- |
39| **Sentry** | `sentry-sdk` in deps, `@sentry/*` packages, `.sentryclirc`, `sentry.properties` |
40| **Linear** | Linear config files, `.linear/` directory                                       |
41 
42Read dependency files to identify frameworks:
43 
44- `package.json` → check `dependencies` and `devDependencies`
45- `pyproject.toml` → check `[project.dependencies]` or `[tool.poetry.dependencies]`
46- `Gemfile` → check gem names
47- `Cargo.toml` → check `[dependencies]`
48 
49## Phase 3: Check Existing Settings
50 
51```bash
52cat .claude/settings.json 2>/dev/null || echo "No existing settings"
53```
54 
55## Phase 4: Generate Recommendations
56 
57Build the allow list by combining:
58 
59### Baseline Commands (Always Include)
60 
61```json
62[
63  "Bash(ls:*)",
64  "Bash(pwd:*)",
65  "Bash(find:*)",
66  "Bash(file:*)",
67  "Bash(stat:*)",
68  "Bash(wc:*)",
69  "Bash(head:*)",
70  "Bash(tail:*)",
71  "Bash(cat:*)",
72  "Bash(tree:*)",
73  "Bash(git status:*)",
74  "Bash(git log:*)",
75  "Bash(git diff:*)",
76  "Bash(git show:*)",
77  "Bash(git branch:*)",
78  "Bash(git remote:*)",
79  "Bash(git tag:*)",
80  "Bash(git stash list:*)",
81  "Bash(git rev-parse:*)",
82  "Bash(gh pr view:*)",
83  "Bash(gh pr list:*)",
84  "Bash(gh pr checks:*)",
85  "Bash(gh pr diff:*)",
86  "Bash(gh issue view:*)",
87  "Bash(gh issue list:*)",
88  "Bash(gh run view:*)",
89  "Bash(gh run list:*)",
90  "Bash(gh run logs:*)",
91  "Bash(gh repo view:*)",
92  "Bash(gh api:*)"
93]
94```
95 
96### Stack-Specific Commands
97 
98Only include commands for tools actually detected in the project.
99 
100#### Python (if any Python files or config detected)
101 
102| If Detected                        | Add These Commands                      |
103| ---------------------------------- | --------------------------------------- |
104| Any Python                         | `python --version`, `python3 --version` |
105| `poetry.lock`                      | `poetry show`, `poetry env info`        |
106| `uv.lock`                          | `uv pip list`, `uv tree`                |
107| `Pipfile.lock`                     | `pipenv graph`                          |
108| `requirements.txt` (no other lock) | `pip list`, `pip show`, `pip freeze`    |
109 
110#### Node.js (if package.json detected)
111 
112| If Detected                  | Add These Commands                     |
113| ---------------------------- | -------------------------------------- |
114| Any Node.js                  | `node --version`                       |
115| `pnpm-lock.yaml`             | `pnpm list`, `pnpm why`                |
116| `yarn.lock`                  | `yarn list`, `yarn info`, `yarn why`   |
117| `package-lock.json`          | `npm list`, `npm view`, `npm outdated` |
118| TypeScript (`tsconfig.json`) | `tsc --version`                        |
119 
120#### Other Languages
121 
122| If Detected    | Add These Commands                                                   |
123| -------------- | -------------------------------------------------------------------- |
124| `go.mod`       | `go version`, `go list`, `go mod graph`, `go env`                    |
125| `Cargo.toml`   | `rustc --version`, `cargo --version`, `cargo tree`, `cargo metadata` |
126| `Gemfile`      | `ruby --version`, `bundle list`, `bundle show`                       |
127| `pom.xml`      | `java --version`, `mvn --version`, `mvn dependency:tree`             |
128| `build.gradle` | `java --version`, `gradle --version`, `gradle dependencies`          |
129 
130#### Build Tools
131 
132| If Detected          | Add These Commands                                                   |
133| -------------------- | -------------------------------------------------------------------- |
134| `Dockerfile`         | `docker --version`, `docker ps`, `docker images`                     |
135| `docker-compose.yml` | `docker-compose ps`, `docker-compose config`                         |
136| `*.tf` files         | `terraform --version`, `terraform providers`, `terraform state list` |
137| `Makefile`           | `make --version`, `make -n`                                          |
138 
139### Skills (for Sentry Projects)
140 
141If this is a Sentry project (or sentry-skills plugin is installed), include:
142 
143```json
144[
145  "Skill(sentry-skills:commit)",
146  "Skill(sentry-skills:create-pr)",
147  "Skill(sentry-skills:code-review)",
148  "Skill(sentry-skills:find-bugs)",
149  "Skill(sentry-skills:iterate-pr)",
150  "Skill(sentry-skills:claude-settings-audit)",
151  "Skill(sentry-skills:agents-md)",
152  "Skill(sentry-skills:brand-guidelines)",
153  "Skill(sentry-skills:doc-coauthoring)",
154  "Skill(sentry-skills:security-review)",
155  "Skill(sentry-skills:django-perf-review)",
156  "Skill(sentry-skills:code-simplifier)",
157  "Skill(sentry-skills:skill-creator)",
158  "Skill(sentry-skills:skill-scanner)"
159]
160```
161 
162### WebFetch Domains
163 
164#### Always Include (Sentry Projects)
165 
166```json
167[
168  "WebFetch(domain:docs.sentry.io)",
169  "WebFetch(domain:develop.sentry.dev)",
170  "WebFetch(domain:docs.github.com)",
171  "WebFetch(domain:cli.github.com)"
172]
173```
174 
175#### Framework-Specific
176 
177| If Detected    | Add Domains                                     |
178| -------------- | ----------------------------------------------- |
179| **Django**     | `docs.djangoproject.com`                        |
180| **Flask**      | `flask.palletsprojects.com`                     |
181| **FastAPI**    | `fastapi.tiangolo.com`                          |
182| **React**      | `react.dev`                                     |
183| **Next.js**    | `nextjs.org`                                    |
184| **Vue**        | `vuejs.org`                                     |
185| **Express**    | `expressjs.com`                                 |
186| **Rails**      | `guides.rubyonrails.org`, `api.rubyonrails.org` |
187| **Go**         | `pkg.go.dev`                                    |
188| **Rust**       | `docs.rs`, `doc.rust-lang.org`                  |
189| **Docker**     | `docs.docker.com`                               |
190| **Kubernetes** | `kubernetes.io`                                 |
191| **Terraform**  | `registry.terraform.io`                         |
192 
193### MCP Server Suggestions
194 
195MCP servers are configured in `.mcp.json` (not `settings.json`). Check for existing config:
196 
197```bash
198cat .mcp.json 2>/dev/null || echo "No existing .mcp.json"
199```
200 
201#### Sentry MCP (if Sentry SDK detected)
202 
203Add to `.mcp.json` (replace `{org-slug}` and `{project-slug}` with your Sentry organization and project slugs):
204 
205```json
206{
207  "mcpServers": {
208    "sentry": {
209      "type": "http",
210      "url": "https://mcp.sentry.dev/mcp/{org-slug}/{project-slug}"
211    }
212  }
213}
214```
215 
216#### Linear MCP (if Linear usage detected)
217 
218Add to `.mcp.json`:
219 
220```json
221{
222  "mcpServers": {
223    "linear": {
224      "command": "npx",
225      "args": ["-y", "@linear/mcp-server"],
226      "env": {
227        "LINEAR_API_KEY": "${LINEAR_API_KEY}"
228      }
229    }
230  }
231}
232```
233 
234**Note**: Never suggest GitHub MCP. Always use `gh` CLI commands for GitHub.
235 
236## Output Format
237 
238Present your findings as:
239 
2401. **Summary Table** - What was detected
2412. **Recommended settings.json** - Complete JSON ready to copy
2423. **MCP Suggestions** - If applicable
2434. **Merge Instructions** - If existing settings found
244 
245Example output structure:
246 
247```markdown
248## Detected Tech Stack
249 
250| Category        | Found          |
251| --------------- | -------------- |
252| Languages       | Python 3.x     |
253| Package Manager | poetry         |
254| Frameworks      | Django, Celery |
255| Services        | Sentry         |
256| Build Tools     | Docker, Make   |
257 
258## Recommended .claude/settings.json
259 
260\`\`\`json
261{
262"permissions": {
263"allow": [
264// ... grouped by category with comments
265],
266"deny": []
267}
268}
269\`\`\`
270 
271## Recommended .mcp.json (if applicable)
272 
273If you use Sentry or Linear, add the MCP config to `.mcp.json`...
274```
275 
276## Important Rules
277 
278### What to Include
279 
280- Only READ-ONLY commands that cannot modify state
281- Only tools that are actually used by the project (detected via lock files)
282- Standard system commands (ls, cat, find, etc.)
283- The `:*` suffix allows any arguments to the base command
284 
285### What to NEVER Include
286 
287- **Absolute paths** - Never include user-specific paths like `/home/user/scripts/foo` or `/Users/name/bin/bar`
288- **Custom scripts** - Never include project scripts that may have side effects (e.g., `./scripts/deploy.sh`)
289- **Alternative package managers** - If the project uses pnpm, do NOT include npm/yarn commands
290- **Commands that modify state** - No install, build, run, write, or delete commands
291 
292### Package Manager Rules
293 
294Only include the package manager actually used by the project:
295 
296| If Detected         | Include         | Do NOT Include                         |
297| ------------------- | --------------- | -------------------------------------- |
298| `pnpm-lock.yaml`    | pnpm commands   | npm, yarn                              |
299| `yarn.lock`         | yarn commands   | npm, pnpm                              |
300| `package-lock.json` | npm commands    | yarn, pnpm                             |
301| `poetry.lock`       | poetry commands | pip (unless also has requirements.txt) |
302| `uv.lock`           | uv commands     | pip, poetry                            |
303| `Pipfile.lock`      | pipenv commands | pip, poetry                            |
304 
305If multiple lock files exist, include only the commands for each detected manager.
306

Full transparency — inspect the skill content before installing.