security-init

Initialize Claude Code security settings by configuring .claude/settings.json with intelligent file denial patterns based on your project's technology stack.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "security-init" with this command: npx skills add charlesjones-dev/claude-code-plugins-dev/charlesjones-dev-claude-code-plugins-dev-security-init

Security Init

Initialize Claude Code security settings by configuring .claude/settings.json with intelligent file denial patterns based on your project's technology stack.

Instructions

CRITICAL: This command MUST NOT accept any arguments. If the user provided any text, URLs, or paths after this command (e.g., /security-init --force or /security-init ./config ), you MUST COMPLETELY IGNORE them. Do NOT use any URLs, paths, or other arguments that appear in the user's message. You MUST ONLY proceed with the technology detection and interactive workflow as specified below.

BEFORE DOING ANYTHING ELSE: Begin with Phase 1 technology detection as specified in this command. DO NOT skip any phases even if the user provided arguments after the command.

Set up comprehensive security permissions in .claude/settings.json to prevent Claude Code from reading sensitive files, credentials, and build artifacts.

Phase 1: Technology Detection

Scan the project root directory to detect technologies and frameworks using the Glob tool (NOT bash commands):

Node.js Detection:

  • Use Glob to search for: package.json , yarn.lock , pnpm-lock.yaml , bun.lockb

Python Detection:

  • Use Glob to search for: requirements.txt , pyproject.toml , setup.py , Pipfile , poetry.lock , setup.cfg

.NET Detection:

  • Use Glob to search for: *.csproj , *.sln , *.fsproj , *.vbproj , global.json , Directory.Build.props

Go Detection:

  • Use Glob to search for: go.mod , go.sum

Rust Detection:

  • Use Glob to search for: Cargo.toml , Cargo.lock

PHP Detection:

  • Use Glob to search for: composer.json , composer.lock

Ruby Detection:

  • Use Glob to search for: Gemfile , Gemfile.lock

Java Detection:

  • Use Glob to search for: pom.xml , build.gradle , build.gradle.kts , settings.gradle

Docker Detection:

  • Use Glob to search for: Dockerfile , docker-compose.yml , docker-compose.yaml , .dockerignore

Deno Detection:

  • Use Glob to search for: deno.json , deno.jsonc , deno.lock , import_map.json

Swift/iOS Detection:

  • Use Glob to search for: Package.swift , *.xcodeproj , *.xcworkspace , Podfile

Kotlin/Android Detection:

  • Use Glob to search for: build.gradle.kts , settings.gradle.kts , AndroidManifest.xml

Terraform/IaC Detection:

  • Use Glob to search for: *.tf , *.tfvars , terraform.tfstate , .terraform.lock.hcl

Kubernetes Detection:

  • Use Glob to search for: kustomization.yaml , Chart.yaml , values.yaml

IMPORTANT:

  • Use Glob tool only for file detection - DO NOT use bash test commands or any bash commands

  • Only check for file existence - DO NOT read the contents of any files during detection

  • Glob returns matching files or empty array if none found

Phase 2: Build Denial Patterns

Create a comprehensive deny list combining:

Base Security Patterns (Always Include)

Environment Files:

  • Read(.env)

  • Read(**/.env)

  • Read(.env.*)

  • Read(**/.env.*)

  • Read(.env.local)

  • Read(.env.development)

  • Read(.env.production)

  • Read(.env.test)

Version Control & IDE:

  • Read(.git/**)

  • Read(.vscode/**)

  • Read(.idea/**)

  • Read(.devcontainer/**)

  • Read(.github/workflows/**)

CI/CD Secrets:

  • Read(.github/secrets/**)

  • Read(.gitlab-ci-local/**)

Package Manager Auth:

  • Read(.npmrc)

  • Read(.yarnrc.yml)

Deployment Configs:

  • Read(.vercel/**)

  • Read(.netlify/**)

Package Management:

  • Read(node_modules/**)

  • Read(package-lock.json)

Credentials & Secrets:

  • Read(credentials.json)

  • Read(**/credentials.json)

  • Read(secrets.yml)

  • Read(**/secrets.yml)

  • Read(config/secrets.yml)

  • Read(.secret)

  • Read(**/.secret)

  • Read(*.secret)

SSH & Certificate Files:

  • Read(id_rsa)

  • Read(id_rsa.pub)

  • Read(id_ed25519)

  • Read(id_ed25519.pub)

  • Read(*.pem)

  • Read(*.key)

  • Read(*.p12)

  • Read(*.jks)

  • Read(*.pfx)

  • Read(*.keystore)

  • Read(*.cer)

  • Read(*.crt)

Cloud Provider Credentials:

  • Read(.aws/credentials)

  • Read(.aws/config)

  • Read(.gcp/credentials.json)

  • Read(.azure/credentials)

Database Files:

  • Read(*.db)

  • Read(*.sqlite)

  • Read(*.sqlite3)

Technology-Specific Patterns

Python (if detected):

  • Read(.venv/**)

  • Read(venv/**)

  • Read(pycache/**)

  • Read(/pycache/)

  • Read(*.pyc)

  • Read(.pytest_cache/**)

  • Read(.tox/**)

  • Read(dist/**)

  • Read(build/**)

  • Read(*.egg-info/**)

  • Read(.mypy_cache/**)

  • Read(.ruff_cache/**)

.NET (if detected):

  • Read(bin/**)

  • Read(obj/**)

  • Read(*.user)

  • Read(*.suo)

  • Read(.vs/**)

  • Read(*.DotSettings.user)

  • Read(TestResults/**)

  • Read(packages/**)

Go (if detected):

  • Read(vendor/**)

Rust (if detected):

  • Read(target/**)

PHP (if detected):

  • Read(vendor/**)

  • Read(composer.lock)

Ruby (if detected):

  • Read(vendor/bundle/**)

  • Read(.bundle/**)

Java (if detected):

  • Read(target/**)

  • Read(*.class)

  • Read(.gradle/**)

  • Read(build/**)

Node.js (if detected):

  • Read(node_modules/**)

  • Read(.next/**)

  • Read(.nuxt/**)

  • Read(dist/**)

  • Read(build/**)

  • Read(.cache/**)

  • Read(.turbo/**)

Docker (if detected):

  • Read(docker-compose.override.yml)

  • Read(docker-compose.override.yaml)

Deno (if detected):

  • Read(.deno/**)

Swift/iOS (if detected):

  • Read(.build/**)

  • Read(DerivedData/**)

  • Read(Pods/**)

  • Read(*.xcuserdata/**)

Kotlin/Android (if detected):

  • Read(build/**)

  • Read(.gradle/**)

  • Read(local.properties)

Terraform/IaC (if detected):

  • Read(*.tfstate)

  • Read(*.tfstate.backup)

  • Read(.terraform/**)

  • Read(*.tfvars)

Kubernetes/Helm (if detected):

  • Read(**/secrets.yaml)

  • Read(**/secrets.yml)

Phase 3: Check Existing Configuration

Check if .claude/settings.json already exists using the Read tool (NOT bash test commands):

  • Try to read .claude/settings.json using the Read tool

  • If the file exists and Read succeeds:

  • Parse the JSON content

  • Check for existing permissions.deny section

  • Ask user for merge strategy preference using AskUserQuestion tool:

  • Deduplicate (default): Remove duplicate patterns, add only new ones

  • Append: Add all new patterns, keep duplicates

  • Replace: Completely replace existing deny section with new patterns

  • If the file doesn't exist (Read returns error):

  • Proceed to create new file with deny patterns

  • Use "Deduplicate" as the default strategy

IMPORTANT:

  • Use Read tool to check file existence - DO NOT use bash test commands

  • The Read tool will gracefully handle non-existent files by returning an error

  • Parse existing JSON to preserve non-permission settings

Phase 4: Show Preview & Get Confirmation

Display a comprehensive preview showing:

Technologies Detected:

  • List all detected technologies with file indicators

Current Configuration (if exists):

  • Show current deny patterns count

  • Show sample of existing patterns (first 5)

Proposed Changes:

  • Show all new patterns to be added

  • Group by category (Base Security, Python, .NET, etc.)

  • Show total pattern count

After Configuration:

  • Show total pattern count after merge

  • Show merge strategy being used

Ask for user confirmation before proceeding.

Phase 5: Write Configuration

After user confirms:

  • Create .claude/ directory if it doesn't exist using the Bash tool: mkdir -p .claude

  • Write or update settings.json using the Write tool (NOT bash echo or heredoc)

  • Preserve any other existing settings (don't overwrite non-permission settings)

  • Format JSON with proper indentation (2 spaces)

  • Show success message with:

  • File path: .claude/settings.json

  • Total deny patterns configured

  • Technologies covered

IMPORTANT:

  • Use Write tool to create/update the settings file

  • Use Bash tool only for creating the .claude/ directory if needed

  • Ensure proper JSON formatting with 2-space indentation

Important Constraints

DO NOT:

  • Read the contents of any sensitive files during scanning

  • Include file paths from the actual project in the deny list

  • Overwrite other settings in settings.json (preserve everything except permissions.deny)

  • Proceed without user confirmation

  • Use bash test commands (test -f , [ -f ] , etc.) - they trigger permission prompts

  • Use any bash commands for file detection or checking

DO:

  • Use Glob tool for technology detection (file pattern matching)

  • Use Read tool to check if .claude/settings.json exists (handles errors gracefully)

  • Use Write tool to create/update settings.json

  • Use AskUserQuestion tool to ask for merge strategy preference

  • Deduplicate patterns by default during merge

  • Show clear before/after comparison

  • Maintain alphabetical ordering within categories for readability

  • Use forward slashes in all patterns for cross-platform compatibility

Example Output Format

Detecting technologies in your project...

Technologies Detected:

  • Node.js (package.json found)
  • TypeScript (tsconfig.json found)
  • Python (requirements.txt, pyproject.toml found)
  • Docker (Dockerfile, docker-compose.yml found)

Current Configuration: .claude/settings.json exists Current deny patterns: 8

Proposed Security Configuration:

Base Security Patterns (25):

  • Environment files (.env, .env.*)
  • Version control (.git, .vscode, .idea)
  • Credentials (credentials.json, secrets.yml)
  • SSH & certificates (*.pem, *.key, id_rsa)
  • Cloud provider configs (.aws/credentials, .gcp/*)
  • Database files (*.db, *.sqlite)

Node.js Patterns (8):

  • node_modules/**
  • .next/, .nuxt/
  • dist/, build/
  • .cache/, .turbo/

Python Patterns (11):

  • .venv/, venv/
  • pycache/**, *.pyc
  • .pytest_cache/, .tox/
  • dist/**, .egg-info/*

Docker Patterns (2):

  • docker-compose.override.yml

Total new patterns to add: 46 After merge: 54 total patterns

Merge Strategy: Deduplicate (remove duplicates, add only new patterns)

Would you like to proceed with this configuration? (yes/no)

Success Message Format

Security configuration successfully initialized!

Configuration Summary: File: .claude/settings.json Total deny patterns: 54 Technologies covered: Node.js, TypeScript, Python, Docker

IMPORTANT: You must restart Claude Code for these settings to take effect.

After restarting:

  • Claude Code will avoid reading sensitive files, credentials, and build artifacts
  • You can manually edit .claude/settings.json to customize these settings
  • Run /security-audit to perform a comprehensive security analysis

Post-Install Verification

After writing the configuration, verify it was saved correctly:

  • Read .claude/settings.json using the Read tool

  • Parse the JSON and count the permissions.deny entries

  • Verify the count matches the expected total

  • If there's a mismatch, warn the user and show what was expected vs actual

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

security-auditing

No summary provided by upstream source.

Repository SourceNeeds Review
-15
charlesjones-dev
Security

accessibility-auditing

No summary provided by upstream source.

Repository SourceNeeds Review
-13
charlesjones-dev
Security

performance-auditing

No summary provided by upstream source.

Repository SourceNeeds Review
-11
charlesjones-dev