`.claude/skills/` edits prompt for permission despite being documented as exempt (regression in 2.1.79)

[Bkankim]

Summary

Since v2.1.79, editing files under .claude/skills/ triggers a permission prompt ("Do you want to make this edit? / Yes, and allow Claude to edit its own settings for this session"), even though the documentation states .claude/skills/ is exempt from .claude/ directory protection.

Steps to Reproduce

1. Have Edit and Write in permissions.allow in settings.local.json
2. Run Claude Code v2.1.79+ in default permission mode
3. Ask Claude to edit any file under .claude/skills/ (e.g., a skill's SKILL.md or reference file)

Expected: Edit proceeds without prompting (.claude/skills/ is documented as exempt)
Actual: Permission prompt appears with "Yes, and allow Claude to edit its own settings for this session" option

Evidence

Documentation says .claude/skills/ is exempt

From the official docs:

bypassPermissions mode skips permission prompts. Writes to .git, .claude, .vscode, and .idea directories still prompt for confirmation to prevent accidental corruption of repository state and local configuration. Writes to .claude/commands, .claude/agents, and .claude/skills are exempt and do not prompt, because Claude routinely writes there when creating skills, subagents, and commands.

Binary analysis: .claude/skills missing from exemption list

Extracted from all versions (2.1.77–2.1.80), the exemption function only includes .claude/commands and .claude/agents:

// Same across all 4 versions — .claude/skills is NOT listed
function exemptPaths() {
  return [...protectedDirs.filter(d => d !== ".git"), ".claude/commands", ".claude/agents"]
}

v2.1.78 changelog confirms the protection was tightened

Fixed .git, .claude, and other protected directories being writable without a prompt in bypassPermissions mode

This fix in v2.1.78 was scoped to bypassPermissions mode. However, in v2.1.79 the protection appears to have been extended to default mode with allow-list as well (not mentioned in v2.1.79 changelog).

Session log evidence: behavior changed between versions

Version	Mode	.claude/ writes per session	Prompting possible?
2.1.78	default	110	No (impossible to approve 110 individually)
2.1.79	default	max 13	Yes (sharp drop suggests prompting started)

Two Issues

1. Code-docs mismatch: .claude/skills is documented as exempt but is not in the exemption list in code (affects all versions 2.1.77–2.1.80)
2. Regression in 2.1.79: .claude/ protection now applies in default mode with Edit/Write in the allow list, where it previously did not. This is not documented in the 2.1.79 changelog.

Impact

Projects that heavily use custom skills (with files under .claude/skills/) experience frequent permission prompts that block automated workflows. In my case, eval-driven skill development involves dozens of .claude/skills/ file writes per session.

Workaround Attempted

Added Edit(.claude/**) and Write(.claude/**) to the allow list — untested whether this overrides the .claude/ directory protection in 2.1.79+.

Environment

• Claude Code: 2.1.79 / 2.1.80
• Platform: Linux (WSL2)
• Permission mode: default
• Running as: root

[github-actions]

Found 3 possible duplicate issues:

1. Regression: .claude/skills/ writes prompt for confirmation in bypassPermissions mode since 2.1.78 #36396
2. Project-level skills in .claude/skills/ are now uneditable — protection conflicts with core feature design #36155
3. [BUG] v2.1.78: Protected directory prompt in bypassPermissions has no override — forces hacky workarounds #35646

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[Bkankim]

Workaround confirmed: PermissionRequest hook

The Edit(.claude/**) / Write(.claude/**) allow-list approach mentioned in the issue does not work — the hardcoded protected-directory check fires before the allow-list is consulted (separate layer).

What works: PermissionRequest hook

Added to settings.local.json:

{
  "hooks": {
    "PermissionRequest": [
      {
        "matcher": "Edit|Write",
        "hooks": [
          {
            "type": "command",
            "command": "\"$CLAUDE_PROJECT_DIR\"/.claude/hooks/permission-auto-approve.sh",
            "timeout": 3
          }
        ]
      }
    ]
  }
}

Hook script (permission-auto-approve.sh):

#!/usr/bin/env bash
set -uo pipefail
input="$(cat)"
file_path=$(printf '%s' "$input" | jq -r '.tool_input.file_path // empty' 2>/dev/null)

# Auto-approve .claude/ writes except settings files
if [[ -n "$file_path" && "$file_path" == */.claude/* && "$file_path" != */.claude/settings* ]]; then
  printf '{"hookSpecificOutput":{"hookEventName":"PermissionRequest","decision":{"behavior":"allow"}}}'
fi

Test results (20/20)

Main agent — PermissionRequest hook (10/10 PASS):

• .claude/skills/, .claude/hooks/, .claude/rules/, .claude/agents/ — auto-approved
• .claude/settings* — correctly blocked (prompt still appears)
• Regular files — unaffected
• Edge cases (empty path, malformed JSON, deep nesting) — handled safely
• Live test: Edit tool on .claude/skills/ file — no prompt

Sub-agent — Bash writes (10/10 PASS):

• PermissionRequest hooks do not fire for sub-agents
• Workaround: sub-agents use Bash (cat >, sed -i, tee, etc.) instead of Edit/Write
• All .claude/ subdirectories writable via Bash without prompts

Limitations

Scope	Works?	Note
Main agent (CLI terminal)	✅	PermissionRequest hook
Sub-agents	⚠️	Bash only (#23983)
VS Code extension	❌	PermissionRequest hooks don't fire (#35942)
-p (non-interactive) mode	❓	Untested

Credit: approach from #36044 (@echthesia).

[codacolor]

+1 — Hitting this exact issue. I have an umbrella workspace with multiple Areas, each with their own .claude/skills/ directories (e.g., ~/Documents/Antigravity/Areas/YouTube/.claude/skills/foo/SKILL.md).

The /.claude/ path pattern match triggers the protection on every project-level .claude/skills/ edit, not just ~/.claude/. This makes bypass permissions mode unusable for any workflow that programmatically updates skills.

Environment:

• Claude Code v2.1.91
• macOS
• bypassPermissions mode with explicit Edit(.claude/**) and Write(.claude/**) allow rules — neither overrides the hardcoded protection

The two issues as I understand them:

1. The documented .claude/skills/ exemption was never implemented (only commands/ and agents/ are exempted)
2. The protection matches /.claude/ anywhere in the path, so project-level .claude/ dirs get the same treatment as ~/.claude/

Both need to be fixed — even if the skills exemption worked, it still shouldn't be protecting project-level .claude/ directories the same way it protects the root config.

[paulmikulskis]

This issue is preventing the full use of the Skills feature.
There are several types of documents that one might want to update in a collated skill folder, such as JSON state trackers or perhaps other ancillary markdown prompts.

This is blocking significant work and certainly want to stay up-to-date when the bypassPermissions finally actually does indeed bypass permissions.