Bug Description
The create-marketplace command has unrestricted Bash tool access in its allowed-tools frontmatter, violating the least-privilege security principle documented in the command-development skill.
Steps to Reproduce
- Open
plugins/plugin-dev/commands/create-marketplace.md
- Examine line 4 frontmatter:
allowed-tools: ["Read", "Write", "Grep", "Glob", "Bash", "TodoWrite", "AskUserQuestion", "Skill", "Task"]
- Note that
Bash is unrestricted (no pattern like Bash(mkdir:*))
- Compare with
plugins/plugin-dev/commands/create-plugin.md line 4:
allowed-tools: ["Read", "Write", "Edit", "Grep", "Glob", "Bash(mkdir:*)`, ...]
- Note the inconsistency in Bash restrictions
Expected Behavior
The command should use restricted Bash access following the command-development skill best practice (SKILL.md:469):
"Limit scope: Use Bash(git:*) not Bash(*)"
Since the command only needs mkdir -p commands (lines 131-136 in the command body), the allowed-tools should be:
allowed-tools: ["Read", "Write", "Edit", "Grep", "Glob", "Bash(mkdir:*)", "TodoWrite", "AskUserQuestion", "Skill", "Task"]
Actual Behavior
Bash is unrestricted, meaning Claude could execute any shell command during this workflow without additional permission prompts for the Bash tool category.
Command Used
/plugin-dev:create-marketplace
Environment
- Plugin Version: 0.1.0
- File affected:
plugins/plugin-dev/commands/create-marketplace.md
Security Implications
While Claude is generally well-behaved, the principle of least privilege recommends granting only the minimum permissions necessary:
- Unnecessary capability: The command only needs
mkdir -p for directory creation
- Inconsistency: Sister command
create-plugin.md correctly restricts to Bash(mkdir:*)
- Best practice violation: Contradicts the skill's own documented guidance
Proposed Fix
# Line 4 of create-marketplace.md
# Before:
allowed-tools: ["Read", "Write", "Grep", "Glob", "Bash", "TodoWrite", "AskUserQuestion", "Skill", "Task"]
# After:
allowed-tools: ["Read", "Write", "Edit", "Grep", "Glob", "Bash(mkdir:*)", "TodoWrite", "AskUserQuestion", "Skill", "Task"]
Note: This also adds Edit for consistency with create-plugin.md (related to #105).
Additional Context
This issue was found during a comprehensive review of the plugin commands against documented best practices. While this is not an exploitable vulnerability (Claude still exercises judgment), it's a deviation from the plugin's own documented security best practices and should be corrected for consistency and defense-in-depth.
Bug Description
The
create-marketplacecommand has unrestrictedBashtool access in itsallowed-toolsfrontmatter, violating the least-privilege security principle documented in the command-development skill.Steps to Reproduce
plugins/plugin-dev/commands/create-marketplace.mdBashis unrestricted (no pattern likeBash(mkdir:*))plugins/plugin-dev/commands/create-plugin.mdline 4:Expected Behavior
The command should use restricted Bash access following the command-development skill best practice (SKILL.md:469):
Since the command only needs
mkdir -pcommands (lines 131-136 in the command body), the allowed-tools should be:Actual Behavior
Bashis unrestricted, meaning Claude could execute any shell command during this workflow without additional permission prompts for the Bash tool category.Command Used
/plugin-dev:create-marketplaceEnvironment
plugins/plugin-dev/commands/create-marketplace.mdSecurity Implications
While Claude is generally well-behaved, the principle of least privilege recommends granting only the minimum permissions necessary:
mkdir -pfor directory creationcreate-plugin.mdcorrectly restricts toBash(mkdir:*)Proposed Fix
Note: This also adds
Editfor consistency withcreate-plugin.md(related to #105).Additional Context
This issue was found during a comprehensive review of the plugin commands against documented best practices. While this is not an exploitable vulnerability (Claude still exercises judgment), it's a deviation from the plugin's own documented security best practices and should be corrected for consistency and defense-in-depth.