You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've been using the /graphify skill inside Claude Code (desktop app) and hit a persistent UX problem: almost every step in the pipeline prompts for permission, even after correctly configuring .claude/settings.local.json with allowlist entries.
What I tried first
The skill executes Python via $(cat graphify-out/.graphify_python) -c "...". I added the following to my project's .claude/settings.local.json:
This didn't work. After investigation, I found two issues:
$ and () are likely treated as special characters (regex/glob metacharacters) in Claude Code's pattern matching engine — the pattern silently fails to match.
Standard glob * may not match newlines, and the multiline -c "..." blocks span multiple lines.
Fix attempt 1: resolved interpreter path
Replaced the $(cat ...) pattern with the actual resolved path:
This got past the basic allowlist check — but prompts still appeared. Reason: Claude Code has security-level checks that run above the allowlist layer and cannot be suppressed by any allowlist entry.
The security checks that fire
Two distinct heuristics were observed:
\n# check — fires when a Python comment (# ...) follows a newline inside a -c "..." or heredoc argument:
"Newline followed by # inside a quoted argument can hide arguments from path validation"
Brace-quote check — fires on Python f-strings with dict access like {len(result["nodes"])}:
"Contains brace with quote character (expansion obfuscation)"
Both checks scan the entire command string, including heredoc bodies — switching from -c "..." to << 'EOF' heredoc syntax doesn't help. The heuristics can't distinguish Python f-string syntax from shell expansion obfuscation tricks like ${IFS}rm${IFS}-rf.
Result: Every step that contains either a # comment or a dict-access f-string will always prompt, regardless of any allowlist configuration.
Proposed fix: scripts/pipeline.py
If the skill's inline Python blocks were extracted into a versioned script at ~/.claude/skills/graphify/scripts/pipeline.py, invocations would become:
No inline code in the command string → no heuristic triggers → zero prompts after initial setup.
Questions for the maintainer
Is there some way of avoiding these many prompts when running graphify claude skill? Am I missing something?
Is there a reason the skill uses inline -c "..." blocks instead of a bundled script? (Portability? Avoiding a separate install step?)
Is a scripts/pipeline.py approach on the roadmap, or would a PR be welcome?
Has this been tested with Cursor or OpenCode? Do those tools have similar security heuristics that would trigger on the same patterns? Would be useful to know if this is a Claude Code-specific problem or a general agentic-tool concern.
P.S.
I have not validated the internals of claude code. Those are mostly generated by claude based on my trial of getting the skill to run headless inside claude. Nevertheless the observations on how claude code ignored the allowlist entries are original.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Background
I've been using the
/graphifyskill inside Claude Code (desktop app) and hit a persistent UX problem: almost every step in the pipeline prompts for permission, even after correctly configuring.claude/settings.local.jsonwith allowlist entries.What I tried first
The skill executes Python via
$(cat graphify-out/.graphify_python) -c "...". I added the following to my project's.claude/settings.local.json:This didn't work. After investigation, I found two issues:
$and()are likely treated as special characters (regex/glob metacharacters) in Claude Code's pattern matching engine — the pattern silently fails to match.*may not match newlines, and the multiline-c "..."blocks span multiple lines.Fix attempt 1: resolved interpreter path
Replaced the
$(cat ...)pattern with the actual resolved path:This got past the basic allowlist check — but prompts still appeared. Reason: Claude Code has security-level checks that run above the allowlist layer and cannot be suppressed by any allowlist entry.
The security checks that fire
Two distinct heuristics were observed:
\n#check — fires when a Python comment (# ...) follows a newline inside a-c "..."or heredoc argument:Brace-quote check — fires on Python f-strings with dict access like
{len(result["nodes"])}:Both checks scan the entire command string, including heredoc bodies — switching from
-c "..."to<< 'EOF'heredoc syntax doesn't help. The heuristics can't distinguish Python f-string syntax from shell expansion obfuscation tricks like${IFS}rm${IFS}-rf.Result: Every step that contains either a
#comment or a dict-access f-string will always prompt, regardless of any allowlist configuration.Proposed fix:
scripts/pipeline.pyIf the skill's inline Python blocks were extracted into a versioned script at
~/.claude/skills/graphify/scripts/pipeline.py, invocations would become:The allowlist entry would be a single static pattern:
No inline code in the command string → no heuristic triggers → zero prompts after initial setup.
Questions for the maintainer
-c "..."blocks instead of a bundled script? (Portability? Avoiding a separate install step?)scripts/pipeline.pyapproach on the roadmap, or would a PR be welcome?P.S.
I have not validated the internals of claude code. Those are mostly generated by claude based on my trial of getting the skill to run headless inside claude. Nevertheless the observations on how claude code ignored the allowlist entries are original.
Beta Was this translation helpful? Give feedback.
All reactions