cuioss/tools-permission-sync
marketplace/bundles/plan-marshall/skills/tools-permission-sync/SKILL.md
Synchronize marketplace permissions - generate wildcards, manage executor permissions, and migrate to executor pattern.
$ install --global
skillsauthnpx skillsauth add cuioss/plan-marshall tools-permission-syncInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 11:02 AM6.6s2 files scanned
SKILL.md
- name:
- tools-permission-sync
- description:
- Synchronize marketplace permissions - generate wildcards, manage executor permissions, and migrate to executor pattern.
- user-invocable:
- false
Marketplace Sync Skill
PURPOSE: Synchronize Claude Code permissions with marketplace bundles and manage the executor permission pattern.
Enforcement
Execution mode: Run scripts exactly as documented; use --dry-run before applying changes.
Prohibited actions:
- Do not modify settings files without dry-run verification first
- Do not invent script arguments not listed in the operations table
- Do not bypass the executor permission pattern with individual script permissions
Constraints:
- All commands use
python3 .plan/execute-script.py plan-marshall:tools-permission-sync:marketplace-sync {command} {args} - Always use
--dry-runfirst to preview changes before applying
Script Reference
| Script | Notation | Purpose |
|--------|----------|---------|
| marketplace-sync | plan-marshall:tools-permission-sync:marketplace-sync | Marketplace permission synchronization |
Operations
generate-wildcards - Generate Permission Wildcards
Generate Skill and SlashCommand wildcards from marketplace inventory.
# Read inventory from stdin
python3 .plan/execute-script.py pm-plugin-development:tools-marketplace-inventory:scan-marketplace-inventory \
--scope marketplace --resource-types skills,commands | \
python3 .plan/execute-script.py plan-marshall:tools-permission-sync:marketplace-sync generate-wildcards
# Or from file
python3 .plan/execute-script.py plan-marshall:tools-permission-sync:marketplace-sync generate-wildcards \
--input inventory.json
Output (JSON):
{
"statistics": {
"bundles_scanned": 8,
"skills_found": 28,
"commands_found": 39,
"wildcards_generated": 22
},
"permissions": {
"skill_wildcards": ["Skill(pm-dev-builder:*)", "Skill(plan-marshall:*)"],
"command_bundle_wildcards": ["SlashCommand(/pm-dev-builder:*)", "SlashCommand(/plan-marshall:*)"],
"command_shortform": ["SlashCommand(/java-core:*)"]
}
}
ensure-executor - Ensure Executor Permission
Ensure the executor permission exists in settings.
python3 .plan/execute-script.py plan-marshall:tools-permission-sync:marketplace-sync ensure-executor \
--target global \
--dry-run
Output (JSON):
{
"executor_permission": "Bash(python3 .plan/execute-script.py *)",
"settings_file": "/Users/name/.claude/settings.json",
"action": "added",
"success": true
}
cleanup-scripts - Remove Redundant Script Permissions
Remove individual script path permissions (redundant with executor pattern).
python3 .plan/execute-script.py plan-marshall:tools-permission-sync:marketplace-sync cleanup-scripts \
--target global \
--remove-broad-python \
--dry-run
Output (JSON):
{
"individual_script_permissions": ["Bash(python3 /path/to/scripts/foo.py:*)"],
"individual_count": 5,
"broad_python_found": true,
"broad_python_removed": true,
"action": "would_remove",
"total_would_remove": 6
}
migrate-executor - Full Migration to Executor Pattern
Complete migration: add executor permission + cleanup redundant permissions.
python3 .plan/execute-script.py plan-marshall:tools-permission-sync:marketplace-sync migrate-executor \
--target global \
--remove-broad-python \
--dry-run
Output (JSON):
{
"success": true,
"dry_run": true,
"executor": {
"permission": "Bash(python3 .plan/execute-script.py *)",
"action": "added"
},
"cleanup": {
"individual_removed": 5,
"broad_python_removed": true
},
"summary": "Migrated to executor-only pattern: 1 permission replaces 5 individual script permissions"
}
Executor Permission Pattern
The executor pattern uses a single permission for all marketplace scripts:
Bash(python3 .plan/execute-script.py *)
This replaces individual script path permissions because the executor invokes scripts via subprocess (not checked by Claude Code permissions).
Benefits
- Single permission instead of N permissions (one per script)
- Automatic coverage for new scripts when executor is regenerated
- No permission prompts when adding new skills/commands
Migration Path
- Run
ensure-executorto add the executor permission - Run
cleanup-scriptsto remove redundant individual permissions - Or run
migrate-executorto do both in one step
Target Selection
| Target | File |
|--------|------|
| global | ~/.claude/settings.json |
| project | .claude/settings.json or .claude/settings.local.json |
Integration with Plan Marshall
The plan-marshall skill uses this during setup:
- Step 2: Generate Executor - Creates
.plan/execute-script.py - Ensure Executor Permission - Adds
Bash(python3 .plan/execute-script.py *)to global settings
python3 .plan/execute-script.py plan-marshall:tools-permission-sync:marketplace-sync ensure-executor \
--target global
Error Handling
All operations return JSON with error details:
{
"error": "Settings file not found: /path/to/settings.json",
"success": false
}
Related Skills
cuioss/ext-self-review-plan-marshall
tools
VerifiedTrustedCommunity
Plan-marshall-domain implementor of the ext-self-review-{domain} extension point. Surfaces deterministic candidates (regexes, user-facing strings, markdown sections, symmetric-pair functions, flag-guard pairs, contract sources, schema-bearing files) for pre-submission structural self-review.
5SKILL.mdUpdated Jun 6, 2026
cuioss/untrusted-ingestion
development
VerifiedTrustedCommunity
The single shared contract every untrusted-external-content ingestion surface loads — reader/orchestrator/writer isolation, the deterministic validator script as the containment boundary, and the output-schema discipline for candidate structs parsed from web pages, GitHub issue/PR/comment bodies, and Sonar issue messages
5SKILL.mdUpdated Jun 6, 2026
cuioss/recipe-simplify-codebase
development
VerifiedTrustedCommunity
Domain-invariant recipe for deliberate wide-scope simplification campaigns across a scope x thoroughness cell, with a T4+ relation-graph pre-deliverable
5SKILL.mdUpdated Jun 6, 2026
cuioss/test-skill
testing
VerifiedTrustedCommunity
A test skill for README generation
5SKILL.mdUpdated May 29, 2026