developer security user risk: high
AI Agent Permissions Updater for Claude Gemini
Analyzes conversation to identify commands used, categorizes them into read-only and write lists, audits against Claude and Gemini config files, and updates permissions to add only…
- Policy sensitive
- Human review
- External action: high
PROMPT
# Task: Update Agent Permissions

Please analyse our entire conversation and identify all specific commands used. Update permissions for both Claude Code and Gemini CLI.

## Reference Files

- Claude: ~/.claude/settings.json
- Gemini policy: ~/.gemini/policies/tool-permissions.toml
- Gemini settings: ~/.gemini/settings.json
- Gemini trusted folders: ~/.gemini/trustedFolders.json

## Instructions

1. Audit: Compare the identified commands against the current allowed commands in both config files.
2. Filter: Only include commands that provide read-only access to resources.
3. Restrict: Explicitly exclude any commands capable of modifying, deleting, or destroying data.
4. Update: Add only the missing read-only commands to both config files.
5. Constraint: Do not use wildcards. Each command must be listed individually for granular security.

Show me the list of commands under two categories: Read-Only, and Write.

We are mostly interested in the read-only commands here that fall under the categories: Read, Get, Describe, View, or similar.

Once I have approved the list, update both config files.

## Claude Format

File: ~/.claude/settings.json

Claude uses a JSON permissions object with allow, deny, and ask arrays.

Allow format: `Bash(command subcommand:*)`

Insert new commands in alphabetical order within the allow array.

## Gemini Format

File: ~/.gemini/policies/tool-permissions.toml

Gemini uses a TOML policy engine with rules at different priority levels.

Rule types and priorities:

- `decision = "deny"` at `priority = 200` for destructive operations
- `decision = "ask_user"` at `priority = 150` for write operations needing confirmation
- `decision = "allow"` at `priority = 100` for read-only operations

For allow rules, use `commandPrefix` (provides word-boundary matching). For deny and ask rules, use `commandRegex` (catches flag variants).

New read-only commands should be added to the appropriate existing `[[rule]]` block by category, or a new block if no category fits.

Example allow rule:

```toml
[[rule]]
toolName = "run_shell_command"
commandPrefix = ["command subcommand1", "command subcommand2"]
decision = "allow"
priority = 100
```

## Gemini Directories

If any new directories outside the workspace were accessed, add them to:

- `context.includeDirectories` in ~/.gemini/settings.json
- ~/.gemini/trustedFolders.json with value `"TRUST_FOLDER"`

## Exceptions

Do not suggest adding the following commands:

- git branch: The -D flag will delete branches
- git pull: In case a merge is actioned
- git checkout: Changing branches can interrupt work
- ajira issue create: To prevent excessive creation of new issues
- find: The -delete and -exec flags are destructive (use fd instead)
REQUIRED CONTEXT
- conversation history
- ~/.claude/settings.json
- ~/.gemini/policies/tool-permissions.toml
- ~/.gemini/settings.json
- ~/.gemini/trustedFolders.json
OPTIONAL CONTEXT
- accessed directories outside workspace
ROLES & RULES
- Analyse our entire conversation and identify all specific commands used.
- Compare the identified commands against the current allowed commands in both config files.
- Only include commands that provide read-only access to resources.
- Explicitly exclude any commands capable of modifying, deleting, or destroying data.
- Add only the missing read-only commands to both config files.
- Do not use wildcards. Each command must be listed individually for granular security.
- Show me the list of commands under two categories: Read-Only, and Write.
- Do not suggest adding git branch, git pull, git checkout, ajira issue create, find.
EXPECTED OUTPUT
- Format: markdown
- Schema: markdown_sections · Read-Only, Write
- Constraints:
  - list under Read-Only and Write categories
  - alphabetical order for Claude allow array
  - TOML rules for Gemini
  - JSON updates for Claude
  - no wildcards
  - individual commands only
SUCCESS CRITERIA
- Identify all specific commands used in the conversation.
- Categorize commands into Read-Only and Write.
- Audit against current config files.
- Add only missing read-only commands to configs in specified formats.
FAILURE MODES
- Including write or destructive commands in allow lists.
- Using wildcards instead of individual commands.
- Suggesting excluded commands like git branch or find.
- Updating files without showing list first or approval.
- Failing to check current config contents.
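A pre-approval check for the failure modes above, as an added example (not part of the original prompt or of either tool). It assumes the Claude file keeps its allow array under a top-level `permissions` key; the verb lists and the names `classify` and `plan_update` are hypothetical, chosen here for illustration.

```python
import json

# Exceptions named in the prompt: never proposed for the allow list.
EXCLUDED = ("git branch", "git pull", "git checkout", "ajira issue create", "find")
# Assumption: hypothetical verb lists standing in for "Read, Get, Describe, View, or similar".
READ_VERBS = {"read", "get", "describe", "view", "list", "show", "status", "log"}
WRITE_VERBS = {"create", "delete", "apply", "rm", "push", "update", "set", "edit", "patch"}
WILDCARD_CHARS = set("*?[]")


def classify(command):
    """Label one 'command subcommand' string; anything unrecognised is 'write'."""
    words = command.split()
    if any(ch in WILDCARD_CHARS for ch in command):
        return "wildcard"
    if any(words[:len(ex.split())] == ex.split() for ex in EXCLUDED):
        return "excluded"
    if any(w in WRITE_VERBS for w in words):
        return "write"
    if any(w in READ_VERBS for w in words[1:]):
        return "read-only"
    return "write"  # fail closed: unknown verbs need human review


def plan_update(settings_text, observed):
    """Return (proposed allow array, rejected commands); the file is not written."""
    allow = json.loads(settings_text).get("permissions", {}).get("allow", [])
    additions, rejected = set(), {}
    for raw in observed:
        cmd = " ".join(raw.split())  # normalise whitespace
        verdict = classify(cmd)
        if verdict != "read-only":
            rejected[cmd] = verdict
        else:
            # Trailing ":*" is the allow format the prompt specifies for Claude.
            additions.add(f"Bash({cmd}:*)")
    # Alphabetical order within the allow array, existing entries kept.
    return sorted(set(allow) | additions), rejected


# Constructed sample data, not taken from a real configuration.
SAMPLE_SETTINGS = json.dumps({"permissions": {
    "allow": ["Bash(git log:*)", "Bash(kubectl get:*)"], "deny": [], "ask": []}})
SAMPLE_OBSERVED = ["git status", "kubectl describe", "kubectl get",
                   "kubectl delete", "git branch", "find", "aws s3*"]

if __name__ == "__main__":
    new_allow, rejected = plan_update(SAMPLE_SETTINGS, SAMPLE_OBSERVED)
    print("Read-Only (proposed allow array):", *new_allow, sep="\n  ")
    print("Rejected:", rejected)
```

The function only returns a proposal, so the list can be shown for approval before either config file is touched.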
EXAMPLES
Includes one example allow rule in TOML format.
CAVEATS
- Dependencies:
  - Entire conversation history.
  - Current content of ~/.claude/settings.json
  - Current content of ~/.gemini/policies/tool-permissions.toml
  - Current content of ~/.gemini/settings.json
  - Current content of ~/.gemini/trustedFolders.json
- Missing context:
  - Conversation transcript to analyze.
  - Current contents of referenced config files.
  - Definition of 'workspace'.
  - Existing categories/blocks in Gemini TOML file.
- Ambiguities:
  - 'analyse our entire conversation' - conversation history not included in prompt.
  - 'add to the appropriate existing [[rule]] block by category' - categories not specified or listed.
  - 'new directories outside the workspace' - workspace not defined.
QUALITY
- Overall: 0.70
- Clarity: 0.75
- Specificity: 0.90
- Reusability: 0.20
- Completeness: 0.80
IMPROVEMENT SUGGESTIONS
- Replace 'our entire conversation' with a placeholder like [CONVERSATION_HISTORY] for reusability.
- List or describe existing categories in Gemini TOML for rule placement.
- Define 'workspace' explicitly, e.g., current project directory.
- Include instructions for handling cases with no new commands or no conversation.
- Parameterize file paths and tool names (e.g., [CLAUDE_CONFIG_PATH]) to make reusable.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.