flowchart TB
subgraph Outer ["🔴 System Directories - NO ACCESS"]
Sys["/usr, /bin, /etc<br/>Permission Required"]:::blockedNode
end
subgraph Middle ["🟡 User Skills Directory - READ ONLY"]
Skills["~/.claude/skills/<br/>Read access only"]:::readNode
end
subgraph Inner ["🟢 Project Directory - FULL ACCESS"]
Exec["Skill Execution Sandbox<br/>Read/Write allowed"]:::allowedNode
Files["Project files<br/>/docs, /src, etc."]:::allowedNode
end
Exec -.->|Read| Skills
Exec -.->|Blocked| Sys
Exec -->|Read/Write| Files
classDef allowedNode fill:#43aa8b,stroke:#333,stroke-width:2px,color:#fff,font-size:16px
classDef readNode fill:#ffd166,stroke:#333,stroke-width:2px,color:#333,font-size:16px
classDef blockedNode fill:#e63946,stroke:#333,stroke-width:2px,color:#fff,font-size:16px
linkStyle default stroke:#999,stroke-width:2px
Security Model Overview
Claude skills operate within a security sandbox that defines three zones of file system access, protecting system integrity while enabling productive development.
Security Zones
🟢 Green Zone: Project Directory (Full Access)
Location: Current working directory (e.g., $HOME/Documents/project/)
Permissions: Read and Write
Purpose: Skills can freely read and modify files within the project scope
Typical paths: /docs, /src, /tests, mkdocs.yml, etc.
🟡 Yellow Zone: User Skills Directory (Read-Only)
Location: ~/.claude/skills/
Permissions: Read only
Purpose: Skills can read their own code, templates, and reference files but cannot modify them during execution
Typical paths: ~/.claude/skills/skill-name/SKILL.md, scripts/, references/
🔴 Red Zone: System Directories (Blocked)
Location: /usr, /bin, /etc, /System, etc.
Permissions: Blocked (requires explicit user approval)
Purpose: Protects system files from accidental or malicious modification
Access: When a skill attempts to access these areas, the user is prompted for permission
Security Best Practices
- Scope operations to project: Always work within the current project directory
- Validate file paths: Check that paths resolve within allowed zones
- Never hardcode system paths: Use relative paths from project root
- Request permission when needed: If system access is genuinely required, explain why to the user
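
One way a skill script could apply the "validate file paths" practice to the three zones described above. This is an added example, not Claude Code's own enforcement logic; the function names `zone_of` and `check_access`, the 'allow'/'deny'/'ask' results, and the rule that the skills directory is checked first when zones nest are assumptions of this example.

```python
from pathlib import Path


def zone_of(path, project_root, skills_root="~/.claude/skills"):
    """Classify a path as 'green', 'yellow' or 'red' by where it really resolves."""
    project = Path(project_root).expanduser().resolve()
    skills = Path(skills_root).expanduser().resolve()
    target = Path(path).expanduser()
    if not target.is_absolute():
        # Relative paths are anchored at the project root, not the process cwd.
        target = project / target
    # resolve() collapses ".." and follows symlinks, so a link inside the
    # project that points at a system directory is judged by its real target.
    target = target.resolve()
    # Assumption of this example: if the zones nest (project root is $HOME),
    # the more restrictive skills zone is checked first.
    if target == skills or skills in target.parents:
        return "yellow"
    if target == project or project in target.parents:
        return "green"
    return "red"


def check_access(path, mode, project_root, skills_root="~/.claude/skills"):
    """Return 'allow', 'deny' or 'ask' for mode 'read' or 'write'."""
    if mode not in ("read", "write"):
        raise ValueError("mode must be 'read' or 'write'")
    zone = zone_of(path, project_root, skills_root)
    if zone == "green":
        return "allow"
    if zone == "yellow":
        return "allow" if mode == "read" else "deny"
    return "ask"  # red zone: stop and request explicit user approval


if __name__ == "__main__":
    # Constructed sample requests, evaluated against a constructed project root.
    root = "/home/dev/project"
    for p, m in [("docs/index.md", "write"), ("~/.claude/skills/demo/SKILL.md", "write"),
                 ("../../../etc/passwd", "read"), ("/usr/bin/env", "write")]:
        print(f"{m:5} {p:35} -> {check_access(p, m, root)}")
```

Comparing resolved paths rather than string prefixes is what catches both `..` traversal and symlinks that leave the project directory.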
Permission Gates
When a skill attempts to access restricted areas, Claude Code will:
- Pause execution
- Show the user what file/directory is being accessed
- Explain why the skill needs access
- Request explicit approval to proceed