Tighten config-dir perms and validate plugin scope argv

- Create the global config dir at 0700 (it can hold credentials.json) in the
  skill-refresh and update-notice bootstrap paths, and chmod it once early in
  root.go so an existing 0755 dir from an older version is tightened. The chmod
  Lstats first and only touches a real directory (never a symlink), since
  GlobalConfigDir can fall back to TempDir where a local user could plant one.
- Whitelist the plugin --scope value {user,project,local,global} read from
  installed_plugins.json before passing it to 'claude plugin uninstall',
  preventing a '-'-leading value from injecting a flag into the argv.

Author: jeremy

internal/cli/root.go

@@ -44,6 +44,20 @@ func NewRootCmd() *cobra.Command {
 				return nil
 			}
 
+			// Tighten global config dir perms: an older CLI version (or the
+			// skill/update bootstrap) may have created it world-listable at
+			// 0755, yet it can hold credentials.json. Best-effort, runs before
+			// anything writes into the dir.
+			//
+			// Lstat first and only chmod a real directory: os.Chmod follows
+			// symlinks, and GlobalConfigDir() can fall back to TempDir(), so a
+			// local attacker could plant a symlink there and redirect the chmod.
+			if cfgDir := config.GlobalConfigDir(); cfgDir != "" {
+				if fi, statErr := os.Lstat(cfgDir); statErr == nil && fi.IsDir() && fi.Mode()&os.ModeSymlink == 0 {
+					_ = os.Chmod(cfgDir, 0o700) //nolint:gosec // G302: 0700 is correct for a directory (needs the execute bit) that can hold credentials.json
+				}
+			}
+
 			// Start background update check early so it runs during command execution
 			updateCheck = commands.StartUpdateCheck()
 

internal/commands/skill.go

@@ -344,7 +344,8 @@ func RefreshSkillsIfVersionChanged() bool {
 	// On transient failure, leave the sentinel stale so the next run retries.
 	needsRefresh := baselineSkillInstalled()
 	if !needsRefresh || refreshed {
-		_ = os.MkdirAll(filepath.Dir(sentinelPath), 0o755)             //nolint:gosec // G301: config dir
+		// 0o700: GlobalConfigDir can hold credentials.json; keep it owner-only.
+		_ = os.MkdirAll(filepath.Dir(sentinelPath), 0o700)
 		_ = os.WriteFile(sentinelPath, []byte(version.Version), 0o644) //nolint:gosec // G306: not a secret
 	}
 

internal/commands/update_notice.go

@@ -130,6 +130,7 @@ func writeUpdateCache(latestVersion string) {
 		return
 	}
 	dir := filepath.Dir(updateCachePath())
-	_ = os.MkdirAll(dir, 0o755)                      //nolint:gosec // G301: config dir
+	// 0o700: GlobalConfigDir can hold credentials.json; keep it owner-only.
+	_ = os.MkdirAll(dir, 0o700)
 	_ = os.WriteFile(updateCachePath(), data, 0o644) //nolint:gosec // G306: not a secret
 }

internal/commands/wizard_agents.go

@@ -322,6 +322,12 @@ func removeStaleClaudePlugins(ctx context.Context, claudePath string, plugins []
 		if len(p.Scopes) > 0 {
 			anyRemoved := false
 			for _, scope := range p.Scopes {
+				// scope comes from installed_plugins.json (not first-party).
+				// Whitelist it so a "-"-leading value can't inject a flag into
+				// the uninstall argv.
+				if !validPluginScope(scope) {
+					continue
+				}
 				c := exec.CommandContext(ctx, claudePath, "plugin", "uninstall", p.Key, "--scope", scope) //nolint:gosec // G204: claudePath from FindClaudeBinary
 				if err := c.Run(); err == nil {
 					anyRemoved = true
@@ -351,6 +357,18 @@ func removeStaleClaudePlugins(ctx context.Context, claudePath string, plugins []
 	return removed, scopes
 }
 
+// validPluginScope reports whether scope is one of Claude's accepted plugin
+// scopes. Used to gate untrusted scope values from installed_plugins.json
+// before they reach `claude plugin uninstall --scope <scope>`.
+func validPluginScope(scope string) bool {
+	switch scope {
+	case "user", "project", "local", "global":
+		return true
+	default:
+		return false
+	}
+}
+
 // claudeManualInstallHint returns the two-line manual install instructions.
 func claudeManualInstallHint(styles *tui.Styles) (string, string) {
 	return styles.Bold.Render(fmt.Sprintf("    claude plugin marketplace add %s", harness.ClaudeMarketplaceSource)),

internal/commands/wizard_agents_test.go

@@ -0,0 +1,22 @@
+package commands
+
+import "testing"
+
+// TestValidPluginScope guards the argv-injection whitelist: scope values come
+// from installed_plugins.json (not first-party), so a "-"-leading value must
+// not reach `claude plugin uninstall --scope <scope>`.
+func TestValidPluginScope(t *testing.T) {
+	valid := []string{"user", "project", "local", "global"}
+	for _, s := range valid {
+		if !validPluginScope(s) {
+			t.Errorf("validPluginScope(%q) = false, want true", s)
+		}
+	}
+
+	invalid := []string{"", "-rf", "--force", "User", "system", "/etc", "user ", " user"}
+	for _, s := range invalid {
+		if validPluginScope(s) {
+			t.Errorf("validPluginScope(%q) = true, want false", s)
+		}
+	}
+}