Plugins cannot read their own files via `!`cat ${CLAUDE_PLUGIN_ROOT}/...`` — blocked by sandbox

[ugiordan]

Description

When a plugin skill file uses shell expansion to inline shared content from within its own plugin directory, the sandbox blocks the cat command because the plugin cache path is outside the project's working directory.

This is the same issue as #24203, which was auto-closed as stale without being fixed.

Reproduction

1. Install a plugin that uses skill composition via shell expansion in its SKILL.md frontmatter:

   !`cat ${CLAUDE_PLUGIN_ROOT}/skills/shared-skill/SKILL.md`

2. Open Claude Code in any project directory (e.g. ~/workdir/myproject)
3. Invoke the skill (e.g. /daily-triage)

Error

Error: Bash command permission check failed for pattern
"!`cat /Users/username/.claude/plugins/cache/org/plugin-name/0.1.5/skills/shared-skill/SKILL.md`":
cat in '/Users/username/.claude/plugins/cache/...' was blocked.
For security, Claude Code may only concatenate files from the allowed working directories
for this session: '/Users/username/workdir/myproject'.

Expected behavior

Plugins should be able to read files within their own ${CLAUDE_PLUGIN_ROOT} directory without being blocked by the sandbox. The sandbox is meant to protect the user's system, not to prevent trusted/installed plugins from reading their own assets.

Suggested fix (upstream)

When expanding !...`` directives in skill files, Claude Code should either:

• Execute those commands outside the sandbox (since skill files are trusted plugin content installed by the user)
• Or implicitly allowlist read access (e.g. cat) within each enabled plugin's CLAUDE_PLUGIN_ROOT

Workaround (for now)

Use Claude Code's --add-dir flag to include the plugin cache in the allowed working directories:

claude --add-dir ~/.claude/plugins/cache

Or add it as a shell alias for persistence:

alias claude="claude --add-dir ~/.claude/plugins/cache"

This allows the skill !cat`` expansion to read from the plugin cache without sandbox errors.

Environment

• Claude Code (CLI)
• macOS (Darwin 25.3.0)
• Plugin: jira-automation@data-hub-ai-helpers v0.1.5

[github-actions]

Found 1 possible duplicate issue:

1. [BUG] Skill dynamic injection blocks cat for files outside session working directory #24203

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[github-actions]

This issue has been automatically closed as a duplicate of #24203.

If this is incorrect, please re-open this issue or create a new one.

🤖 Generated with Claude Code