Scan your Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.
Security Scan Skill
Audit your Claude Code configuration for security issues using AgentShield.
When to Activate
- Setting up a new Claude Code project
- After modifying
.claude/settings.json,CLAUDE.md, or MCP configs - Before committing configuration changes
- When onboarding to a new repository with existing Claude Code configs
- Periodic security hygiene checks
What It Scans
| File | Checks |
|---|---|
CLAUDE.md | Hardcoded secrets, auto-run instructions, prompt injection patterns |
settings.json | Overly permissive allow lists, missing deny lists, dangerous bypass flags |
mcp.json | Risky MCP servers, hardcoded env secrets, npx supply chain risks |
hooks/ | Command injection via interpolation, data exfiltration, silent error suppression |
agents/*.md | Unrestricted tool access, prompt injection surface, missing model specs |
Prerequisites
AgentShield must be installed. Check and install if needed:
1# Check if installed
2npx ecc-agentshield --version
3
4# Install globally (recommended)
5npm install -g ecc-agentshield
6
7# Or run directly via npx (no install needed)
8npx ecc-agentshield scan .Usage
Basic Scan
Run against the current project's .claude/ directory:
1# Scan current project
2npx ecc-agentshield scan
3
4# Scan a specific path
5npx ecc-agentshield scan --path /path/to/.claude
6
7# Scan with minimum severity filter
8npx ecc-agentshield scan --min-severity mediumOutput Formats
1# Terminal output (default) — colored report with grade
2npx ecc-agentshield scan
3
4# JSON — for CI/CD integration
5npx ecc-agentshield scan --format json
6
7# Markdown — for documentation
8npx ecc-agentshield scan --format markdown
9
10# HTML — self-contained dark-theme report
11npx ecc-agentshield scan --format html > security-report.htmlAuto-Fix
Apply safe fixes automatically (only fixes marked as auto-fixable):
1npx ecc-agentshield scan --fixThis will:
- Replace hardcoded secrets with environment variable references
- Tighten wildcard permissions to scoped alternatives
- Never modify manual-only suggestions
Opus 4.6 Deep Analysis
Run the adversarial three-agent pipeline for deeper analysis:
1# Requires ANTHROPIC_API_KEY
2export ANTHROPIC_API_KEY=your-key
3npx ecc-agentshield scan --opus --streamThis runs:
- Attacker (Red Team) — finds attack vectors
- Defender (Blue Team) — recommends hardening
- Auditor (Final Verdict) — synthesizes both perspectives
Initialize Secure Config
Scaffold a new secure .claude/ configuration from scratch:
1npx ecc-agentshield initCreates:
settings.jsonwith scoped permissions and deny listCLAUDE.mdwith security best practicesmcp.jsonplaceholder
GitHub Action
Add to your CI pipeline:
1- uses: affaan-m/agentshield@v1
2 with:
3 path: "."
4 min-severity: "medium"
5 fail-on-findings: trueSeverity Levels
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100 | Secure configuration |
| B | 75-89 | Minor issues |
| C | 60-74 | Needs attention |
| D | 40-59 | Significant risks |
| F | 0-39 | Critical vulnerabilities |
Interpreting Results
Critical Findings (fix immediately)
- Hardcoded API keys or tokens in config files
Bash(*)in the allow list (unrestricted shell access)- Command injection in hooks via
${file}interpolation - Shell-running MCP servers
High Findings (fix before production)
- Auto-run instructions in CLAUDE.md (prompt injection vector)
- Missing deny lists in permissions
- Agents with unnecessary Bash access
Medium Findings (recommended)
- Silent error suppression in hooks (
2>/dev/null,|| true) - Missing PreToolUse security hooks
npx -yauto-install in MCP server configs
Info Findings (awareness)
- Missing descriptions on MCP servers
- Prohibitive instructions correctly flagged as good practice