Scan a Claude Code configuration for security vulnerabilities, misconfigurations and injection risks, and report the findings
Copy the install instruction and let the AI complete the setup automatically · Recommended for beginners
Please install the "security-scan" skill from askskill for me: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/security-scan/SKILL.md 2. Save it as ~/.claude/skills/security-scan/SKILL.md 3. After installing, reload the skills and tell me it is ready to use.
Please scan my .claude/ directory and check CLAUDE.md, settings.json, MCP servers, hooks and agent definitions for security vulnerabilities, misconfigurations and injection risks, then list the issues by severity together with fix recommendations.
A security check report sorted by severity, including risk descriptions, affected files and fix recommendations.
Focus on the MCP servers and hooks in the .claude/ configuration: identify high-privilege commands, dangerous script invocations, external connection risks and potential prompt injection entry points, and explain the reasoning for each.
A dedicated risk list for MCP and hooks, with cause analysis and hardening recommendations.
Based on the scan results for .claude/, generate a prioritized fix list for me: which high-risk issues to fix first, which can be deferred, and the suggested direction of change for each item.
An actionable remediation plan including priorities, processing order and the corresponding fix direction for each item.
Audit your Claude Code configuration for security issues using AgentShield.
.claude/settings.json, CLAUDE.md, or MCP configs
| File | Checks |
|---|---|
| CLAUDE.md | Hardcoded secrets, auto-run instructions, prompt injection patterns |
| settings.json | Overly permissive allow lists, missing deny lists, dangerous bypass flags |
| mcp.json | Risky MCP servers, hardcoded env secrets, npx supply chain risks |
| hooks/ | Command injection via interpolation, data exfiltration, silent error suppression |
| agents/*.md | Unrestricted tool access, prompt injection surface, missing model specs |
AgentShield must be installed. Check and install if needed:
```bash
# Check if installed
npx ecc-agentshield --version
# Install globally (recommended)
npm install -g ecc-agentshield
# Or run directly via npx (no install needed)
npx ecc-agentshield scan .
```
Run against the current project's .claude/ directory:
```bash
# Scan current project
npx ecc-agentshield scan
# Scan a specific path
npx ecc-agentshield scan --path /path/to/.claude
# Scan with minimum severity filter
npx ecc-agentshield scan --min-severity medium
```
Output formats:
```bash
# Terminal output (default) — colored report with grade
npx ecc-agentshield scan
# JSON — for CI/CD integration
npx ecc-agentshield scan --format json
# Markdown — for documentation
npx ecc-agentshield scan --format markdown
# HTML — self-contained dark-theme report
npx ecc-agentshield scan --format html > security-report.html
```
Apply safe fixes automatically (only fixes marked as auto-fixable):
```bash
npx ecc-agentshield scan --fix
```
This will:
Run the adversarial three-agent pipeline for deeper analysis:
```bash
# Requires ANTHROPIC_API_KEY
export ANTHROPIC_API_KEY=your-key
npx ecc-agentshield scan --opus --stream
```
This runs:
Scaffold a new secure .claude/ configuration from scratch:
```bash
npx ecc-agentshield init
```
Creates:
- settings.json with scoped permissions and deny list
- CLAUDE.md with security best practices
- mcp.json placeholder
Add to your CI pipeline:
```yaml
- uses: affaan-m/agentshield@v1
  with:
    path: '.'
    min-severity: 'medium'
    fail-on-findings: true
```
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100 | Secure configuration |
| B | 75-89 | Minor issues |
| C | 60-74 | Needs attention |
| D | 40-59 | Significant risks |
| F | 0-39 | Critical vulnerabilities |
- `Bash(*)` in the allow list (unrestricted shell access)
- `${file}` interpolation in hook commands
- Silent error suppression (`2>/dev/null`, `|| true`)
- `npx -y` auto-install in MCP server configs
- …