Scan Claude Code configs for vulnerabilities, misconfigurations, and prompt injection risks.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "security-scan" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/security-scan/SKILL.md 2. Save it as ~/.claude/skills/security-scan/SKILL.md 3. Reload skills and tell me it's ready
Scan my .claude/ directory for security vulnerabilities, misconfigurations, and injection risks in CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions. List findings by severity with remediation advice.
A severity-ranked security audit report with risk details, affected files, and remediation steps.
Focus on reviewing MCP servers and hooks in the .claude/ configuration. Identify high-privilege commands, dangerous script calls, external connection risks, and possible prompt injection entry points, and explain why they are risky.
A focused risk list for MCP servers and hooks, including reasoning and hardening recommendations.
Based on the .claude/ scan results, create a remediation priority list showing which high-risk issues to fix first, which can wait, and the recommended change direction for each item.
An actionable remediation plan with priorities, fix order, and recommended mitigation directions.
Audit your Claude Code configuration for security issues using AgentShield.
.claude/settings.json, CLAUDE.md, or MCP configs| File | Checks |
|---|---|
CLAUDE.md | Hardcoded secrets, auto-run instructions, prompt injection patterns |
settings.json | Overly permissive allow lists, missing deny lists, dangerous bypass flags |
mcp.json | Risky MCP servers, hardcoded env secrets, npx supply chain risks |
hooks/ | Command injection via interpolation, data exfiltration, silent error suppression |
agents/*.md | Unrestricted tool access, prompt injection surface, missing model specs |
AgentShield must be installed. Check and install if needed:
# Check if installed
npx ecc-agentshield --version
# Install globally (recommended)
npm install -g ecc-agentshield
# Or run directly via npx (no install needed)
npx ecc-agentshield scan .
Run against the current project's .claude/ directory:
# Scan current project
npx ecc-agentshield scan
# Scan a specific path
npx ecc-agentshield scan --path /path/to/.claude
# Scan with minimum severity filter
npx ecc-agentshield scan --min-severity medium
# Terminal output (default) — colored report with grade
npx ecc-agentshield scan
# JSON — for CI/CD integration
npx ecc-agentshield scan --format json
# Markdown — for documentation
npx ecc-agentshield scan --format markdown
# HTML — self-contained dark-theme report
npx ecc-agentshield scan --format html > security-report.html
Apply safe fixes automatically (only fixes marked as auto-fixable):
npx ecc-agentshield scan --fix
This will:
Run the adversarial three-agent pipeline for deeper analysis:
# Requires ANTHROPIC_API_KEY
export ANTHROPIC_API_KEY=your-key
npx ecc-agentshield scan --opus --stream
This runs:
Scaffold a new secure .claude/ configuration from scratch:
npx ecc-agentshield init
Creates:
settings.json with scoped permissions and deny listCLAUDE.md with security best practicesmcp.json placeholderAdd to your CI pipeline:
- uses: affaan-m/agentshield@v1
with:
path: '.'
min-severity: 'medium'
fail-on-findings: true
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100 | Secure configuration |
| B | 75-89 | Minor issues |
| C | 60-74 | Needs attention |
| D | 40-59 | Significant risks |
| F | 0-39 | Critical vulnerabilities |
Bash(*) in the allow list (unrestricted shell access)${file} interpolation2>/dev/null, || true)npx -y auto-install in MCP server configs…
Handle returns, refunds, fraud checks, and warranty claim decisions efficiently.
Use Bun for runtime, bundling, testing, packages, and Node migration decisions.
Use the correct Ethereum Keccak-256 hashing in Node.js and TypeScript.
Apply Nuxt 4 patterns for SSR safety, performance, and data fetching.
Generate images, videos, and audio with one unified AI media workflow.
Design Quarkus 3 backend patterns for messaging, APIs, data, and async workflows.
Add security scanning, auditing, and vulnerability checks to Claude Code and Cursor.
Detect prompt injection, look up CVEs, and assess version impact.
Run multi-engine security reviews and prioritize code, secret, and dependency risks.
Scan AI agents for tool-calling vulnerabilities and surface key security risks.
Provides wordlists, payloads, and expert workflows for authorized security testing.
Scan MCP server configs for injections, secrets, and dangerous commands.