- Home
- Skills
- Affaan M
- Everything Claude Code
- Security Scan
security-scan_skill
- JavaScript
46.5k
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill affaan-m/everything-claude-code --skill security-scan- SKILL.md4.4 KB
Overview
This skill scans a Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. It targets CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions to produce actionable findings and remediation suggestions. Reports can be emitted to terminal, JSON, Markdown, or HTML for CI and documentation workflows.
How this skill works
The scanner inspects configuration files and directories for patterns that indicate secrets, overly permissive permissions, command injection, and unsafe MCP server definitions. It ranks findings by severity (A–F or numeric score) and can apply safe auto-fixes for trivial issues like replacing hardcoded secrets with env references. An optional adversarial deep analysis runs attacker/defender/auditor agents for a richer threat assessment.
When to use it
- Before committing changes to .claude/ or pushing configuration updates
- When onboarding to a repository with existing Claude Code configs
- After editing CLAUDE.md, settings.json, MCP configs, hooks, or agent definitions
- As a periodic security hygiene check in CI/CD pipelines
- When preparing a production deployment that relies on agent tooling
Best practices
- Run scans locally and in CI with medium severity as a minimum gate
- Replace hardcoded keys with environment variable references, not inline values
- Restrict allow lists and add deny lists; avoid wildcard Bash access
- Inspect and sanitize hook interpolations to prevent command injection
- Use the auto-fix option only for low-risk, reversible changes and review diffs
Example use cases
- Scan a new project scaffold to ensure default settings are secure before sharing
- Block a pull request that introduces hardcoded API keys or npx -y MCP server installs
- Generate a human-readable HTML or Markdown security report for audits
- Run the Opus adversarial pipeline to stress-test agent prompts and hooks
- Auto-fix low-risk issues (secrets -> env refs, tighten wildcard permissions) before merge
FAQ
AgentShield must be available; you can run it via npx or install ecc-agentshield globally with npm for repeated use.
Can the tool automatically fix every finding?
No. It auto-fixes only safe, clearly reversible issues such as replacing hardcoded secrets and tightening simple wildcard permissions; manual review is required for complex suggestions.
How do I use this in CI?
Run the scanner as a CI step and emit JSON or set fail-on-findings for a minimum severity to fail the pipeline when unacceptable issues are found.