djc00p

Claude Code Security Scan

by Deonte Cooper · GitHub ↗ · v1.0.0 · MIT-0
linux · darwin · win32 · ✓ Security Clean
139 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install claude-code-security-scan
Description
Audit Claude Code configuration for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Scans settings, MCP servers, hooks, a...
README (SKILL.md)

Security Scan

Audit Claude Code configuration for security issues using AgentShield.

When to Activate

  • Setting up a new Claude Code project
  • After modifying settings.json, CLAUDE.md, or MCP configs
  • Before committing configuration changes
  • Onboarding to a repo with existing configs
  • Periodic security hygiene checks

What It Scans

  • CLAUDE.md — Hardcoded secrets, auto-run instructions, injection patterns
  • settings.json — Overly permissive allow lists, missing deny lists
  • mcp.json — Risky MCP servers, hardcoded env secrets
  • hooks/ — Command injection via interpolation, data exfiltration
  • agents/ — Unrestricted tool access, missing model specs

Setup & Usage

# Install globally (recommended)
npm install -g ecc-agentshield

# Or run via npx (no install needed)
npx ecc-agentshield scan

Commands

# Basic scan
npx ecc-agentshield scan

# Scan specific path
npx ecc-agentshield scan --path /path/to/.claude

# Filter by severity
npx ecc-agentshield scan --min-severity medium

# Output formats
npx ecc-agentshield scan --format json
npx ecc-agentshield scan --format markdown
npx ecc-agentshield scan --format html > report.html

# Auto-fix safe issues
npx ecc-agentshield scan --fix

# Deep analysis (requires ANTHROPIC_API_KEY)
npx ecc-agentshield scan --opus --stream

# Initialize secure config
npx ecc-agentshield init

Severity Grades

Grade  Score   Meaning
A      90-100  Secure
B      75-89   Minor issues
C      60-74   Needs attention
D      40-59   Significant risks
F      0-39    Critical

Critical Findings (Fix Immediately)

  • Hardcoded API keys in config
  • Bash(*) unrestricted shell access
  • Command injection via ${file} interpolation
  • Shell-running MCP servers

High Findings (Fix Before Production)

  • Auto-run instructions in CLAUDE.md
  • Missing deny lists
  • Unnecessary Bash access in agents
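
The finding categories listed above can be approximated with a few static checks. The following is an added example, not AgentShield's code and not part of the original SKILL.md; the `permissions.allow`/`deny` and `mcpServers` shapes, the `hookCommands` input and the rule IDs are assumptions made for illustration.

```javascript
// Added example: heuristic checks modelled on the finding categories above.
// Not AgentShield's code; config shapes and rule IDs are assumptions.
const SECRET_KEY = /(key|token|secret|password)/i;
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/; // value is taken from the environment
const SHELLS = new Set(["sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"]);

function auditClaudeConfig({ settings = {}, mcp = {}, hookCommands = [] }) {
  const findings = [];
  const add = (severity, id, detail) => findings.push({ severity, id, detail });
  const perms = settings.permissions || {};

  // Bash(*) (or a bare Bash rule) lets the agent run any shell command.
  for (const rule of perms.allow || []) {
    if (rule === "Bash(*)" || rule === "Bash") add("critical", "unrestricted-bash", rule);
  }
  // No deny list means nothing is explicitly off limits.
  if (!Array.isArray(perms.deny) || perms.deny.length === 0) {
    add("high", "missing-deny-list", "permissions.deny is absent or empty");
  }
  for (const [name, server] of Object.entries(mcp.mcpServers || {})) {
    // An MCP server whose command is a shell can execute arbitrary strings.
    const bin = String(server.command || "").split(/[\\/]/).pop().toLowerCase();
    if (SHELLS.has(bin)) add("critical", "shell-mcp-server", name);
    // Secret-looking env keys should reference the environment, not hold a literal.
    for (const [key, value] of Object.entries(server.env || {})) {
      if (SECRET_KEY.test(key) && value && !ENV_REF.test(value)) {
        add("critical", "hardcoded-secret", `${name}.env.${key}`); // never echo the value
      }
    }
  }
  // ${file}-style interpolation places externally influenced text in a shell command.
  for (const cmd of hookCommands) {
    if (/\$\{[^}]+\}/.test(cmd)) add("critical", "hook-interpolation", cmd);
  }
  return findings;
}

// Constructed sample input (not from a real project).
const sample = {
  settings: { permissions: { allow: ["Read(src/**)", "Bash(*)"] } },
  mcp: { mcpServers: {
    runner: { command: "/bin/bash", args: ["-c", "serve"] },
    search: { command: "node", env: { SEARCH_API_KEY: "sk-constructed-0000", REGION: "eu" } },
    docs: { command: "node", env: { DOCS_TOKEN: "${DOCS_TOKEN}" } },
  } },
  hookCommands: ["prettier --write ${file}", "npm run lint"],
};
const sampleFindings = auditClaudeConfig(sample);
console.log(sampleFindings.map((f) => `${f.severity}\t${f.id}\t${f.detail}`).join("\n"));
```
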
Usage Guidance
This skill is coherent for its stated purpose (running an npm-based Claude Code config scanner) but has two operational risks you should consider before installing/using it:

  • npx/npm execution risk: The recommended usage runs ecc-agentshield from the npm registry. npx executes code fetched from npm at run time — only run this if you trust the package author or after reviewing the package source (repository, package contents, and maintainers). Prefer installing in a sandbox or CI job with limited access.
  • Data exfiltration risk via optional Anthropic mode: The SKILL.md includes a deep-analysis flag that requires ANTHROPIC_API_KEY; using it will send configuration contents (possibly including secrets) to Anthropic. Don’t provide that key unless you intend to send potentially sensitive config to an external service. Consider running scans offline or redacting secrets first.

Practical steps: review the ecc-agentshield npm package (repo, recent releases, maintainers), prefer npx with version pinning (npx ecc-agentshield@<version>), run it in an isolated container or CI with no unnecessary credentials mounted, and avoid passing ANTHROPIC_API_KEY or other secrets unless you explicitly want cloud-based analysis.
Capability Analysis
Type: OpenClaw Skill
Name: claude-code-security-scan
Version: 1.0.0

The skill bundle provides a security auditing utility for Claude Code configurations using the 'ecc-agentshield' package. It instructs the agent to perform scans for hardcoded secrets and misconfigurations via standard npm/npx commands. The logic and instructions in SKILL.md are transparently aligned with the stated purpose of security hygiene and do not exhibit signs of data exfiltration, malicious execution, or harmful prompt injection.
Capability Assessment
Purpose & Capability
The name/description (audit Claude Code configs with AgentShield) matches the declared requirements: node/npm are listed and the SKILL.md instructs running the npm package ecc-agentshield. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions explicitly tell the agent to scan CLAUDE.md, settings.json, mcp.json, hooks/, and agents/ — all within the stated purpose. However the SKILL.md exposes an optional deep analysis flag (--opus --stream) that requires ANTHROPIC_API_KEY and would transmit scanned content to an external API; the document does not warn about sending sensitive configuration or secrets to an external service.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md recommends npm install -g or npx ecc-agentshield. Using npx installs/executes code from the public npm registry at runtime — a moderate risk if the package is unvetted or malicious. No direct download URLs or extract steps are present, which is better than arbitrary URL downloads, but the package identity/source is unknown (no homepage or repository listed).
Credentials
The skill declares no required environment variables and lists ANTHROPIC_API_KEY as optional for deep analysis; this is proportionate to the optional feature. There are no unrelated or excessive credential requests. Be aware that providing ANTHROPIC_API_KEY will allow the tool to send scanned data to an external API.
Persistence & Privilege
always is false and there is no install script or code in the skill bundle that would persist or modify other skills or system settings. The skill is instruction-only and does not demand permanent presence or elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install claude-code-security-scan
  3. After installation, invoke the skill by name or use /claude-code-security-scan
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release. Claude Code config security audit — scans for hardcoded secrets, injection risks, misconfigs. Adapted from everything-claude-code by @affaan-m (MIT)
Metadata
Slug claude-code-security-scan
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Claude Code Security Scan?

Audit Claude Code configuration for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Scans settings, MCP servers, hooks, a... It is an AI Agent Skill for Claude Code / OpenClaw, with 139 downloads so far.

How do I install Claude Code Security Scan?

Run "/install claude-code-security-scan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Claude Code Security Scan free?

Yes, Claude Code Security Scan is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Claude Code Security Scan support?

Claude Code Security Scan is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).

Who created Claude Code Security Scan?

It is built and maintained by Deonte Cooper (@djc00p); the current version is v1.0.0.
