djc00p

Claude Code Security Scan

Author: Deonte Cooper · v1.0.0 · MIT-0
Platforms: linux, darwin, win32 · ✓ Security check passed
Total downloads: 139
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install claude-code-security-scan
Description
Audit Claude Code configuration for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Scans settings, MCP servers, hooks, a...
Usage (SKILL.md)

Security Scan

Audit Claude Code configuration for security issues using AgentShield.

When to Activate

  • Setting up a new Claude Code project
  • After modifying settings.json, CLAUDE.md, or MCP configs
  • Before committing configuration changes
  • Onboarding to a repo with existing configs
  • Periodic security hygiene checks

What It Scans

  • CLAUDE.md — Hardcoded secrets, auto-run instructions, injection patterns
  • settings.json — Overly permissive allow lists, missing deny lists
  • mcp.json — Risky MCP servers, hardcoded env secrets
  • hooks/ — Command injection via interpolation, data exfiltration
  • agents/ — Unrestricted tool access, missing model specs

Setup & Usage

# Install globally (recommended)
npm install -g ecc-agentshield

# Or run via npx (no install needed)
npx ecc-agentshield scan

Commands

# Basic scan
npx ecc-agentshield scan

# Scan specific path
npx ecc-agentshield scan --path /path/to/.claude

# Filter by severity
npx ecc-agentshield scan --min-severity medium

# Output formats
npx ecc-agentshield scan --format json
npx ecc-agentshield scan --format markdown
npx ecc-agentshield scan --format html > report.html

# Auto-fix safe issues
npx ecc-agentshield scan --fix

# Deep analysis (requires ANTHROPIC_API_KEY)
npx ecc-agentshield scan --opus --stream

# Initialize secure config
npx ecc-agentshield init

Severity Grades

Grade  Score   Meaning
A      90-100  Secure
B      75-89   Minor issues
C      60-74   Needs attention
D      40-59   Significant risks
F      0-39    Critical

Critical Findings (Fix Immediately)

  • Hardcoded API keys in config
  • Bash(*) unrestricted shell access
  • Command injection via ${file} interpolation
  • Shell-running MCP servers

High Findings (Fix Before Production)

  • Auto-run instructions in CLAUDE.md
  • Missing deny lists
  • Unnecessary Bash access in agents
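
As an added illustration (not code from this page and not AgentShield's own implementation), the following Node.js checker flags three of the findings listed above in a settings object: a `Bash(*)` allow rule, a missing deny list, and `${file}` interpolation in a hook command. It assumes a settings.json layout with `permissions.allow` / `permissions.deny` arrays and hook entries that carry a `command` string; the sample configuration and the finding ids are constructed for the example.

```javascript
// Added example: a minimal checker, not AgentShield's implementation.
// Assumed layout: permissions.allow / permissions.deny arrays and
// hooks.<Event>[].hooks[].command strings. Finding ids are hypothetical.

// Constructed sample configuration (not taken from a real project).
const sampleSettings = {
  permissions: { allow: ["Read(src/**)", "Bash(*)"] }, // no deny list
  hooks: {
    PostToolUse: [
      { matcher: "Edit", hooks: [{ type: "command", command: "prettier --write ${file}" }] },
    ],
  },
};

function auditSettings(settings) {
  const findings = [];
  const perms = settings.permissions || {};
  const allow = Array.isArray(perms.allow) ? perms.allow : [];
  const deny = Array.isArray(perms.deny) ? perms.deny : [];

  // Critical: Bash(*) permits any shell command.
  for (const rule of allow) {
    if (typeof rule === "string" && /^Bash\(\s*\*\s*\)$/.test(rule.trim())) {
      findings.push({ severity: "critical", id: "unrestricted-bash", detail: rule });
    }
  }
  // High: nothing is explicitly denied.
  if (deny.length === 0) {
    findings.push({ severity: "high", id: "missing-deny-list", detail: "permissions.deny" });
  }
  // Critical: ${file} substituted into a shell command string, so a file
  // name containing shell metacharacters is parsed as shell syntax.
  for (const [event, groups] of Object.entries(settings.hooks || {})) {
    for (const group of groups || []) {
      for (const hook of group.hooks || []) {
        if (typeof hook.command === "string" && hook.command.includes("${file}")) {
          findings.push({ severity: "critical", id: "hook-interpolation", detail: `${event}: ${hook.command}` });
        }
      }
    }
  }
  return findings;
}

console.log(auditSettings(sampleSettings));
```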
Safe usage recommendations
This skill is coherent for its stated purpose (running an npm-based Claude Code config scanner) but has two operational risks you should consider before installing or using it:

  • npx/npm execution risk: The recommended usage runs ecc-agentshield from the npm registry. npx executes code fetched from npm at run time, so only run this if you trust the package author or after reviewing the package source (repository, package contents, and maintainers). Prefer installing in a sandbox or CI job with limited access.
  • Data exfiltration risk via optional Anthropic mode: The SKILL.md includes a deep-analysis flag that requires ANTHROPIC_API_KEY; using it will send configuration contents (possibly including secrets) to Anthropic. Don’t provide that key unless you intend to send potentially sensitive config to an external service. Consider running scans offline or redacting secrets first.

Practical steps: review the ecc-agentshield npm package (repo, recent releases, maintainers), prefer npx with version pinning (npx ecc-agentshield@<version>), run it in an isolated container or CI with no unnecessary credentials mounted, and avoid passing ANTHROPIC_API_KEY or other secrets unless you explicitly want cloud-based analysis.
Functional analysis
Type: OpenClaw Skill
Name: claude-code-security-scan
Version: 1.0.0

The skill bundle provides a security auditing utility for Claude Code configurations using the 'ecc-agentshield' package. It instructs the agent to perform scans for hardcoded secrets and misconfigurations via standard npm/npx commands. The logic and instructions in SKILL.md are transparently aligned with the stated purpose of security hygiene and do not exhibit signs of data exfiltration, malicious execution, or harmful prompt injection.
Capability assessment
Purpose & Capability
The name/description (audit Claude Code configs with AgentShield) matches the declared requirements: node/npm are listed and the SKILL.md instructs running the npm package ecc-agentshield. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions explicitly tell the agent to scan CLAUDE.md, settings.json, mcp.json, hooks/, and agents/ — all within the stated purpose. However the SKILL.md exposes an optional deep analysis flag (--opus --stream) that requires ANTHROPIC_API_KEY and would transmit scanned content to an external API; the document does not warn about sending sensitive configuration or secrets to an external service.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md recommends npm install -g or npx ecc-agentshield. Using npx installs/executes code from the public npm registry at runtime — a moderate risk if the package is unvetted or malicious. No direct download URLs or extract steps are present, which is better than arbitrary URL downloads, but the package identity/source is unknown (no homepage or repository listed).
Credentials
The skill declares no required environment variables and lists ANTHROPIC_API_KEY as optional for deep analysis; this is proportionate to the optional feature. There are no unrelated or excessive credential requests. Be aware that providing ANTHROPIC_API_KEY will allow the tool to send scanned data to an external API.
Persistence & Privilege
always is false and there is no install script or code in the skill bundle that would persist or modify other skills or system settings. The skill is instruction-only and does not demand permanent presence or elevated privileges.
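How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install claude-code-security-scan
  3. Once installation completes, invoke the Skill by name or trigger it with /claude-code-security-scan
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history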
v1.0.0
Initial release. Claude Code config security audit — scans for hardcoded secrets, injection risks, misconfigs. Adapted from everything-claude-code by @affaan-m (MIT)
Metadata
Slug claude-code-security-scan
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Versions 1
FAQ

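What is Claude Code Security Scan?

Audit Claude Code configuration for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Scans settings, MCP servers, hooks, a... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 139 total downloads so far.

How do I install Claude Code Security Scan?

Run the command "/install claude-code-security-scan" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Claude Code Security Scan free?

Yes. Claude Code Security Scan is completely free and is released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Claude Code Security Scan support?

Claude Code Security Scan is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux, darwin, win32).

Who developed Claude Code Security Scan?

It is developed and maintained by Deonte Cooper (@djc00p); the current version is v1.0.0.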
