Agent skill

security-scan

Scan your Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

View SKILL.md on GitHub Repository
Stars 19
Forks 4

Install this agent skill to your Project

npx add-skill https://github.com/x-cmd/skill/tree/main/data/affaanmustafa/security-scan

SKILL.md

Security Scan Skill

Audit your Claude Code configuration for security issues using AgentShield.

When to Activate

  • Setting up a new Claude Code project
  • After modifying .claude/settings.json, CLAUDE.md, or MCP configs
  • Before committing configuration changes
  • When onboarding to a new repository with existing Claude Code configs
  • Periodic security hygiene checks

What It Scans

File Checks
CLAUDE.md Hardcoded secrets, auto-run instructions, prompt injection patterns
settings.json Overly permissive allow lists, missing deny lists, dangerous bypass flags
mcp.json Risky MCP servers, hardcoded env secrets, npx supply chain risks
hooks/ Command injection via interpolation, data exfiltration, silent error suppression
agents/*.md Unrestricted tool access, prompt injection surface, missing model specs

Prerequisites

AgentShield must be installed. Check and install if needed:

bash
# Check if installed
npx ecc-agentshield --version

# Install globally (recommended)
npm install -g ecc-agentshield

# Or run directly via npx (no install needed)
npx ecc-agentshield scan .

Usage

Basic Scan

Run against the current project's .claude/ directory:

bash
# Scan current project
npx ecc-agentshield scan

# Scan a specific path
npx ecc-agentshield scan --path /path/to/.claude

# Scan with minimum severity filter
npx ecc-agentshield scan --min-severity medium

Output Formats

bash
# Terminal output (default) — colored report with grade
npx ecc-agentshield scan

# JSON — for CI/CD integration
npx ecc-agentshield scan --format json

# Markdown — for documentation
npx ecc-agentshield scan --format markdown

# HTML — self-contained dark-theme report
npx ecc-agentshield scan --format html > security-report.html

Auto-Fix

Apply safe fixes automatically (only fixes marked as auto-fixable):

bash
npx ecc-agentshield scan --fix

This will:

  • Replace hardcoded secrets with environment variable references
  • Tighten wildcard permissions to scoped alternatives
  • Never modify manual-only suggestions

Opus 4.6 Deep Analysis

Run the adversarial three-agent pipeline for deeper analysis:

bash
# Requires ANTHROPIC_API_KEY
export ANTHROPIC_API_KEY=your-key
npx ecc-agentshield scan --opus --stream

This runs:

  1. Attacker (Red Team) — finds attack vectors
  2. Defender (Blue Team) — recommends hardening
  3. Auditor (Final Verdict) — synthesizes both perspectives

Initialize Secure Config

Scaffold a new secure .claude/ configuration from scratch:

bash
npx ecc-agentshield init

Creates:

  • settings.json with scoped permissions and deny list
  • CLAUDE.md with security best practices
  • mcp.json placeholder

GitHub Action

Add to your CI pipeline:

yaml
- uses: affaan-m/agentshield@v1
  with:
    path: '.'
    min-severity: 'medium'
    fail-on-findings: true

Severity Levels

Grade Score Meaning
A 90-100 Secure configuration
B 75-89 Minor issues
C 60-74 Needs attention
D 40-59 Significant risks
F 0-39 Critical vulnerabilities

Interpreting Results

Critical Findings (fix immediately)

  • Hardcoded API keys or tokens in config files
  • Bash(*) in the allow list (unrestricted shell access)
  • Command injection in hooks via ${file} interpolation
  • Shell-running MCP servers

High Findings (fix before production)

  • Auto-run instructions in CLAUDE.md (prompt injection vector)
  • Missing deny lists in permissions
  • Agents with unnecessary Bash access

Medium Findings (recommended)

  • Silent error suppression in hooks (2>/dev/null, || true)
  • Missing PreToolUse security hooks
  • npx -y auto-install in MCP server configs

Info Findings (awareness)

  • Missing descriptions on MCP servers
  • Prohibitive instructions correctly flagged as good practice

Links

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

x-cmd/skill

pufferlib

High-performance reinforcement learning framework optimized for speed and scale. Use when you need fast parallel training, vectorized environments, multi-agent systems, or integration with game environments (Atari, Procgen, NetHack). Achieves 2-10x speedups over standard implementations. For quick prototyping or standard algorithm implementations with extensive documentation, use stable-baselines3 instead.

19 4
Explore
x-cmd/skill

fluidsim

Framework for computational fluid dynamics simulations using Python. Use when running fluid dynamics simulations including Navier-Stokes equations (2D/3D), shallow water equations, stratified flows, or when analyzing turbulence, vortex dynamics, or geophysical flows. Provides pseudospectral methods with FFT, HPC support, and comprehensive output analysis.

19 4
Explore
x-cmd/skill

metabolomics-workbench-database

Access NIH Metabolomics Workbench via REST API (4,200+ studies). Query metabolites, RefMet nomenclature, MS/NMR data, m/z searches, study metadata, for metabolomics and biomarker discovery.

19 4
Explore
x-cmd/skill

geniml

This skill should be used when working with genomic interval data (BED files) for machine learning tasks. Use for training region embeddings (Region2Vec, BEDspace), single-cell ATAC-seq analysis (scEmbed), building consensus peaks (universes), or any ML-based analysis of genomic regions. Applies to BED file collections, scATAC-seq data, chromatin accessibility datasets, and region-based genomic feature learning.

19 4
Explore
x-cmd/skill

zinc-database

Access ZINC (230M+ purchasable compounds). Search by ZINC ID/SMILES, similarity searches, 3D-ready structures for docking, analog discovery, for virtual screening and drug discovery.

19 4
Explore
x-cmd/skill

astropy

Comprehensive Python library for astronomy and astrophysics. This skill should be used when working with astronomical data including celestial coordinates, physical units, FITS files, cosmological calculations, time systems, tables, world coordinate systems (WCS), and astronomical data analysis. Use when tasks involve coordinate transformations, unit conversions, FITS file manipulation, cosmological distance calculations, time scale conversions, or astronomical data processing.

19 4
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results