Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

everything-claude-code-harness

Agent harness performance system for Claude Code and other AI coding agents — skills, instincts, memory, hooks, commands, and security scanning

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 16 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description claim an agent harness for Claude Code and related tools, and the instructions show exactly that (subagents, skills, hooks, rules, security-scan). That purpose aligns with the actions described (installing rules, adding hooks, providing commands). Small inconsistency: metadata lists no required env vars while SKILL.md documents optional env vars (ECC_HOOK_PROFILE, ECC_DISABLED_HOOKS, CLAUDE_PACKAGE_MANAGER). This is a minor mismatch but not proof of maliciousness.
! Instruction Scope
The runtime instructions direct users/agents to run commands that clone a third‑party GitHub repo and run install.sh/scripts, copy rules into project and global ~/.claude paths, and enable hooks that fire on lifecycle events (SessionStart, PreBash, PostEdit, etc.). Those instructions potentially grant the installed code broad ability to read/modify the project and to run on agent lifecycle events. The SKILL.md does not include safeguards (review steps, limited-scope installation, or sandbox guidance) and says hooks can be 'strict' or 'minimal' but does not define what hooks may execute (shell commands, network calls, file I/O).
! Install Mechanism
The skill itself has no install spec or code, but it instructs cloning and running an external GitHub repo (affaan-m/everything-claude-code) and running install.sh and utility scripts. That effectively delegates installation to arbitrary third‑party code, which could execute anything on the host. Instruction-only skills are lower-risk in isolation, but these explicit install steps increase risk and should be treated as an external install mechanism (unreviewed archive/installer).
Credentials
The declared metadata requests no credentials or config paths, which is appropriate. The SKILL.md references a few optional environment variables (ECC_HOOK_PROFILE, ECC_DISABLED_HOOKS, CLAUDE_PACKAGE_MANAGER) used to control behavior — these are reasonable for configuration and do not request secrets. No tokens, keys, or unrelated credentials are asked for in the provided content.
! Persistence & Privilege
The skill advises installing code into project and global .claude directories and installing hooks that fire on lifecycle events. That creates persistent behavior (hooks run automatically) and can alter the agent's runtime environment. 'always' is false, but the recommended install produces durable, privileged behavior that can run shell commands and modify project files — the SKILL.md does not provide clear limits or auditing steps for these persistent hooks.
Scan Findings in Context
[no_regex_findings] expected: The static regex scanner found no code to analyze because this is an instruction-only skill. That is expected for SKILL.md-only skills, but it means the actual install-time code (the GitHub repo/install.sh) was not inspected.
What to consider before installing
This SKILL.md describes a plausible Claude Code harness but instructs you to clone and run third‑party install scripts and to install hooks that will persist and run on agent lifecycle events. Before installing:

  1. Prefer the official plugin marketplace path if it exists and is trusted.
  2. If you must clone, review the repository (especially install.sh, scripts/, and hooks/) line-by-line before running.
  3. Run the installer in an isolated environment (container or VM) first.
  4. Do not install into your global/home .claude directories until you verify behavior.
  5. Use ECC_HOOK_PROFILE=minimal and explicitly set ECC_DISABLED_HOOKS to prevent unexpected hooks.
  6. Look for any network calls, credential reads, or outbound endpoints in the repo and disallow or sandbox them.
  7. If you lack time/expertise to audit the repo, treat this as untrusted code and avoid installing it on sensitive machines.

Additional helpful info to reduce uncertainty: a copy of the referenced GitHub repository (install scripts and hook implementations) would allow a higher-confidence assessment.
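A first-pass triage for item 6 of the checklist above, as an added example that is not part of the scan report or of ECC: it flags lines in hook and installer source that touch the network, read credentials, or spawn a shell, so the line-by-line review starts at the right places. The pattern set and the sample hook are constructed for this example.

```javascript
// Added example: triage of hook/installer source for the behaviours named in item 6.
// Patterns are a starting set chosen here, not AgentShield or ClawHub rules.
const CHECKS = [
  { id: 'network-call', re: /\b(curl|wget)\b|\bfetch\s*\(|require\(['"](https?|net|dgram)['"]\)/ },
  { id: 'outbound-endpoint', re: /https?:\/\/[^\s'"`)]+/ },
  { id: 'credential-read', re: /\.ssh\b|\.aws\b|\.npmrc\b|\.netrc\b|process\.env\.[A-Z0-9_]*(TOKEN|SECRET|KEY|PASSWORD)/ },
  { id: 'shell-exec', re: /require\(['"]child_process['"]\)|\beval\b|\|\s*(ba)?sh\b/ }
]

// Returns one finding per (line, check) so a reviewer can jump straight to the code.
function auditSource(file, text) {
  const findings = []
  text.split('\n').forEach((line, i) => {
    for (const { id, re } of CHECKS) {
      const m = re.exec(line)
      if (m) findings.push({ file, line: i + 1, id, match: m[0] })
    }
  })
  return findings
}

// Constructed sample standing in for a file under hooks/ (not ECC's code).
const sampleHook = [
  "const fs = require('fs')",
  "const https = require('https')",
  "const token = process.env.GITHUB_TOKEN",
  "https.get('https://updates.example.invalid/version.json')"
].join('\n')

for (const f of auditSource('hooks/sample.js', sampleHook)) {
  console.log(`${f.file}:${f.line} [${f.id}] ${f.match}`)
}
```

A clean result only means none of these patterns appeared; it does not replace reading install.sh, scripts/ and hooks/.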

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0 (latest, vk9799002451b3c6ywzxreqsp2x830dfk)


SKILL.md

Everything Claude Code (ECC) — Agent Harness Performance System

Skill by ara.so — Daily 2026 Skills collection.

Everything Claude Code (ECC) is a production-ready performance optimization system for AI agent harnesses. It provides specialized subagents, reusable skills, custom slash commands, memory-persisting hooks, security scanning, and language-specific rules — all evolved from 10+ months of daily real-world use. Works across Claude Code, Cursor, Codex, OpenCode, and Antigravity.


Installation

Option 1: Plugin Marketplace (Recommended)

# Inside Claude Code, run:
/plugin marketplace add affaan-m/everything-claude-code
/plugin install everything-claude-code@everything-claude-code

Option 2: Manual Clone

git clone https://github.com/affaan-m/everything-claude-code.git
cd everything-claude-code

# Install rules for your language stack
./install.sh typescript
# Multiple languages:
./install.sh typescript python golang swift
# Target a specific IDE:
./install.sh --target cursor typescript

Install Rules (Always Required)

Claude Code plugins cannot auto-distribute rules — install them manually via ./install.sh or copy from rules/ into your project's .claude/rules/ directory.


Directory Structure

everything-claude-code/
├── .claude-plugin/         # Plugin and marketplace manifests
│   ├── plugin.json
│   └── marketplace.json
├── agents/                 # Specialized subagents (planner, architect, etc.)
├── commands/               # Slash commands (/plan, /security-scan, etc.)
├── skills/                 # Reusable skill modules
├── hooks/                  # Lifecycle hooks (SessionStart, Stop, PostEdit, etc.)
├── rules/
│   ├── common/             # Language-agnostic rules
│   ├── typescript/
│   ├── python/
│   ├── golang/
│   └── swift/
├── scripts/                # Setup and utility scripts
└── install.sh              # Interactive installer

Key Commands

After installation, use the namespaced form (plugin install) or short form (manual install):

# Planning & architecture
/everything-claude-code:plan "Add OAuth2 login flow"
/everything-claude-code:architect "Design a multi-tenant SaaS system"

# Research-first development
/everything-claude-code:research "Best approach for rate limiting in Node.js"

# Security
/everything-claude-code:security-scan
/everything-claude-code:harness-audit

# Agent loops and orchestration
/everything-claude-code:loop-start
/everything-claude-code:loop-status
/everything-claude-code:quality-gate
/everything-claude-code:model-route

# Multi-agent workflows
/everything-claude-code:multi-plan
/everything-claude-code:multi-execute
/everything-claude-code:multi-backend
/everything-claude-code:multi-frontend

# Session and memory
/everything-claude-code:sessions
/everything-claude-code:instinct-import

# PM2 orchestration
/everything-claude-code:pm2

# Package manager setup
/everything-claude-code:setup-pm

With manual install, drop the everything-claude-code: prefix: /plan, /sessions, etc.


Hook Runtime Controls

ECC hooks fire at agent lifecycle events. Control strictness at runtime without editing files:

# Set hook strictness profile
export ECC_HOOK_PROFILE=minimal    # Least intrusive
export ECC_HOOK_PROFILE=standard   # Default
export ECC_HOOK_PROFILE=strict     # Maximum enforcement

# Disable specific hooks by ID (comma-separated)
export ECC_DISABLED_HOOKS="pre:bash:tmux-reminder,post:edit:typecheck"

Hook events covered: SessionStart, Stop, PostEdit, PreBash, PostBash, and more.


Package Manager Detection

ECC auto-detects your package manager with this priority chain:

  1. CLAUDE_PACKAGE_MANAGER environment variable
  2. .claude/package-manager.json (project-level)
  3. package.json packageManager field
  4. Lock file detection (package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lockb)
  5. ~/.claude/package-manager.json (global)
  6. First available manager as fallback

# Set via environment
export CLAUDE_PACKAGE_MANAGER=pnpm

# Set globally
node scripts/setup-package-manager.js --global pnpm

# Set per-project
node scripts/setup-package-manager.js --project bun

# Detect current setting
node scripts/setup-package-manager.js --detect
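The priority chain above, written out as an added example (this is not ECC's scripts/setup-package-manager.js). Steps 2 to 4 are read from the project directory, so in a freshly cloned repository they are untrusted input that ends up as a command name; the resolver below accepts only allow-listed names and reports which tier decided. The JSON shape of package-manager.json and the skip-and-record handling of invalid values are assumptions made here.

```javascript
// Added example: the six-step chain above with an allow-list on every tier.
// Assumed: both package-manager.json files look like {"packageManager":"pnpm"}.
const ALLOWED = ['npm', 'pnpm', 'yarn', 'bun']
const LOCKFILES = { 'package-lock.json': 'npm', 'yarn.lock': 'yarn',
                    'pnpm-lock.yaml': 'pnpm', 'bun.lockb': 'bun' }

// Accept only a bare allow-listed name; "pnpm@9.1.0" is reduced to "pnpm".
function clean(value) {
  if (typeof value !== 'string') return null
  const name = value.trim().split('@')[0]
  return ALLOWED.includes(name) ? name : null
}

// Read one field from a JSON file held in `files`; missing or malformed -> undefined.
function jsonField(files, file, field) {
  try { return JSON.parse(files[file])[field] } catch { return undefined }
}

// env: environment object; files: { path: contents } for files that exist;
// installed: managers found on PATH. Returns { manager, source, rejected }.
function resolvePackageManager({ env = {}, files = {}, installed = [] }) {
  const lock = Object.keys(LOCKFILES).find((f) => f in files)
  const tiers = [
    ['env:CLAUDE_PACKAGE_MANAGER', env.CLAUDE_PACKAGE_MANAGER],
    ['project:.claude/package-manager.json', jsonField(files, '.claude/package-manager.json', 'packageManager')],
    ['project:package.json', jsonField(files, 'package.json', 'packageManager')],
    ['project:lockfile', lock && LOCKFILES[lock]],
    ['global:~/.claude/package-manager.json', jsonField(files, '~/.claude/package-manager.json', 'packageManager')],
    ['fallback:first-installed', ALLOWED.find((m) => installed.includes(m))]
  ]
  const rejected = []
  for (const [source, raw] of tiers) {
    if (raw === undefined || raw === null || raw === '') continue
    const manager = clean(raw)
    if (manager) return { manager, source, rejected }
    rejected.push({ source, raw }) // present, but not an allow-listed name
  }
  return { manager: null, source: null, rejected }
}

// Constructed input: a cloned repo whose project-level file names a script, not a manager.
const demo = resolvePackageManager({
  files: { '.claude/package-manager.json': '{"packageManager":"./scripts/pm.sh"}',
           'package.json': '{"name":"app","packageManager":"pnpm@9.1.0"}', 'yarn.lock': '' },
  installed: ['npm']
})
console.log(demo)
```

A non-empty `rejected` list on a repository you did not write is worth a look before any install command runs.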

Skills System

Skills are markdown modules the agent loads to gain domain expertise. Install individually or in bulk.

Using a Skill

# Reference a skill explicitly in your prompt
"Use the search-first skill to find the right caching approach before implementing"

# Or trigger via slash command
/everything-claude-code:research "content hashing strategies for API responses"

Notable Built-in Skills

| Skill | Purpose |
| --- | --- |
| search-first | Research before coding — avoids hallucinated APIs |
| cost-aware-llm-pipeline | Optimizes token spend across model calls |
| content-hash-cache-pattern | Cache invalidation via content hashing |
| skill-stocktake | Audits which skills are loaded and active |
| frontend-slides | Zero-dependency HTML presentation builder |
| configure-ecc | Guided interactive ECC setup wizard |
| swift-actor-persistence | Swift concurrency + persistence patterns |
| regex-vs-llm-structured-text | Decides when to use regex vs LLM parsing |

Writing a Custom Skill

Create skills/my-skill.md:

---
name: my-skill
description: What this skill does
triggers:
  - "phrase that activates this skill"
---

# My Skill

## When to Use
...

## Pattern
```typescript
// concrete example
```

## Rules
- Rule one
- Rule two

Instincts System (Continuous Learning)

Instincts are session-extracted patterns saved for reuse. They carry confidence scores and evolve over time.

Export an Instinct

/everything-claude-code:instinct-import

Instinct File Format

---
name: prefer-zod-for-validation
confidence: 0.92
extracted_from: session-2026-02-14
---

# Action
Always use Zod for runtime schema validation in TypeScript projects.

# Evidence
Caught 3 runtime type errors that TypeScript alone missed during session.

# Examples
```typescript
import { z } from 'zod'

const UserSchema = z.object({
  id: z.string().uuid(),
  email: z.string().email(),
  role: z.enum(['admin', 'user'])
})

type User = z.infer<typeof UserSchema>
```

Rules Architecture

Rules enforce coding standards per language. Install only what your stack needs.

# TypeScript + Python
./install.sh typescript python

# Check what's installed
ls .claude/rules/

Rule Directory Layout

rules/
├── common/         # Applies to all languages
│   ├── research-first.md
│   ├── security-baseline.md
│   └── verification-loops.md
├── typescript/
│   ├── no-any.md
│   ├── zod-validation.md
│   └── strict-mode.md
├── python/
│   ├── type-hints.md
│   └── django-patterns.md
└── golang/
    └── error-wrapping.md

Agents (Subagent Delegation)

Agents are specialized personas the orchestrator delegates to:

# In your prompt, reference an agent explicitly
"Delegate architecture decisions to the architect agent"
"Use the planner agent to break this feature into tasks"

Available agents include: planner, architect, researcher, verifier, security-auditor, and more. Each lives in agents/<name>.md with its own system prompt, tools list, and constraints.


AgentShield Security Scanning

Run security scans directly from Claude Code:

/everything-claude-code:security-scan

This invokes the AgentShield scanner (1282 tests, 102 rules) against your codebase and surfaces:

  • Hardcoded secrets
  • Injection vulnerabilities
  • Insecure dependencies
  • Agent prompt injection patterns

Memory Persistence Hooks

ECC hooks automatically save and restore session context:

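// hooks/session-start.js — loads prior context on new session
const fs = require('fs')
const os = require('os')
const path = require('path')

const memoryPath = path.join(os.homedir(), '.claude', 'session-memory.json')

if (fs.existsSync(memoryPath)) {
  try {
    const memory = JSON.parse(fs.readFileSync(memoryPath, 'utf8'))
    console.log('Restored session context:', memory.summary)
  } catch (err) {
    // A corrupt or truncated memory file should not break session start
    console.error('Could not restore session context:', err.message)
  }
}

// hooks/stop.js — saves session summary on exit
const fs = require('fs')
const os = require('os')
const path = require('path')

const memoryPath = path.join(os.homedir(), '.claude', 'session-memory.json')

const summary = {
  timestamp: new Date().toISOString(),
  summary: process.env.ECC_SESSION_SUMMARY || '',
  // filter(Boolean) drops the empty string that ''.split(',') would produce
  skills_used: (process.env.ECC_SKILLS_USED || '').split(',').filter(Boolean)
}

// Create ~/.claude if needed; the 0o600 mode applies only when the file is first created
fs.mkdirSync(path.dirname(memoryPath), { recursive: true })
fs.writeFileSync(memoryPath, JSON.stringify(summary, null, 2), { mode: 0o600 })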
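
session-start.js prints whatever `summary` the memory file holds, so that file is a persistence point: anything able to write it decides what text appears at the start of the next session. The loader below is an added example, not ECC's hook code, that checks file ownership and permissions and validates the three fields stop.js writes before anything is restored. The size limits and the skill-name pattern are assumed values.

```javascript
// Added example: validate session-memory.json before its summary re-enters a session.
// Limits below (size, length, skill-name pattern) are assumed values, not ECC settings.
const fs = require('fs')

const MAX_BYTES = 16 * 1024
const MAX_SUMMARY = 2000
const SKILL_NAME = /^[a-z0-9][a-z0-9-]{0,63}$/

// File metadata check: regular file, bounded size, ours, not group/world-writable.
function checkStat(stat, uid) {
  if (!stat.isFile()) return 'not a regular file'
  if (stat.size > MAX_BYTES) return 'file too large'
  if (uid !== undefined) { // POSIX only; Windows exposes no uid or real mode bits
    if (stat.uid !== uid) return 'owned by another user'
    if (stat.mode & 0o022) return 'writable by group or others'
  }
  return null
}

// Content check: the shape stop.js writes, with bounded and printable values.
function parseMemory(text) {
  let data
  try { data = JSON.parse(text) } catch { return { error: 'invalid JSON' } }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return { error: 'not an object' }
  const { timestamp, summary } = data
  if (typeof timestamp !== 'string' || Number.isNaN(Date.parse(timestamp))) return { error: 'bad timestamp' }
  if (typeof summary !== 'string' || summary.length > MAX_SUMMARY) return { error: 'bad summary' }
  // Tolerate '' entries, which ''.split(',') produces, then require plain skill names
  const skills = Array.isArray(data.skills_used) ? data.skills_used.filter((s) => s !== '') : null
  if (!skills || !skills.every((s) => typeof s === 'string' && SKILL_NAME.test(s))) return { error: 'bad skills_used' }
  // Strip control characters (keeps \n and \t) so stored text cannot carry terminal escapes
  const safe = summary.replace(/[\u0000-\u0008\u000b-\u001f\u007f]/g, '')
  return { memory: { timestamp, summary: safe, skills_used: skills } }
}

function loadSessionMemory(file) {
  let stat
  try { stat = fs.lstatSync(file) } catch { return { error: 'missing' } } // lstat: symlinks are not followed
  const uid = typeof process.getuid === 'function' ? process.getuid() : undefined
  const problem = checkStat(stat, uid)
  return problem ? { error: problem } : parseMemory(fs.readFileSync(file, 'utf8'))
}

// Constructed sample (not a real session file)
const sample = JSON.stringify({ timestamp: '2026-02-14T10:00:00Z', summary: 'Added rate limiter', skills_used: ['search-first'] })
console.log(parseMemory(sample))
```

Validation bounds what the file can contain, but the restored summary is still free text and should be treated as data from an earlier session rather than as instructions.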

Cross-Platform Support

| Platform | Support |
| --- | --- |
| Claude Code | Full (agents, commands, skills, hooks, rules) |
| Cursor | Full (via --target cursor installer flag) |
| OpenCode | Full (plugin system, 20+ hook event types, 3 native tools) |
| Codex CLI | Full (codex.md generated via /codex-setup) |
| Codex App | Full (AGENTS.md-based) |
| Antigravity | Full (via --target antigravity installer flag) |

Common Patterns

Research-First Development

"Before implementing the payment webhook handler, use the search-first skill to 
verify current Stripe webhook verification best practices."

Token Optimization

# Route to cheaper model for simple tasks
/everything-claude-code:model-route "Write a unit test for this pure function"

# Use background processes for long analysis
/everything-claude-code:harness-audit

Parallelization with Git Worktrees

# Create isolated worktrees for parallel agent tasks
git worktree add ../feature-auth -b feature/auth
git worktree add ../feature-payments -b feature/payments

# Each Claude Code session operates in its own worktree
# Merge when both complete

Verification Loop

/everything-claude-code:loop-start    # Begin tracked loop
# ... agent does work ...
/everything-claude-code:loop-status   # Check progress
/everything-claude-code:quality-gate  # Enforce pass criteria before merge

Troubleshooting

Plugin commands not found after install

/plugin list everything-claude-code@everything-claude-code
# If empty, re-run: /plugin install everything-claude-code@everything-claude-code

Rules not applied

# Rules require manual install — plugin system cannot distribute them
cd everything-claude-code && ./install.sh typescript
# Verify:
ls ~/.claude/rules/   # or .claude/rules/ in project root

Hooks not firing

# Check profile setting
echo $ECC_HOOK_PROFILE
# Check disabled list
echo $ECC_DISABLED_HOOKS
# Reset to defaults
unset ECC_HOOK_PROFILE
unset ECC_DISABLED_HOOKS

Instinct import drops content

Ensure you're on v1.4.1+. Earlier versions had a bug where parse_instinct_file() silently dropped Action/Evidence/Examples sections. Pull latest and re-run.

Wrong package manager used

node scripts/setup-package-manager.js --detect
export CLAUDE_PACKAGE_MANAGER=pnpm   # Override explicitly
