Claude Code Security Scan

v1.0.0

Audit Claude Code configuration for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Scans settings, MCP servers, hooks, a...

by Deonte Cooper (@djc00p)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (audit Claude Code configs with AgentShield) matches the declared requirements: node/npm are listed and the SKILL.md instructs running the npm package ecc-agentshield. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions explicitly tell the agent to scan CLAUDE.md, settings.json, mcp.json, hooks/, and agents/ — all within the stated purpose. However the SKILL.md exposes an optional deep analysis flag (--opus --stream) that requires ANTHROPIC_API_KEY and would transmit scanned content to an external API; the document does not warn about sending sensitive configuration or secrets to an external service.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md recommends npm install -g or npx ecc-agentshield. Using npx installs/executes code from the public npm registry at runtime — a moderate risk if the package is unvetted or malicious. No direct download URLs or extract steps are present, which is better than arbitrary URL downloads, but the package identity/source is unknown (no homepage or repository listed).
Credentials
The skill declares no required environment variables and lists ANTHROPIC_API_KEY as optional for deep analysis; this is proportionate to the optional feature. There are no unrelated or excessive credential requests. Be aware that providing ANTHROPIC_API_KEY will allow the tool to send scanned data to an external API.
Persistence & Privilege
always is false and there is no install script or code in the skill bundle that would persist or modify other skills or system settings. The skill is instruction-only and does not demand permanent presence or elevated privileges.
Assessment
This skill is coherent for its stated purpose (running an npm-based Claude Code config scanner) but has two operational risks you should consider before installing/using it:
- npx/npm execution risk: The recommended usage runs ecc-agentshield from the npm registry. npx executes code fetched from npm at run time — only run this if you trust the package author or after reviewing the package source (repository, package contents, and maintainers). Prefer installing in a sandbox or CI job with limited access.
- Data exfiltration risk via optional Anthropic mode: The SKILL.md includes a deep-analysis flag that requires ANTHROPIC_API_KEY; using it will send configuration contents (possibly including secrets) to Anthropic. Don’t provide that key unless you intend to send potentially sensitive config to an external service. Consider running scans offline or redacting secrets first.

Practical steps: review the ecc-agentshield npm package (repo, recent releases, maintainers), prefer npx with version pinning (npx ecc-agentshield@1.2.3), run it in an isolated container or CI with no unnecessary credentials mounted, and avoid passing ANTHROPIC_API_KEY or other secrets unless you explicitly want cloud-based analysis.

Runtime requirements

🔒 Clawdis
OS: Linux · macOS · Windows
Bins: npm, node
