Security Scan

Audit Claude Code configuration for security issues using AgentShield.

When to Activate

• Setting up a new Claude Code project
• After modifying settings.json, CLAUDE.md, or MCP configs
• Before committing configuration changes
• Onboarding to repo with existing configs
• Periodic security hygiene checks

What It Scans

• CLAUDE.md — Hardcoded secrets, auto-run instructions, injection patterns
• settings.json — Overly permissive allow lists, missing deny lists
• mcp.json — Risky MCP servers, hardcoded env secrets
• hooks/ — Command injection via interpolation, data exfiltration
• agents/ — Unrestricted tool access, missing model specs

Setup & Usage

# Install globally (recommended)
npm install -g ecc-agentshield

# Or run via npx (no install needed)
npx ecc-agentshield scan

Commands

# Basic scan
npx ecc-agentshield scan

# Scan specific path
npx ecc-agentshield scan --path /path/to/.claude

# Filter by severity
npx ecc-agentshield scan --min-severity medium

# Output formats
npx ecc-agentshield scan --format json
npx ecc-agentshield scan --format markdown
npx ecc-agentshield scan --format html > report.html

# Auto-fix safe issues
npx ecc-agentshield scan --fix

# Deep analysis (requires ANTHROPIC_API_KEY)
npx ecc-agentshield scan --opus --stream

# Initialize secure config
npx ecc-agentshield init

Severity Grades

Grade	Score	Meaning
A	90-100	Secure
B	75-89	Minor issues
C	60-74	Needs attention
D	40-59	Significant risks
F	0-39	Critical

Critical Findings (Fix Immediately)

• Hardcoded API keys in config
• Bash(*) unrestricted shell access
• Command injection via ${file} interpolation
• Shell-running MCP servers

High Findings (Fix Before Production)

• Auto-run instructions in CLAUDE.md
• Missing deny lists
• Unnecessary Bash access in agents