Claude Code Security Scan

The skill's requirements and instructions are internally consistent for running an npm-based config scanner, but it relies on running an unvetted npm package (via npm/npx) and includes an optional external-analysis mode that can send sensitive config data to Anthropic — exercise caution before running.

This skill is coherent for its stated purpose (running an npm-based Claude Code config scanner) but has two operational risks you should consider before installing/using it: - npx/npm execution risk: The recommended usage runs ecc-agentshield from the npm registry. npx executes code fetched from npm at run time — only run this if you trust the package author or after reviewing the package source (repository, package contents, and maintainers). Prefer installing in a sandbox or CI job with limited access. - Data exfiltration risk via optional Anthropic mode: The SKILL.md includes a deep-analysis flag that requires ANTHROPIC_API_KEY; using it will send configuration contents (possibly including secrets) to Anthropic. Don’t provide that key unless you intend to send potentially sensitive config to an external service. Consider running scans offline or redacting secrets first. Practical steps: review the ecc-agentshield npm package (repo, recent releases, maintainers), prefer npx with version pinning (npx ecc-agentshield@1.2.3), run it in an isolated container or CI with no unnecessary credentials mounted, and avoid passing ANTHROPIC_API_KEY or other secrets unless you explicitly want cloud-based analysis.