Audit Claude Code configurations for security vulnerabilities, misconfigurations, and injection risks.
Works with
Scans five configuration areas: CLAUDE.md , settings.json , MCP servers, hooks, and agent definitions for hardcoded secrets, prompt injection patterns, overly permissive permissions, and command injection risks
Provides four output formats (terminal, JSON, Markdown, HTML) and integrates with CI/CD via GitHub Action with configurable severity filtering
Includes auto-fix mode for safe
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionsecurity-scanExecute the skills CLI command in your project's root directory to begin installation:
Fetches security-scan from affaan-m/everything-claude-code and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate security-scan. Access via /security-scan in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
0
total installs
0
this week
142.9K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
142.9K
stars
Audit your Claude Code configuration for security issues using AgentShield.
.claude/settings.json, CLAUDE.md, or MCP configs| File | Checks |
|---|---|
CLAUDE.md |
Hardcoded secrets, auto-run instructions, prompt injection patterns |
settings.json |
Overly permissive allow lists, missing deny lists, dangerous bypass flags |
mcp.json |
Risky MCP servers, hardcoded env secrets, npx supply chain risks |
hooks/ |
Command injection via interpolation, data exfiltration, silent error suppression |
agents/*.md |
Unrestricted tool access, prompt injection surface, missing model specs |
AgentShield must be installed. Check and install if needed:
# Check if installed
npx ecc-agentshield --version
# Install globally (recommended)
npm install -g ecc-agentshield
# Or run directly via npx (no install needed)
npx ecc-agentshield scan .
Run against the current project's .claude/ directory:
# Scan current project
npx ecc-agentshield scan
# Scan a specific path
npx ecc-agentshield scan --path /path/to/.claude
# Scan with minimum severity filter
npx ecc-agentshield scan --min-severity medium
# Terminal output (default) — colored report with grade
npx ecc-agentshield scan
# JSON — for CI/CD integration
npx ecc-agentshield scan --format json
# Markdown — for documentation
npx ecc-agentshield scan --format markdown
# HTML — self-contained dark-theme report
npx ecc-agentshield scan --format html > security-report.html
Apply safe fixes automatically (only fixes marked as auto-fixable):
npx ecc-agentshield scan --fix
This will:
Run the adversarial three-agent pipeline for deeper analysis:
# Requires ANTHROPIC_API_KEY
export ANTHROPIC_API_KEY=your-key
npx ecc-agentshield scan --opus --stream
This runs:
Scaffold a new secure .claude/ configuration from scratch:
npx ecc-agentshield init
Creates:
settings.json with scoped permissions and deny listCLAUDE.md with security best practicesmcp.json placeholderAdd to your CI pipeline:
- uses: affaan-m/agentshield@v1
with:
path: '.'
min-severity: 'medium'
fail-on-findings: true
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100 | Secure configuration |
| B | 75-89 | Minor issues |
| C | 60-74 | Needs attention |
| D | 40-59 | Significant risks |
| F | 0-39 | Critical vulnerabilities |
Bash(*) in the allow list (unrestricted shell access)${file} interpolation2>/dev/null, || true)npx -y auto-install in MCP server configsMake data-driven prioritization decisions faster
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Prerequisites
Time Estimate
30-60 minutes to see productivity improvements
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
shadcn/improve
mattpocock/skills
parcadei/continuous-claude-v3
cursor/plugins
ailabs-393/ai-labs-claude-skills
pproenca/dot-skills
security-scan reduced setup friction for our internal harness; good balance of opinion and flexibility.
security-scan has been reliable in day-to-day use. Documentation quality is above average for community skills.
I recommend security-scan for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
security-scan fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in security-scan — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added security-scan from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: security-scan is focused, and the summary matches what you get after install.
Keeps context tight: security-scan is the kind of skill you can hand to a new teammate without a long onboarding doc.
I recommend security-scan for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
security-scan has been reliable in day-to-day use. Documentation quality is above average for community skills.
showing 1-10 of 34