# AgentShield — Security Audit for Claude Code

> Security auditor for Claude Code configs. Scans `.claude/` for secrets, risky permissions, hook injection, and MCP misconfigs; outputs CI-ready reports.

## Install

Copy the content below into your project:

## Quick Use

```bash
# No-install scan (README)
npx ecc-agentshield scan

# Or install globally
npm install -g ecc-agentshield
agentshield scan
```

## Intro

AgentShield is a security auditor for Claude Code setups that scans your agent configuration directory and flags secrets, permission misconfigs, hook injection, and risky MCP patterns.

**Best for:** Hardening `.claude/` configs before sharing them across a team

**Works with:** macOS/Linux/Windows; runs via `npx` or npm; targets Claude Code config layouts (README)

**Setup time:** 5–15 minutes

### Key facts (verified)

- Quick start uses `npx ecc-agentshield scan` (README).
- README lists rule buckets like Secrets Detection, Hook Analysis, and MCP Server Security with per-bucket rule counts.
- GitHub: 626 stars · 134 forks; pushed 2026-05-13 (GitHub API verified).

## Main

A practical team workflow:

1) Run AgentShield on your shared `.claude/` template repo and check in a baseline JSON report.
2) Use CI to fail only on medium/high findings at first, then tighten thresholds once false positives are understood.
3) Treat MCP server configs as production dependencies: pin versions, document env vars, and review diffs.

### README excerpt (verbatim)
# AgentShield

**Security auditor for AI agent configurations**

Scans Claude Code setups for hardcoded secrets, permission misconfigs, hook injection, MCP server risks, and agent prompt injection vectors.
Available as CLI, GitHub Action, and [GitHub App](https://github.com/apps/ecc-tools) integration.
## Why

The AI agent ecosystem is growing faster than its security tooling. In January 2026 alone:

- **12%** of a major agent skill marketplace was malicious (341 of 2,857 community skills)
- A **CVSS 8.8** CVE exposed 17,500+ internet-facing instances to one-click RCE
- The Moltbook breach compromised **1.5M API tokens** across 770,000 agents

Developers install community skills, connect MCP servers, and configure hooks without any automated way to audit the security of their setup. AgentShield scans your `.claude/` directory and flags vulnerabilities before they become exploits.

Built at the [Claude Code Hackathon](https://cerebralvalley.ai/e/claude-code-hackathon) (Cerebral Valley x Anthropic, Feb 2026). Part of the [Everything Claude Code](https://github.com/affaan-m/everything-claude-code) ecosystem (42K+ stars).

## Quick Start

```bash
# Scan your Claude Code config (no install required)
npx ecc-agentshield scan

# Or install globally
npm install -g ecc-agentshield
agentshield scan
```

That's it. AgentShield auto-discovers your `~/.claude/` directory, scans all config files, and prints a graded security report. Discovery intentionally skips common generated directories such as `node_modules`, build output, and `.dmux` worktree mirrors so transient copies do not duplicate findings.

```
AgentShield Security Report

Grade: F (0/100)

Score Breakdown
Secrets      ░░░░░░░░░░░░░░░░░░░░ 0
Permissions  ░░░░░░░░░░░░░░░░░░░░ 0
```

### FAQ

**Q: Do I need to install it?**
A: README shows a no-install path using `npx ecc-agentshield scan`.

**Q: What does it scan?**
A: README describes scanning Claude Code configs for secrets, permissions, hooks, and MCP server risks.

**Q: How do I use it in CI?**
A: Use the machine-readable JSON/Markdown outputs and fail the pipeline based on a severity threshold.
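An added example (not AgentShield's own code) of the baseline-plus-threshold gate described in the team workflow and the CI answer above: the build fails only on findings at or above a severity threshold that are not already in the checked-in baseline. The report shape (`findings[]` with `ruleId`, `severity`, `file`), the severity scale, and the sample rule ids and paths are assumptions; map the field names to the JSON the tool actually emits.

```javascript
// Assumed severity scale, lowest to highest (not taken from AgentShield's docs).
const SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"];

// Stable identity for a finding so a re-scan matches its baseline entry.
// Line numbers are deliberately excluded: they shift on unrelated edits.
function findingKey(f) {
  return `${f.ruleId}|${f.file}`;
}

// Returns the findings that should fail the build: at or above `threshold`
// and not already recorded in the baseline report.
function gate(report, baseline, threshold) {
  const min = SEVERITY_ORDER.indexOf(threshold);
  if (min === -1) throw new Error(`unknown threshold: ${threshold}`);
  const known = new Set((baseline.findings || []).map(findingKey));
  const blocking = (report.findings || []).filter((f) => {
    const rank = SEVERITY_ORDER.indexOf(String(f.severity).toLowerCase());
    // Unknown severities fail closed: treat them as blocking.
    return (rank === -1 || rank >= min) && !known.has(findingKey(f));
  });
  return { blocking, exitCode: blocking.length > 0 ? 1 : 0 };
}

// Constructed sample data (hypothetical rule ids and file paths).
const baseline = { findings: [
  { ruleId: "EXAMPLE-PERM-001", severity: "high", file: ".claude/settings.json" },
] };
const current = { findings: [
  { ruleId: "EXAMPLE-PERM-001", severity: "high", file: ".claude/settings.json" },
  { ruleId: "EXAMPLE-SECRET-001", severity: "critical", file: ".claude/mcp.json" },
  { ruleId: "EXAMPLE-HOOK-001", severity: "low", file: ".claude/hooks/pre.sh" },
  { ruleId: "EXAMPLE-MCP-001", severity: "Weird", file: ".claude/mcp.json" },
] };

const result = gate(current, baseline, "medium");
console.log(result.blocking.map(findingKey), "exit", result.exitCode);
```

In a pipeline, the two objects would come from the checked-in baseline file and the fresh scan output, and `exitCode` would be passed to the process exit status.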
## Source & Thanks

> Source: https://github.com/affaan-m/agentshield
> License: MIT
> GitHub stars: 626 · forks: 134

---

Source: https://tokrepo.com/en/workflows/agentshield-security-audit-for-claude-code
Author: Script Depot