security-scan — ai-agents security-scan, everything-claude-code, official, ai-agents, ide skills, anthropic, claude-code, developer-tools, Claude Code, Cursor, Windsurf

Verified
v1.0.0
GitHub

About this Skill

Perfect for AI Agents like Claude Code, AutoGPT, and LangChain needing comprehensive security vulnerability scanning and misconfiguration detection in their configurations. Scan your Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

# Core Topics

ai-agents anthropic claude-code developer-tools
affaan-m affaan-m
[60.6k]
[7501]
Updated: 3/5/2026

Agent Capability Analysis

The security-scan skill by affaan-m is an open-source official AI agent skill for Claude Code and other IDE workflows, helping agents execute tasks with better context, repeatability, and domain-specific guidance. Optimized for ai-agents, anthropic, claude-code.

Ideal Agent Persona

Perfect for AI Agents like Claude Code, AutoGPT, and LangChain needing comprehensive security vulnerability scanning and misconfiguration detection in their configurations.

Core Value

Empowers agents to detect security vulnerabilities, misconfigurations, and injection risks in their Claude Code configurations using AgentShield, scanning files like CLAUDE.md and settings.json, and checking MCP servers, hooks, and agent definitions for potential security issues.

Capabilities Granted for security-scan

Scanning Claude Code configurations for security vulnerabilities
Auditing settings.json and CLAUDE.md files for misconfigurations
Detecting injection risks in MCP servers and agent definitions
Performing periodic security hygiene checks on existing configurations

! Prerequisites & Limits

  • Requires AgentShield installation
  • Specific to Claude Code configurations
  • Needs access to .claude/ directory and its files
Labs Demo

Browser Sandbox Environment

⚡️ Ready to unleash?

Experience this Agent in a zero-setup browser environment powered by WebContainers. No installation required.

Boot Container Sandbox

security-scan

Install security-scan, an AI agent skill for AI agent workflows and automation. Works with Claude Code, Cursor, and Windsurf with one-command setup.

SKILL.md
Readonly

Security Scan Skill

Audit your Claude Code configuration for security issues using AgentShield.

When to Activate

  • Setting up a new Claude Code project
  • After modifying .claude/settings.json, CLAUDE.md, or MCP configs
  • Before committing configuration changes
  • When onboarding to a new repository with existing Claude Code configs
  • Periodic security hygiene checks

What It Scans

FileChecks
CLAUDE.mdHardcoded secrets, auto-run instructions, prompt injection patterns
settings.jsonOverly permissive allow lists, missing deny lists, dangerous bypass flags
mcp.jsonRisky MCP servers, hardcoded env secrets, npx supply chain risks
hooks/Command injection via interpolation, data exfiltration, silent error suppression
agents/*.mdUnrestricted tool access, prompt injection surface, missing model specs

Prerequisites

AgentShield must be installed. Check and install if needed:

bash
1# Check if installed
2npx ecc-agentshield --version
3
4# Install globally (recommended)
5npm install -g ecc-agentshield
6
7# Or run directly via npx (no install needed)
8npx ecc-agentshield scan .

Usage

Basic Scan

Run against the current project's .claude/ directory:

bash
1# Scan current project
2npx ecc-agentshield scan
3
4# Scan a specific path
5npx ecc-agentshield scan --path /path/to/.claude
6
7# Scan with minimum severity filter
8npx ecc-agentshield scan --min-severity medium

Output Formats

bash
1# Terminal output (default) — colored report with grade
2npx ecc-agentshield scan
3
4# JSON — for CI/CD integration
5npx ecc-agentshield scan --format json
6
7# Markdown — for documentation
8npx ecc-agentshield scan --format markdown
9
10# HTML — self-contained dark-theme report
11npx ecc-agentshield scan --format html > security-report.html

Auto-Fix

Apply safe fixes automatically (only fixes marked as auto-fixable):

bash
1npx ecc-agentshield scan --fix

This will:

  • Replace hardcoded secrets with environment variable references
  • Tighten wildcard permissions to scoped alternatives
  • Never modify manual-only suggestions

Opus 4.6 Deep Analysis

Run the adversarial three-agent pipeline for deeper analysis:

bash
1# Requires ANTHROPIC_API_KEY
2export ANTHROPIC_API_KEY=your-key
3npx ecc-agentshield scan --opus --stream

This runs:

  1. Attacker (Red Team) — finds attack vectors
  2. Defender (Blue Team) — recommends hardening
  3. Auditor (Final Verdict) — synthesizes both perspectives

Initialize Secure Config

Scaffold a new secure .claude/ configuration from scratch:

bash
1npx ecc-agentshield init

Creates:

  • settings.json with scoped permissions and deny list
  • CLAUDE.md with security best practices
  • mcp.json placeholder

GitHub Action

Add to your CI pipeline:

yaml
1- uses: affaan-m/agentshield@v1
2  with:
3    path: '.'
4    min-severity: 'medium'
5    fail-on-findings: true

Severity Levels

GradeScoreMeaning
A90-100Secure configuration
B75-89Minor issues
C60-74Needs attention
D40-59Significant risks
F0-39Critical vulnerabilities

Interpreting Results

Critical Findings (fix immediately)

  • Hardcoded API keys or tokens in config files
  • Bash(*) in the allow list (unrestricted shell access)
  • Command injection in hooks via ${file} interpolation
  • Shell-running MCP servers

High Findings (fix before production)

  • Auto-run instructions in CLAUDE.md (prompt injection vector)
  • Missing deny lists in permissions
  • Agents with unnecessary Bash access
  • Silent error suppression in hooks (2>/dev/null, || true)
  • Missing PreToolUse security hooks
  • npx -y auto-install in MCP server configs

Info Findings (awareness)

  • Missing descriptions on MCP servers
  • Prohibitive instructions correctly flagged as good practice

FAQ & Installation Steps

These questions and steps mirror the structured data on this page for better search understanding.

? Frequently Asked Questions

What is security-scan?

Perfect for AI Agents like Claude Code, AutoGPT, and LangChain needing comprehensive security vulnerability scanning and misconfiguration detection in their configurations. Scan your Claude Code configuration (.claude/ directory) for security vulnerabilities, misconfigurations, and injection risks using AgentShield. Checks CLAUDE.md, settings.json, MCP servers, hooks, and agent definitions.

How do I install security-scan?

Run the command: npx killer-skills add affaan-m/everything-claude-code/security-scan. It works with Cursor, Windsurf, VS Code, Claude Code, and 19+ other IDEs.

What are the use cases for security-scan?

Key use cases include: Scanning Claude Code configurations for security vulnerabilities, Auditing settings.json and CLAUDE.md files for misconfigurations, Detecting injection risks in MCP servers and agent definitions, Performing periodic security hygiene checks on existing configurations.

Which IDEs are compatible with security-scan?

This skill is compatible with Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer. Use the Killer-Skills CLI for universal one-command installation.

Are there any limitations for security-scan?

Requires AgentShield installation. Specific to Claude Code configurations. Needs access to .claude/ directory and its files.

How To Install

  1. 1. Open your terminal

    Open the terminal or command line in your project directory.

  2. 2. Run the install command

    Run: npx killer-skills add affaan-m/everything-claude-code/security-scan. The CLI will automatically detect your IDE or AI agent and configure the skill.

  3. 3. Start using the skill

    The skill is now active. Your AI agent can use security-scan immediately in the current project.

Related Skills

Looking for an alternative to security-scan or another official skill for your workflow? Explore these related open-source skills.

View All

flags

Logo of facebook
facebook

Use when you need to check feature flag states, compare channels, or debug why a feature behaves differently across release channels.

243.6k
0
Developer

extract-errors

Logo of facebook
facebook

Use when adding new error messages to React, or seeing unknown error code warnings.

243.6k
0
Developer

fix

Logo of facebook
facebook

Use when you have lint errors, formatting issues, or before committing code to ensure it passes CI.

243.6k
0
Developer

flow

Logo of facebook
facebook

Use when you need to run Flow type checking, or when seeing Flow type errors in React code.

243.6k
0
Developer

Related Collections

View All Collections →
12 AI Agent Tools & Integrations for Developer Workflows | AI Agent Skills[12]Top Claude Code Skills & Agent Workflows | AI Agent Skills[6]Community Skills & AI Utilities | AI Agent Skills[12]Developer Tooling for AI Agent Work | AI Agent Skills[12]Community Skills & Frameworks for AI Agent Builders | AI Agent Skills[11]AI Agent Workflow Skills, Integrations, and Utilities | AI Agent Skills[12]12 Official AI Skills & Trusted Tools | AI Agent Skills[12]Productivity Tools for AI-Enabled Developers | AI Agent Skills[5]Top Windsurf Skills & AI Agent Workflows | AI Agent Skills[5]