AgentShield

Security auditor for AI agent configurations

Scans Claude Code setups for hardcoded secrets, permission misconfigs, hook injection, MCP server risks, and agent prompt injection vectors. Available as CLI, GitHub Action, and GitHub App integration.

Quick Start · What It Catches · API Reference · Opus Pipeline · GitHub Action · Distribution · MiniClaw · Changelog

Why

The AI agent ecosystem is growing faster than its security tooling. In January 2026 alone:

• 12% of a major agent skill marketplace was malicious (341 of 2,857 community skills)
• A CVSS 8.8 CVE exposed 17,500+ internet-facing instances to one-click RCE
• The Moltbook breach compromised 1.5M API tokens across 770,000 agents

Developers install community skills, connect MCP servers, and configure hooks without any automated way to audit the security of their setup. AgentShield scans your .claude/ directory and flags vulnerabilities before they become exploits.

Built at the Claude Code Hackathon (Cerebral Valley x Anthropic, Feb 2026). Part of the Everything Claude Code ecosystem (42K+ stars).

Quick Start

# Scan your Claude Code config (no install required)
npx ecc-agentshield scan

# Or install globally
npm install -g ecc-agentshield
agentshield scan

That's it. AgentShield auto-discovers your ~/.claude/ directory, scans all config files, and prints a graded security report.

Discovery intentionally skips common generated directories such as node_modules, build output, and .dmux worktree mirrors so transient copies do not duplicate findings.

  AgentShield Security Report

  Grade: F (0/100)

  Score Breakdown
  Secrets        ░░░░░░░░░░░░░░░░░░░░ 0
  Permissions    ░░░░░░░░░░░░░░░░░░░░ 0
  Hooks          ░░░░░░░░░░░░░░░░░░░░ 0
  MCP Servers    ░░░░░░░░░░░░░░░░░░░░ 0
  Agents         ░░░░░░░░░░░░░░░░░░░░ 0

  ● CRITICAL  Hardcoded Anthropic API key
    CLAUDE.md:13
    Evidence: sk-ant-a...cdef
    Fix: Replace with environment variable reference [auto-fixable]

  ● CRITICAL  Overly permissive allow rule: Bash(*)
    settings.json
    Evidence: Bash(*)
    Fix: Restrict to specific commands: Bash(git *), Bash(npm *), Bash(node *)

  Summary
  Files scanned: 6
  Findings: 73 total — 19 critical, 29 high, 15 medium, 4 low, 6 info
  Auto-fixable: 8 (use --fix)

More commands

# Scan a specific directory
agentshield scan --path /path/to/.claude

# Auto-fix safe issues (replaces hardcoded secrets with env var references)
agentshield scan --fix

# JSON output for CI pipelines
agentshield scan --format json

# Generate an HTML executive security report
agentshield scan --format html > report.html

# Generate a portable audit bundle
agentshield scan --evidence-pack ./agentshield-evidence

# Three-agent Opus 4.6 adversarial analysis (requires ANTHROPIC_API_KEY)
agentshield scan --opus --stream

# Generate a secure baseline config
agentshield init

JSON reports now expose findings[].runtimeConfidence when AgentShield can distinguish active runtime config from project-local settings, template/example inventories, installed Claude plugin caches, declarative plugin manifests, and manifest-resolved non-shell hook implementations. Reports also include local harness adapter evidence for Claude Code, OpenCode, Codex, Gemini, Zed, VS Code, dmux, terminal-agent wrappers, and project-local templates when matching markers are present.

What It Catches

102 rules across 5 categories, graded A–F with a 0–100 numeric score.

Secrets Detection

Permission Audit (10 rules)

Hook Analysis (34 rules)

MCP Server Security (23 rules)

Supply-chain verification (agentshield scan --supply-chain) extracts MCP package references plus root package.json and package-lock.json dependency evidence, then reports provenance counts for npm vs git, pinned vs unpinned, known-good packages, and npm-registry-backed metadata. Add --supply-chain-online to query npm for downloads, maintainers, postinstall scripts, deprecation, and package age.

Package-manager hardening checks also scan .npmrc, .yarnrc.yml, and pnpm-workspace.yaml for plaintext registry credentials, explicit dependency lifecycle-script enablement, and missing or weak release-age cooldowns where the package manager supports them. npm configs are checked for lifecycle-script blocking and unsupported release-age keys that can create false confidence; use pnpm minimumReleaseAge / minimum-release-age, Yarn npmMinimalAgeGate, or an external package-manager policy wrapper for cooldown enforcement.

AgentShield also scans AI developer-tool persistence surfaces used by recent npm and PyPI campaign payloads, including Claude Code hook settings, .claude/router_runtime.js, VS Code tasks.json folder-open automation, Zed project tasks.json, .vscode/setup.mjs, .zed/setup.mjs, GitHub workflow drop-ins, LaunchAgent/systemd dead-man switch artifacts, gh-token-monitor token-store files, metadata-service credential targets, and reported exfiltration or second-stage network indicators. These indicators are emitted as critical hook findings so CI can fail fast even after the malicious package has been uninstalled.

MCP Confidence Notes

AgentShield scans both active MCP config and repository-shipped MCP templates.

• Findings from mcp.json, .claude/mcp.json, .claude.json, and active settings.json should be treated as the highest-confidence runtime exposure.
• Findings from settings.local.json are emitted as runtimeConfidence: project-local-optional.
• Findings from locations such as mcp-configs/, config/mcp/, or configs/mcp/ indicate risky MCP definitions present in repository templates, not guaranteed active runtime enablement.
• JSON, markdown, terminal, and HTML outputs now expose source context via runtimeConfidence: active-runtime | project-local-optional | template-example | docs-example | plugin-cache | plugin-manifest | hook-code.
• Non-secret template-example MCP findings are score-weighted at 0.25x, and one