Security audit tool for Claude Desktop and Claude Code on macOS — single-command visibility into MCP servers, extensions, plugins, connectors, scheduled tasks, and permissions.
# Add to your Claude Code skills
git clone https://github.com/HarmonicSecurity/claudit-secGuides for using mcp servers skills like claudit-sec.
Security audit tool for Claude Desktop on macOS and Windows — including CoWork, extensions, plugins, MCP servers, connectors, and scheduled tasks.
One command. Full visibility. Read-only.
⚠️ Windows support is a work in progress. We're aware of a few kinks and bugs and wanted to get something out sooner rather than later. Community feedback and contributions are welcome.
Claude Desktop introduces a new class of endpoint risk: AI agents with autonomous execution, persistent scheduled tasks, MCP server integrations, browser-control extensions, and OAuth-authenticated connectors to external services. Most of this configuration lives in JSON files scattered across multiple directories with no centralised visibility.
CLAUDIT gives you that visibility in a single command.
📝 A note on "Code": Claude Desktop includes a built-in agent coding feature called Code (visible in the app's sidebar). This is not the same as Claude Code, the standalone terminal CLI. CLAUDIT primarily audits Claude Desktop and its CoWork features. It does include a basic check of the Claude Code settings file (
~/.claude/settings.jsonon macOS,%USERPROFILE%\.claude\settings.jsonon Windows), but the focus is squarely on the Desktop app.
| Area | What's Checked |
|------|---------------|
| 🖥️ Desktop Settings | keepAwakeEnabled, sidebar/menuBar preferences |
| 🤖 CoWork Settings | Scheduled tasks, web search, browser use, dispatch (mobile→desktop), network mode, egress policy, enabled plugins, marketplaces |
| 🏢 Workspaces | Multi-workspace detection, account names, session counts, org indicators (DXT-managed, org-plugins, dispatch-bridge) |
| 🔌 | Server names, commands, arguments, environment variable keys |
| 🧩 | Installed extensions, signature status, dangerous tool grants |
| ⚙️ | Per-extension allowed directories and configuration |
| 🚦 | Allowlist enabled/disabled, blocklist entries |
| 📦 | Installed, remote (org-deployed), cached (downloaded) |
| 🪝 | Lifecycle hooks executing shell commands (PreToolUse, PostToolUse, Stop, etc.) |
| 🔗 | OAuth-authenticated web services, desktop integrations |
| 🎯 | User-created, scheduled, session-local, and plugin skills across 9 paths |
| ⏰ | Task names, cron expressions (with plain English translation) |
| 🔐 | Network mode, extension allowlist/blocklist keys, device identifiers |
| 📲 | Bridge state (OFF/CONFIGURED/ON), active session detection via and |
| 🔇 | Per-session tools explicitly disabled (with dangerous tool callout) |
| 🏃 | Running processes, sleep assertions, LaunchAgents, crontab entries |
| 🍪 | and presence |
No comments yet. Be the first to share your thoughts!
Top skills in this category by stars
hostLoopModebridge-state.jsonCookiesCookies-journal📖 For a detailed breakdown of every individual check, what it means, and why it matters, see the Findings Reference.
macOS:
| Requirement | How to check | How to install |
|-------------|-------------|---------------|
| 🍎 macOS | You're on a Mac | — |
| 🐚 zsh | zsh --version | Ships with macOS since Catalina |
| 🔧 jq | jq --version | brew install jq |
Windows:
| Requirement | How to check | How to install |
|-------------|-------------|---------------|
| 🪟 Windows 10/11 | You're on a PC | — |
| ⚡ PowerShell 5.1+ | $PSVersionTable.PSVersion | Ships with Windows 10+ |
| — | No additional dependencies | Fully self-contained |
macOS:
git clone https://github.com/HarmonicSecurity/claudit-sec.git
cd claudit-sec
chmod +x claude_audit.sh
./claude_audit.sh
Windows:
git clone https://github.com/HarmonicSecurity/claudit-sec.git
cd claudit-sec
powershell -ExecutionPolicy Bypass -File claude_audit.ps1
That's it. The script reads your Claude configuration and prints a colour-coded report to the terminal. It never modifies anything.
macOS:
./claude_audit.sh [OPTIONS]
Options:
--html [FILE] Generate a standalone HTML report
--json Output structured JSON
--user USER Audit a specific user
--all-users Audit all users with Claude data (requires root)
-q, --quiet Only show WARN and CRITICAL findings
--version Print version and exit
-h, --help Show usage
Windows:
powershell -ExecutionPolicy Bypass -File claude_audit.ps1 [OPTIONS]
Options:
-Html [FILE] Generate a standalone HTML report
-Json Output structured JSON
-User USER Audit a specific user
-AllUsers Audit all users with Claude data (requires admin)
-Quiet Only show WARN and CRITICAL findings
-Version Print version and exit
-Help Show usage
macOS:
# Default: colour output in terminal
./claude_audit.sh
# Only warnings and critical findings
./claude_audit.sh -q
# Standalone HTML report
./claude_audit.sh --html
# JSON for SIEM ingestion
./claude_audit.sh --json > audit.json
# Specific user
./claude_audit.sh --user jsmith
# All users (run as root via MDM — FleetDM, Jamf, Mosyle, CrowdStrike RTR)
sudo ./claude_audit.sh
Windows:
# Default: colour output in terminal
powershell -ExecutionPolicy Bypass -File claude_audit.ps1
# Only warnings and critical findings
powershell -ExecutionPolicy Bypass -File claude_audit.ps1 -Quiet
# Standalone HTML report
powershell -ExecutionPolicy Bypass -File claude_audit.ps1 -Html
# JSON for SIEM ingestion
powershell -ExecutionPolicy Bypass -File claude_audit.ps1 -Json > audit.json
# Specific user
powershell -ExecutionPolicy Bypass -File claude_audit.ps1 -User jsmith
# All users (run as admin via MDM — Intune, CrowdStrike RTR)
powershell -ExecutionPolicy Bypass -File claude_audit.ps1 -AllUsers
💡 macOS: When run as root (uid 0), the script automatically discovers and scans all users with Claude data. No flags needed.
💡 Windows: When run as Administrator, the script can scan all users with the
-AllUsersflag. MDM tools like Intune and CrowdStrike RTR execute scripts with elevated privileges.
Colour-coded output with Unicode tables and severity indicators.
--html)Standalone dark-themed report with collapsible sections. Created with restrictive file permissions (0600).
--json)Structured output for SIEM ingestion. Sensitive fields (OAuth tokens, API keys, secrets) are automatically redacted. Multi-user scans produce a JSON array.
| Severity | Meaning | |----------|---------| | 🟠 WARN | Increases risk surface — e.g. unsigned extensions, autonomous execution enabled | | 🟡 REVIEW | Needs human judgement — e.g. org-deployed plugins, MCP servers present | | 🔵 INFO | Informational — e.g. Claude is running, permissions granted |
| Doc | Description | |-----|-------------| | Findings Reference | Every individual check CLAUDIT performs, what it means, why it matters (risk, compliance, AI enablement), and what to do about it |
[REDACTED] in all output formatsjq; Windows is fully self-contained (no external dependencies)claude_audit.sh on macOS, claude_audit.ps1 on Windows)This project is built and maintained using Claude Code. We love it. Seriously. If you're building developer tools and haven't tried it yet, you're missing out.
Apache License 2.0 — see LICENSE for details.