Do I need a specific API key to run this?

Standard scans run locally without a key. However, the deep analysis 'Opus' mode requires an Anthropic API key to run its adversarial multi-agent pipeline.

Can it automatically fix security issues?

Yes, it includes an auto-fix flag that can replace hardcoded secrets with environment variable references and tighten wildcard permissions to scoped alternatives.

What files does this security scan analyze?

It checks everything in your .claude/ directory, including CLAUDE.md, settings.json, mcp.json, custom hooks, and agent definitions.

Is it suitable for CI/CD pipelines?

Absolutely. It supports JSON output for automation and provides a dedicated GitHub Action to fail builds if vulnerabilities are detected.

Security Scan for Claude Code

Name: Security Scan for Claude Code
Author: lev-os

bylev-os

•

Seguridad y Pruebas

Audits Claude Code configurations and MCP servers for security vulnerabilities, misconfigurations, and injection risks using AgentShield.

The Security Scan skill empowers developers to audit their Claude Code environments by identifying critical security flaws in configuration files, agent definitions, and Model Context Protocol (MCP) servers. By integrating the AgentShield framework, it detects hardcoded secrets, dangerous permission levels, and potential command injection patterns across .claude/ directories. This skill is essential for maintaining a secure AI development workflow, offering both rapid automated scans and deep adversarial analysis to ensure that agents operate within safe, restricted boundaries.

Características Principales

01Provides automated 'safe fixes' to replace secrets with environment variables and tighten permissions.

022 GitHub stars

03Scans Model Context Protocol (MCP) servers for supply chain risks and risky tool access.

04Features a deep-analysis mode using an adversarial Red Team/Blue Team pipeline for thorough auditing.

05Identifies overly permissive settings and dangerous 'auto-run' instructions in CLAUDE.md.

06Detects hardcoded secrets and API keys in configuration files and MCP environments.

Casos de Uso

01Implementing security gates in CI/CD pipelines to prevent committing insecure AI configurations.

02Auditing third-party MCP servers and custom hooks for data exfiltration or injection risks.

03Hardening a new Claude Code project configuration before first-time agent execution.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add lev-os/agents security-scan-agentshield

For use in Claude.ai and ChatGPT

Características Principales

01Provides automated 'safe fixes' to replace secrets with environment variables and tighten permissions.

022 GitHub stars

03Scans Model Context Protocol (MCP) servers for supply chain risks and risky tool access.

04Features a deep-analysis mode using an adversarial Red Team/Blue Team pipeline for thorough auditing.

05Identifies overly permissive settings and dangerous 'auto-run' instructions in CLAUDE.md.

06Detects hardcoded secrets and API keys in configuration files and MCP environments.

Casos de Uso

01Implementing security gates in CI/CD pipelines to prevent committing insecure AI configurations.

02Auditing third-party MCP servers and custom hooks for data exfiltration or injection risks.

03Hardening a new Claude Code project configuration before first-time agent execution.