# Security Scan Skill
Audit your Claude Code configuration for security issues using AgentShield.
## When to Activate
- Setting up a new Claude Code project
- After modifying `CLAUDE.md`, `.claude/settings.json`, or MCP configs
- Before committing configuration changes
- When onboarding to a new repository with existing Claude Code configs
- Periodic security hygiene checks
## What It Scans
| File | Checks |
|---|---|
| `CLAUDE.md` | Hardcoded secrets, auto-run instructions, prompt injection patterns |
| `settings.json` | Overly permissive allow lists, missing deny lists, dangerous bypass flags |
| `mcp.json` | Risky MCP servers, hardcoded env secrets, npx supply chain risks |
| hooks | Command injection via interpolation, data exfiltration, silent error suppression |
| agents | Unrestricted tool access, prompt injection surface, missing model specs |
## Prerequisites
AgentShield must be installed. Check and install if needed:

```bash
# Check if installed
npx ecc-agentshield --version

# Install globally (recommended)
npm install -g ecc-agentshield

# Or run directly via npx (no install needed)
npx ecc-agentshield scan .
```
## Usage

### Basic Scan

Run against the current project's `.claude/` directory:

```bash
# Scan current project
npx ecc-agentshield scan

# Scan a specific path
npx ecc-agentshield scan --path /path/to/.claude

# Scan with minimum severity filter
npx ecc-agentshield scan --min-severity medium
```
### Output Formats

```bash
# Terminal output (default) — colored report with grade
npx ecc-agentshield scan

# JSON — for CI/CD integration
npx ecc-agentshield scan --format json

# Markdown — for documentation
npx ecc-agentshield scan --format markdown

# HTML — self-contained dark-theme report
npx ecc-agentshield scan --format html > security-report.html
```
### Auto-Fix

Apply safe fixes automatically (only fixes marked as auto-fixable):

```bash
npx ecc-agentshield scan --fix
```

This will:

- Replace hardcoded secrets with environment variable references
- Tighten wildcard permissions to scoped alternatives
- Never modify manual-only suggestions
### Opus 4.6 Deep Analysis

Run the adversarial three-agent pipeline for deeper analysis:

```bash
# Requires ANTHROPIC_API_KEY
export ANTHROPIC_API_KEY=your-key
npx ecc-agentshield scan --opus --stream
```

This runs:

1. **Attacker (Red Team)** — finds attack vectors
2. **Defender (Blue Team)** — recommends hardening
3. **Auditor (Final Verdict)** — synthesizes both perspectives
### Initialize Secure Config

Scaffold a new secure `.claude/` configuration from scratch:

```bash
npx ecc-agentshield init
```

Creates:

- `settings.json` with scoped permissions and deny list
- `CLAUDE.md` with security best practices
- `mcp.json` placeholder
### GitHub Action

Add to your CI pipeline:

```yaml
- uses: affaan-m/agentshield@v1
  with:
    path: '.'
    min-severity: 'medium'
    fail-on-findings: true
```

## Severity Levels
| Grade | Score | Meaning |
|---|---|---|
| A | 90-100 | Secure configuration |
| B | 75-89 | Minor issues |
| C | 60-74 | Needs attention |
| D | 40-59 | Significant risks |
| F | 0-39 | Critical vulnerabilities |
## Interpreting Results

### Critical Findings (fix immediately)

- Hardcoded API keys or tokens in config files
- `Bash(*)` in the allow list (unrestricted shell access)
- Command injection in hooks via `${file}` interpolation
- Shell-running MCP servers

### High Findings (fix before production)

- Auto-run instructions in `CLAUDE.md` (prompt injection vector)
- Missing deny lists in permissions
- Agents with unnecessary Bash access

### Medium Findings (recommended)

- Silent error suppression in hooks (`2>/dev/null`, `|| true`)
- Missing PreToolUse security hooks
- `npx -y` auto-install in MCP server configs

### Info Findings (awareness)

- Missing descriptions on MCP servers
- Prohibitive instructions correctly flagged as good practice
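To show how the findings above map onto concrete configuration, here is an added example (not AgentShield's own code) that checks a constructed weak `settings.json`/`mcp.json` pair and a hardened pair for the `Bash(*)`, `${file}`, `2>/dev/null`/`|| true`, missing-deny-list, missing-PreToolUse and `npx -y` patterns. It assumes the Claude Code `settings.json` layout (`permissions.allow`/`deny`, `hooks.<Event>[].hooks[].command`) and an `mcpServers` map; the rule names are hypothetical labels, not AgentShield's.

```javascript
// Added example, not AgentShield's own code: a minimal scanner for the
// critical/high/medium patterns listed under "Interpreting Results".
// Assumes the Claude Code settings.json layout (permissions.allow/deny,
// hooks.<Event>[].hooks[].command) and an mcpServers map as in mcp.json.
function scanConfig(settings, mcp) {
  const findings = [];
  const perms = settings.permissions || {};
  const allow = perms.allow || [];
  const deny = perms.deny || [];
  const hooks = settings.hooks || {};

  // Critical: Bash(*) in the allow list grants unrestricted shell access.
  if (allow.includes('Bash(*)')) findings.push({ severity: 'critical', rule: 'bash-wildcard-allow' });
  // High: an empty deny list means nothing is blocked outright.
  if (deny.length === 0) findings.push({ severity: 'high', rule: 'missing-deny-list' });
  // Medium: without a PreToolUse hook, tool calls are never vetted before they run.
  if (!Array.isArray(hooks.PreToolUse) || hooks.PreToolUse.length === 0)
    findings.push({ severity: 'medium', rule: 'missing-pretooluse-hook' });

  // Every hook command across all events, flattened into one list.
  const commands = Object.values(hooks).flat().flatMap(g => (g.hooks || []).map(h => h.command || ''));
  for (const cmd of commands) {
    // Critical: ${...} interpolation splices untrusted text into a shell command line.
    if (/\$\{[^}]+\}/.test(cmd)) findings.push({ severity: 'critical', rule: 'hook-interpolation', cmd });
    // Medium: 2>/dev/null or || true hides hook failures from the operator.
    if (/2>\s*\/dev\/null/.test(cmd) || /\|\|\s*true/.test(cmd))
      findings.push({ severity: 'medium', rule: 'hook-error-suppression', cmd });
  }

  // Medium: npx -y installs whatever the registry serves at run time, unpinned.
  for (const [name, srv] of Object.entries(mcp.mcpServers || {})) {
    const argv = [srv.command, ...(srv.args || [])];
    if (argv[0] === 'npx' && argv.includes('-y'))
      findings.push({ severity: 'medium', rule: 'mcp-npx-auto-install', server: name });
  }
  return findings;
}
// Constructed sample configs (not from any real project): a weak pair and a hardened pair.
const weakSettings = {
  permissions: { allow: ['Bash(*)'] },
  hooks: { PostToolUse: [{ matcher: 'Write', hooks: [{ type: 'command', command: 'prettier --write ${file} 2>/dev/null || true' }] }] },
};
const weakMcp = { mcpServers: { fetch: { command: 'npx', args: ['-y', 'example-fetch-server'] } } };
const hardenedSettings = {
  permissions: { allow: ['Read', 'Bash(npm test)'], deny: ['Bash(curl:*)'] },
  hooks: { PreToolUse: [{ matcher: 'Bash', hooks: [{ type: 'command', command: 'node .claude/hooks/check-command.js' }] }] },
};
const hardenedMcp = { mcpServers: { fetch: { command: 'node', args: ['./servers/fetch.js'] } } };
console.log(scanConfig(weakSettings, weakMcp));         // 6 findings, 2 of them critical
console.log(scanConfig(hardenedSettings, hardenedMcp)); // []
```

The weak pair trips every rule once; the hardened pair, with scoped allow entries, a deny list, a PreToolUse hook that takes no interpolated input, and a pinned local MCP server, produces no findings.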