config-security-scan

Solid

Scan .claude/ directory for security misconfigurations, exposed secrets, unsafe permissions

AI & Automation · 496 stars · 41 forks · Updated 1 month ago · MIT


Quality Score: 89/100

| Criterion     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 90    |
| Recency       | 20%    | 75    |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Config Security Scan

Scan your `.claude/` directory and related configuration files for security issues. Inspired by the AgentShield pattern: checks CLAUDE.md, settings.json, MCP configs, hooks, and agent definitions for misconfigurations, exposed secrets, and unsafe permissions.

## Usage

```
/config-security-scan [path]
```

Default path: `.claude/` in the current project.

## What It Checks

### 1. Secrets Detection (CRITICAL)

```
- API keys, tokens, passwords in CLAUDE.md
- Hardcoded credentials in hook scripts
- Secrets in MCP server configs
- Bearer tokens in agent definitions
- .env files committed to git
```

### 2. Permission Escalation (HIGH)

```
- dangerouslySkipPermissions in settings.json
- Overly broad tool permissions (all tools for simple agents)
- MCP servers with filesystem write access
- Hooks with shell execution and no validation
- Agents with Bash tool that don't need it
```

### 3. MCP Server Security (HIGH)

```
- Unknown/untrusted MCP servers
- MCP servers with network access + filesystem access
- Missing authentication on MCP endpoints
- MCP servers running as root/admin
- Unverified npm packages in MCP configs
```

### 4. Hook Security (MEDIUM)

```
- Hooks that execute user input
- Hooks without error handling
- Hooks that modify git config
- Hooks that access external networks
- Hooks with hardcoded paths
```

### 5. Agent Definition Security (MEDIUM)

```
- Agents with unnecessary tools
- Agents with system-level Bash access
- Agent descriptions that c...
```
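As an added example (not the skill's own code) of how three of the checks above can be automated, here is a small Python scanner run over a constructed `.claude/` tree: it flags `dangerouslySkipPermissions` in settings.json, hook commands that splice untrusted input into a shell, and secret-looking values in any file. The settings.json hook layout, the secret regexes and every sample file are assumptions built for the demo, not the skill's actual rules.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed, illustrative patterns: secret-looking assignments, bearer tokens, hook commands that
# splice untrusted input into a shell (command substitution, eval, argument expansion).
SECRET_PATTERNS = {
    "secret-assignment": re.compile(r"(?i)(api[_-]?key|password|secret|token)['\"]?\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
    "bearer-token": re.compile(r"Bearer\s+[A-Za-z0-9._-]{20,}"),
}
UNSAFE_HOOK = re.compile(r"\$\(|\beval\b|\$ARGUMENTS\b")

def iter_commands(node):
    """Yield every string stored under a 'command' key at any depth (hook layout assumed, not verified)."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from ([value] if key == "command" and isinstance(value, str) else iter_commands(value))
    elif isinstance(node, list):
        for item in node:
            yield from iter_commands(item)

def scan_claude_dir(root):
    """Return (severity, path, message) tuples for the secrets, permission and hook checks listed above."""
    root, findings = Path(root), []
    settings = root / "settings.json"
    if settings.is_file():
        data = json.loads(settings.read_text())
        if data.get("dangerouslySkipPermissions") is True:
            findings.append(("HIGH", str(settings), "dangerouslySkipPermissions is enabled"))
        for cmd in iter_commands(data.get("hooks", {})):
            if UNSAFE_HOOK.search(cmd):
                findings.append(("MEDIUM", str(settings), f"hook executes untrusted input: {cmd}"))
    for path in (p for p in root.rglob("*") if p.is_file()):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(path.read_text(errors="ignore")):
                findings.append(("CRITICAL", str(path), f"{name}: {match.group(0)[:24]}..."))
    return findings

def demo():
    """Build a constructed .claude/ tree in a temp dir and scan it; every file here is sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / ".claude"
        (root / "agents").mkdir(parents=True)
        (root / "CLAUDE.md").write_text("Call the API with OPENAI_API_KEY=sk-constructed-sample-0000\n")
        (root / "agents" / "reviewer.md").write_text("Authorization: Bearer constructedSampleToken0123456789\n")
        hook = {"type": "command", "command": "sh -c \"$(cat /tmp/untrusted)\""}
        (root / "settings.json").write_text(json.dumps(
            {"dangerouslySkipPermissions": True, "hooks": {"PreToolUse": [{"hooks": [hook]}]}}))
        return scan_claude_dir(root)  # 4 findings: 2 CRITICAL, 1 HIGH, 1 MEDIUM
```

Point `scan_claude_dir` at a real `.claude/` directory to get the same tuples for your own project; the `.env` and MCP checks from the list are not covered by this snippet.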

Details

Author: vibeeval
Repository: vibeeval/vibecosystem
Created: 2 months ago
Last Updated: 1 month ago
Language: C#
License: MIT
