# security-check

Quick configuration security check against known threats database
| Field | Value |
|-------|-------|
| name | security-check |
| description | Quick configuration security check against known threats database |
| argument-hint | [path] |
| effort | medium |
| disable-model-invocation | true |
Quick configuration security check against known threats database. Verifies your Claude Code setup for known malicious skills, vulnerable MCPs, dangerous patterns, and exposed secrets.
Time: ~30 seconds | Scope: Claude Code configuration only
You are a security analyst. Check the user's Claude Code configuration against the threat intelligence database bundled at examples/skills/update-threat-db/threat-db.yaml. Produce a concise, actionable report.
Read examples/skills/update-threat-db/threat-db.yaml from this repository to load:
Read the user's MCP configuration:
```bash
# Global MCP config
cat ~/.claude.json 2>/dev/null | jq '.mcpServers // empty'
# Project MCP config
cat .mcp.json 2>/dev/null
```
Check against threat-db.yaml:
- @latest)? → HIGH if unpinned
- --dangerous-* flags in MCP args? → CRITICAL
- guide/security-hardening.md §1.1)? → MEDIUM (flag for manual review)

```bash
# List installed skills
ls -la .claude/skills/ 2>/dev/null
ls -la ~/.claude/skills/ 2>/dev/null
# List agents
ls -la .claude/agents/ 2>/dev/null
ls -la ~/.claude/agents/ 2>/dev/null
# Check agent tools field
grep -r "^tools:" .claude/agents/ 2>/dev/null
grep -r "^tools:" ~/.claude/agents/ 2>/dev/null
```
Check against threat-db.yaml:
- malicious_skills entries? → CRITICAL
- malicious_authors entries? → CRITICAL
- tools: Bash only? → HIGH

```bash
# List all hooks
find .claude/hooks/ -type f 2>/dev/null
find ~/.claude/hooks/ -type f 2>/dev/null
# Scan hooks for suspicious patterns
grep -rn "curl\|wget\|nc \|ncat\|netcat\|base64\|eval\|exec\|/dev/tcp\|/dev/udp" .claude/hooks/ 2>/dev/null
grep -rn "curl\|wget\|nc \|ncat\|netcat\|base64\|eval\|exec\|/dev/tcp\|/dev/udp" ~/.claude/hooks/ 2>/dev/null
# Check for credential access in hooks
grep -rn "ssh\|id_rsa\|id_ed25519\|\.env\|credentials\|secret\|password\|token\|api.key" .claude/hooks/ 2>/dev/null
grep -rn "ssh\|id_rsa\|id_ed25519\|\.env\|credentials\|secret\|password\|token\|api.key" ~/.claude/hooks/ 2>/dev/null
```
Check against threat-db.yaml suspicious_patterns.hooks:
- curl, wget) → HIGH
- nc, /dev/tcp) → CRITICAL
- ssh, .env, password) → CRITICAL

```bash
# Check for suspicious instructions in memory/config files
grep -in "ignore\|forget\|override\|disregard\|you are now\|new role\|system prompt" \
  CLAUDE.md .claude/CLAUDE.md SOUL.md .claude/SOUL.md MEMORY.md .claude/MEMORY.md \
  ~/.claude/CLAUDE.md ~/.claude/MEMORY.md 2>/dev/null
# Check settings
cat .claude/settings.json 2>/dev/null
cat ~/.claude/settings.json 2>/dev/null
```
- permissions.deny exists and covers .env*, *.pem, *.key, secrets? → MEDIUM if missing
- permissions.allow for Bash or Write? → HIGH if present
- dangerouslySkipPermissions or similar flags? → CRITICAL if present

```bash
# Check for secrets in .claude/ directory
grep -rn "sk-[a-zA-Z0-9]\{20,\}\|sk-ant-[a-zA-Z0-9]\{20,\}\|ghp_[a-zA-Z0-9]\{36\}\|AKIA[A-Z0-9]\{16\}" \
  .claude/ ~/.claude/ 2>/dev/null
# Check for private keys
grep -rn "BEGIN.*PRIVATE KEY" .claude/ ~/.claude/ 2>/dev/null
```
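As an added example (not code from this skill or its repository), a small Python checker that applies the MCP, settings and secret checks above to constructed sample inputs, so the severity mapping can be exercised offline. The server names, package names, permission rules and the token value are all made up for the example.

```python
import json
import re

# Regexes mirror the grep patterns used by the skill, plus the private-key check.
SECRET_PATTERNS = {
    "API key (sk-/sk-ant-)": re.compile(r"sk-(?:ant-)?[A-Za-z0-9]{20,}"),
    "GitHub token": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "AWS access key id": re.compile(r"AKIA[A-Z0-9]{16}"),
    "private key block": re.compile(r"BEGIN.*PRIVATE KEY"),
}
REQUIRED_DENY = (".env", ".pem", ".key", "secrets")  # deny rules the skill expects

# Constructed sample inputs: one unpinned server, one with a --dangerous-* flag,
# a settings.json with gaps, and a hook script containing a fake GitHub token.
SAMPLE_MCP = {"mcpServers": {
    "files": {"command": "npx", "args": ["-y", "@example/files-mcp@latest", "/home/me"]},
    "browser": {"command": "npx", "args": ["example-browser-mcp@1.4.0", "--dangerous-allow-all"]},
}}
SAMPLE_SETTINGS = {"permissions": {"deny": ["Read(./.env)", "Read(./secrets/**)"],
                                   "allow": ["Bash(npm test:*)"]}}
SAMPLE_HOOK = "export GH_TOKEN=ghp_" + "a" * 36 + "\n"  # constructed, not a real token


def check_mcp(config: dict) -> list:
    """HIGH for unpinned npx packages (@latest or no version), CRITICAL for --dangerous-* flags."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        args = server.get("args", [])
        if server.get("command") in ("npx", "bunx"):
            pkgs = [a for a in args if not a.startswith("-")]
            # scoped packages start with "@", so the version tag is an "@" after index 0
            if pkgs and (pkgs[0].endswith("@latest") or "@" not in pkgs[0][1:]):
                findings.append(("HIGH", f"{name}: unpinned package {pkgs[0]}"))
        findings += [("CRITICAL", f"{name}: dangerous flag {a}") for a in args if a.startswith("--dangerous-")]
    return findings


def check_settings(settings: dict) -> list:
    """MEDIUM per missing deny rule, HIGH per Bash/Write allow, CRITICAL if permissions are skipped."""
    perms = settings.get("permissions", {})
    deny, allow = perms.get("deny", []), perms.get("allow", [])
    findings = [("MEDIUM", f"permissions.deny has no rule covering {n}")
                for n in REQUIRED_DENY if not any(n in rule for rule in deny)]
    findings += [("HIGH", f"permissions.allow grants {r}") for r in allow if r.startswith(("Bash", "Write"))]
    if "dangerouslySkipPermissions" in json.dumps(settings):  # catch the flag wherever it is nested
        findings.append(("CRITICAL", "dangerouslySkipPermissions set in settings"))
    return findings


def scan_secrets(text: str) -> list:
    return [("CRITICAL", f"possible {label}") for label, rx in SECRET_PATTERNS.items() if rx.search(text)]


def worst(findings: list) -> str:
    """Overall status for the report summary: most severe finding, or PASS when there are none."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return min((sev for sev, _ in findings), key=order.get, default="PASS")
```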
## 🛡️ Security Check Report
**Date**: [timestamp]
**Scope**: Claude Code configuration
### Results Summary
| Severity | Count | Status |
|----------|-------|--------|
| 🔴 CRITICAL | X | [PASS/FAIL] |
| 🟠 HIGH | X | [PASS/FAIL] |
| 🟡 MEDIUM | X | [PASS/FAIL] |
| 🟢 LOW | X | [PASS/FAIL] |
### 🔴 Critical Issues
[List each critical finding with location and fix]
### 🟠 High Issues
[List each high finding with location and fix]
### 🟡 Medium Issues
[List each medium finding with location and fix]
### ✅ Passed Checks
[List what passed, important for confidence]
### 🔧 Recommended Actions (Priority Order)
1. [Most urgent fix with exact command]
2. [Second priority]
3. [...]
### 📚 References
- Full security guide: guide/security-hardening.md
- Threat database: examples/skills/update-threat-db/threat-db.yaml
- MCP scan: `npx mcp-scan` (Snyk)
If ALL checks pass, output:
## 🛡️ Security Check Report: ALL CLEAR ✅
**Date**: [timestamp]
No known threats detected in your Claude Code configuration.
**Recommendations for continued security:**
- Re-run `/security-check` after installing new skills or MCP servers
- Run `/security-audit` for a comprehensive project + config audit
- Keep Claude Code updated (current security fixes in v2.1.34+)
$ARGUMENTS