// the find
affaan-m/agentshield
AI agent security scanner. Detect vulnerabilities in agent configurations, MCP servers, and tool permissions. Available as CLI, GitHub Action, ECC plugin, and GitHub App integration. 🛡️
AgentShield is a static security scanner for Claude Code configurations — it reads your ~/.claude/ directory and flags hardcoded secrets, wildcard tool permissions, dangerous hook patterns, and risky MCP server definitions across 102 rules. Built at a hackathon in Feb 2026, it targets the real gap between how fast developers wire up MCP servers and skills versus how carefully they audit what those configurations actually permit. Aimed at teams running Claude Code in CI or shared environments where a misconfigured hook is a lateral movement vector.
The runtimeConfidence tier system (active-runtime → template-example → plugin-cache etc.) is genuinely useful engineering — most static config scanners would just flag everything equally and get disabled after one noisy run. The score-weighting discounts (0.25x for template-example findings, capped at 10 points per file) mean a repo with a large MCP catalog doesn't automatically tank to grade F. The hook analysis rules are concrete and specific: ${file} interpolation in curl commands, silent-fail patterns like 2>/dev/null || true, and reverse shell signatures are exactly the things that slip past manual review. The three-agent Opus pipeline (red team + blue team + auditor running in parallel) is a reasonable approach to adversarial analysis — having an attacker find the exploit chain and a defender evaluate existing controls before the auditor synthesizes them produces more actionable output than a single LLM pass.
The npm package root exports the CLI entrypoint, not a stable scanner library — their own docs say 'do not import scanner internals as supported paths,' which means programmatic integration requires piping JSON output through a subprocess. That's workable but it's a real integration tax for anyone wanting to embed this in a custom pipeline. The false-positive documentation (false-positive-audit.md, the taxonomy, the triage rules) is extensive enough to be its own project, which suggests the scanner still generates enough noise that users need a manual triage workflow; a scanner that requires reading a companion audit doc to interpret results correctly will get disabled in CI. The --sandbox flag promises to execute hooks and observe behavior but real hook sandboxing without a proper container boundary is security theater — shell hooks that check for sandbox indicators or use indirect execution will trivially bypass it. There's also no cost estimate or token budget for --opus: three parallel Opus calls on a large config with verbose reasoning could easily run $5-10 per scan, and there's no warning before it starts.