agentshield
AgentShield is a security auditor/scanner for Claude Code agent setups. It scans local Claude configuration directories (e.g., ~/.claude/ and .claude/), detects hardcoded secrets, permission misconfigurations, unsafe hook behaviors, MCP server risks, and prompt/prompt-injection style vulnerabilities, and can output graded reports plus optional auto-fixes for certain issues.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Security scanning tool focused on detecting secrets and risky configurations in local Claude Code setups. TLS/auth scope for any network services is not applicable because the interface is primarily a local CLI. The '--opus' mode implies use of an external Anthropic API key, but the supplied content does not describe how that key is stored or handled, how network calls are authenticated, or how leaking secrets during scans or in report outputs is prevented.
⚡ Reliability
Best When
You are managing Claude Code configurations (local or repo-based) and want automated static auditing for common secret leakage, tool-permission overreach, unsafe hooks, and risky MCP server setups.
Avoid When
You need authoritative guarantees about runtime behavior, or you want a service/API to integrate into an environment with network-hosted endpoints and managed auth.
Use Cases
- Pre-flight auditing of local Claude Code agent configurations before deploying them
- CI checks for agent configuration security using JSON/HTML report outputs
- Auditing repositories that include .claude/ or MCP configuration templates for risky patterns
- Generating a baseline/safe configuration with an init command
- Hardening agent tool permissions and hook pipelines to reduce injection and exfiltration risk
Not For
- Runtime verification that a particular agent is actually vulnerable while running in production
- A full replacement for pen testing, cloud IAM reviews, or application-level threat modeling
- Scanning arbitrary non-Claude agent frameworks (its scope is Claude Code configuration patterns)
Interface
Authentication
The README indicates the CLI runs locally (auto-discovery and scanning). The optional '--opus' analysis requires ANTHROPIC_API_KEY, i.e., an external API key for the analysis mode rather than authentication to AgentShield itself.
Pricing
No pricing details are provided in the supplied README/manifest content.
Agent Metadata
Known Gotchas
- ⚠ Auto-discovery and template scoring may produce findings that do not correspond to active runtime exposure; interpret the runtimeConfidence fields accordingly.
- ⚠ Auto-fix changes may require review; although described as fixing 'safe issues', their behavior is only partially constrained by the tool's rule set.
- ⚠ Opus/LLM-based modes depend on external API keys and may introduce non-determinism compared with purely static scanning.
Scores are editorial opinions as of 2026-03-30.