Claude Code Security Audit Kit

Real CVEs, not hypothetical risks

These are documented vulnerabilities in Claude Code, not theoretical attack patterns:

• CVE-2026-21852 — API key exfiltration via redirected ANTHROPIC_BASE_URL. If settings.json points to a non-Anthropic domain, your key leaves your machine.
• CVE-2025-59536 (CVSS 8.7) — Hooks in .claude/settings.json execute shell commands before the trust dialog renders. Anyone with repo write access can run arbitrary code on your machine when you open the project.
• Bug #30731 (open) — Claude reads process environments and writes raw credential values into terminal output. If ANTHROPIC_API_KEY is in your shell profile, Claude may expose it in session logs.

The audit kit checks for all three, plus prompt injection risks in CLAUDE.md and over-trusted MCP servers.

What's in the kit

What it checks

• .claude/settings.json for bypassPermissions, wildcard Bash rules, and ANTHROPIC_BASE_URL redirects
• .claudeignore for missing .env, certificate, and credential file patterns
• CLAUDE.md for embedded prompt injection patterns
• .mcp.json for external servers and over-trusted stdio transports
• Shell profiles for API keys set as environment variables
• Git history for settings.json changes worth reviewing

Three ways to use it

Shell script (no Claude required):

bash audit-claude-code.sh

Exits 0 if no high-risk issues. Exits 1 if any are found. Runs in CI.

Claude skill:

mkdir -p .claude/skills
cp skills/security-audit.md .claude/skills/

Then: /security-audit in Claude Code. Claude reads your config files and produces a structured report.

Git pre-commit hook:

cp hooks/pre-commit-claude-guard.sh .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

Blocks commits containing bypassPermissions, wildcard permissions, or credential patterns before they reach the repo.