Skip to content

Backlog: agent-config / MCP / hook auditing (from AgentShield) — plugin-ingest vs kit-native checks #47

Description

@sandstream

Backlog — external-repo assessment of ECC / "Everything Claude Code" under the standing thesis: borrow patterns, not code. Only the relevant part is captured here.

Scoped out: the ECC harness itself

ECC is an agent-harness optimization system (~67 agents, 271 skills, hooks, MCP configs; ~80–100K★, openly controversial). A productivity harness with a huge surface — the opposite of kit's lean, focused, auditable gate. Not kit's category; not adopting.

The relevant signal: AgentShield

Inside ECC sits AgentShield"AI agent security scanner. Detect vulnerabilities in agent configurations, MCP servers, and tool permissions." CLI + GitHub Action + plugin + GitHub App. 102 rules / 1282 tests scanning CLAUDE.md, settings.json, MCP configs, hooks, and agent/skill definitions across 5 categories:

  • secrets detection (14 patterns)
  • permission auditing
  • hook-injection analysis
  • MCP-server risk profiling
  • agent-config review

(It also has an --opus red-team/blue-team/auditor LLM pipeline — out of scope for kit, against the zero-LLM ethos.)

Why this matters for kit

AgentShield scans a surface kit does not cover today. kit gates the dev environment / supply-chain / dependencies. AgentShield gates the agent harness's own config — MCP servers, hooks, settings.json permissions, CLAUDE.md injection. That's a distinct, fast-growing attack surface (prompt injection via MCP, malicious hooks, over-permissioned settings), and the deterministic 102 rules map directly onto kit's zero-LLM rule engine.

This ties together threads already in play: the security-guidance plugin flags hooks/workflow files as risky, and kit's triage gate exists for untriaged MCP/tool additions. AgentShield is the focused version of exactly that concern.

Two paths (not mutually exclusive)

  1. Ingest as a plugin — like snyk/wiz: run AgentShield, fold findings into kit check. Fastest; fits the "we run your scanners" model.
  2. Borrow the check category — kit-native deterministic checks for the agent-config surface: secrets in settings.json/MCP config, permission audit, hook-injection patterns, MCP-server risk. Zero-LLM, exactly kit's engine. Skip the --opus pipeline.

Net

Concrete, on-brand gap: agent-config / MCP / hook / permission auditing. Decide between plugin-ingest vs kit-native rules. Strongest "actually build something" finding from the research thread (cf. #45, #46).

Sources

🤖 Generated with Claude Code

https://claude.ai/code/session_015ERHw6bVUz39sAuoQZ1iyg

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions