Backlog — external-repo assessment of ECC / "Everything Claude Code" under the standing thesis: borrow patterns, not code. Only the relevant part is captured here.
Scoped out: the ECC harness itself
ECC is an agent-harness optimization system (~67 agents, 271 skills, hooks, MCP configs; ~80–100K★, openly controversial). A productivity harness with a huge surface — the opposite of kit's lean, focused, auditable gate. Not kit's category; not adopting.
The relevant signal: AgentShield
Inside ECC sits AgentShield — "AI agent security scanner. Detect vulnerabilities in agent configurations, MCP servers, and tool permissions." CLI + GitHub Action + plugin + GitHub App. 102 rules / 1282 tests scanning CLAUDE.md, settings.json, MCP configs, hooks, and agent/skill definitions across 5 categories:
- secrets detection (14 patterns)
- permission auditing
- hook-injection analysis
- MCP-server risk profiling
- agent-config review
(It also has an --opus red-team/blue-team/auditor LLM pipeline — out of scope for kit, against the zero-LLM ethos.)
Why this matters for kit
AgentShield scans a surface kit does not cover today. kit gates the dev environment / supply-chain / dependencies. AgentShield gates the agent harness's own config — MCP servers, hooks, settings.json permissions, CLAUDE.md injection. That's a distinct, fast-growing attack surface (prompt injection via MCP, malicious hooks, over-permissioned settings), and the deterministic 102 rules map directly onto kit's zero-LLM rule engine.
This ties together threads already in play: the security-guidance plugin flags hooks/workflow files as risky, and kit's triage gate exists for untriaged MCP/tool additions. AgentShield is the focused version of exactly that concern.
Two paths (not mutually exclusive)
- Ingest as a plugin — like
snyk/wiz: run AgentShield, fold findings into kit check. Fastest; fits the "we run your scanners" model.
- Borrow the check category — kit-native deterministic checks for the agent-config surface: secrets in
settings.json/MCP config, permission audit, hook-injection patterns, MCP-server risk. Zero-LLM, exactly kit's engine. Skip the --opus pipeline.
Net
Concrete, on-brand gap: agent-config / MCP / hook / permission auditing. Decide between plugin-ingest vs kit-native rules. Strongest "actually build something" finding from the research thread (cf. #45, #46).
Sources
🤖 Generated with Claude Code
https://claude.ai/code/session_015ERHw6bVUz39sAuoQZ1iyg
Backlog — external-repo assessment of ECC / "Everything Claude Code" under the standing thesis: borrow patterns, not code. Only the relevant part is captured here.
Scoped out: the ECC harness itself
ECC is an agent-harness optimization system (~67 agents, 271 skills, hooks, MCP configs; ~80–100K★, openly controversial). A productivity harness with a huge surface — the opposite of kit's lean, focused, auditable gate. Not kit's category; not adopting.
The relevant signal: AgentShield
Inside ECC sits AgentShield — "AI agent security scanner. Detect vulnerabilities in agent configurations, MCP servers, and tool permissions." CLI + GitHub Action + plugin + GitHub App. 102 rules / 1282 tests scanning
CLAUDE.md,settings.json, MCP configs, hooks, and agent/skill definitions across 5 categories:(It also has an
--opusred-team/blue-team/auditor LLM pipeline — out of scope for kit, against the zero-LLM ethos.)Why this matters for kit
AgentShield scans a surface kit does not cover today. kit gates the dev environment / supply-chain / dependencies. AgentShield gates the agent harness's own config — MCP servers, hooks,
settings.jsonpermissions,CLAUDE.mdinjection. That's a distinct, fast-growing attack surface (prompt injection via MCP, malicious hooks, over-permissioned settings), and the deterministic 102 rules map directly onto kit's zero-LLM rule engine.This ties together threads already in play: the security-guidance plugin flags hooks/workflow files as risky, and kit's triage gate exists for untriaged MCP/tool additions. AgentShield is the focused version of exactly that concern.
Two paths (not mutually exclusive)
snyk/wiz: run AgentShield, fold findings intokit check. Fastest; fits the "we run your scanners" model.settings.json/MCP config, permission audit, hook-injection patterns, MCP-server risk. Zero-LLM, exactly kit's engine. Skip the--opuspipeline.Net
Concrete, on-brand gap: agent-config / MCP / hook / permission auditing. Decide between plugin-ingest vs kit-native rules. Strongest "actually build something" finding from the research thread (cf. #45, #46).
Sources
🤖 Generated with Claude Code
https://claude.ai/code/session_015ERHw6bVUz39sAuoQZ1iyg