Skip to content

yoavTaieb/claude-recon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
README.md
README.md
 
 
claude-recon.sh
claude-recon.sh
 
 

Repository files navigation

claude-recon

  ____ _                 _        ____
 / ___| | __ _ _   _  __| | ___  |  _ \ ___  ___ ___  _ __
| |   | |/ _` | | | |/ _` |/ _ \ | |_) / _ \/ __/ _ \| '_ \
| |___| | (_| | |_| | (_| |  __/ |  _ <  __/ (_| (_) | | | |
 \____|_|\__,_|\__,_|\__,_|\___|  |_| \_\___|\___\___/|_| |_|
  // Security reconnaissance for Claude Desktop & Claude Code

Read-only security reconnaissance for Claude Desktop and Claude Code on macOS.

Inspect your Claude installation in seconds — MCP servers, plugins, extensions, scheduled tasks, cowork settings, and more — without modifying a single file.

Gemini_Generated_Image_43vwzq43vwzq43vw

🔍 Features

Area What it checks
Desktop Settings keepAwakeEnabled, menuBarEnabled, sidebar mode, keyboard shortcuts
Cowork Settings Scheduled tasks, web search, browser access, network mode, egress domains
MCP Servers All configured servers, commands, arguments, env-var keys (secrets masked)
Plugins Installed, remote (org-deployed), and cached plugins with version, scope & source
Connectors Web-authenticated, desktop, and disconnected service connectors
Skills User-created skills and skills bundled with plugins
Scheduled Tasks Active cron-style tasks with schedule, status, and associated skill
Extensions (DXT) Installed extensions, signature status, and any dangerous tool declarations
Security Findings CRITICAL / WARN / REVIEW findings with context
Recommendations Actionable summary of items requiring attention

All credential-like strings in MCP args (API keys, tokens, passwords, etc.) are automatically masked as [MASKED].

📋 Requirements

  • macOS (required — reads macOS-specific config paths)
  • zsh (pre-installed on macOS)
  • jq — install with:
brew install jq

📦 Installation

No install needed. Just download the script and make it executable:

# Clone or download
git clone https://github.com/yourname/claude-recon.git
cd claude-recon

# Make executable (one-time)
chmod +x claude-recon.sh

🚀 Usage

./claude-recon.sh [options]

Options

Flag Description
(none) Print a colour-coded ASCII report to the terminal
--user USER Scan a specific macOS user instead of the current one
--all-users Scan every user with a Claude installation (requires root)
--html Save an HTML report (auto-named claude_recon_<user>_<timestamp>.html)
--html FILE Save the HTML report to a specific file
--json Print a machine-readable JSON report
--version Print the tool version
-h / --help Show help

💡 Examples

# Quick terminal scan (current user)
./claude-recon.sh

# Save a self-contained HTML report
./claude-recon.sh --html

# Save HTML to a specific path
./claude-recon.sh --html ~/Desktop/my-claude-report.html

# JSON output (pipe-friendly)
./claude-recon.sh --json

# JSON output, piped to jq
./claude-recon.sh --json | jq '.findings'

# Scan another user
./claude-recon.sh --user alice

# Scan all users on a shared machine (run as root)
sudo ./claude-recon.sh --all-users

🖥️ Sample Output

  ____ _                 _        ____
 / ___| | __ _ _   _  __| | ___  |  _ \ ___  ___ ___  _ __
| |   | |/ _` | | | |/ _` |/ _ \ | |_) / _ \/ __/ _ \| '_ \
| |___| | (_| | |_| | (_| |  __/ |  _ <  __/ (_| (_) | | | |
 \____|_|\__,_|\__,_|\__,_|\___|  |_| \_\___|\___\___/|_| |_|
  // Security reconnaissance for Claude Desktop & Claude Code

╔══════════════════════════════════════════════════════════════════╗
║              Wed Mar 26 2026, 11:42:03                           ║
║              Host: macbook.local | User: alice                   ║
╚══════════════════════════════════════════════════════════════════╝

─── OVERVIEW ──────────────────────────────────────────────────────
  Scheduled tasks: 2  |  MCP servers: 3  |  Extensions: 1
  Plugins: 1 installed, 1 remote, 0 cached  |  Connectors: 2 web, 1 not connected
  Skills: 4  |  Findings: 2 warnings, 1 items to review

─── COWORK SETTINGS ───────────────────────────────────────────────
  scheduledTasksEnabled:         ON   ⚠ Autonomous task execution
  webSearchEnabled:              ON   ⚠ Autonomous internet access

─── MCP SERVERS ───────────────────────────────────────────────────
┌────────────────────────────┬────────────────────────────────┬──────────────────┬──────────────────┐
│ Server Name                │ Command                        │ Args             │ Env Vars         │
├────────────────────────────┼────────────────────────────────┼──────────────────┼──────────────────┤
│ filesystem                 │ npx                            │ -y @mcp/fs       │ -                │
│ github                     │ npx                            │ -y @mcp/github   │ GITHUB_TOKEN     │
└────────────────────────────┴────────────────────────────────┴──────────────────┴──────────────────┘

─── SECURITY FINDINGS ─────────────────────────────────────────────
  [WARN] Unsigned extension: my-local-ext

─── RECOMMENDATIONS ───────────────────────────────────────────────
  1. Scheduled tasks are active — review task list above
  2. Remote plugins: analytics-helper

The HTML report (--html) renders the same information in a dark-themed, print-friendly page.

🚨 Finding severity levels

Every finding in the Security Findings section carries one of five severity labels:

Level Meaning
🔴 CRITICAL Serious misconfiguration or security risk requiring immediate attention
🟡 WARN Elevated-risk setting that is active and worth reviewing (e.g. scheduled tasks enabled, unsigned extensions)
🟠 REVIEW Noteworthy item that isn't necessarily dangerous but deserves a manual check (e.g. remotely-deployed plugins)
🔵 INFO Informational — no action needed, context only
🟢 OK / PASS Explicitly verified as safe or correctly configured

In terminal output, levels are colour-coded: CRITICAL in red, WARN / REVIEW in yellow/orange, INFO in cyan, and OK in green. In the HTML report, each level renders as a colour-coded badge.

📂 What gets scanned

claude-recon reads the following locations on disk (no network calls, no writes):

Product Config paths
Claude Desktop ~/Library/Application Support/Claude/
Claude Code ~/.claude/

Specifically:

  • claude_desktop_config.json — MCP servers, preferences
  • config.json — network mode, extension allowlists
  • extensions-installations.json — DXT extensions
  • local-agent-mode-sessions/ — plugins, connectors, skills, cowork settings, scheduled tasks

🔒 Security notes

  • Read-only — the script never writes, moves, or deletes files.
  • No network — all data is sourced from local config files only.
  • Secret masking — API keys, tokens, and passwords in MCP server arguments are detected by pattern and replaced with [MASKED] before display.
  • Local execution — run only on machines you own or administer.

License

MIT

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

5 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages