CASE FILE · SL-26
shortleash
AGENT CONFIGURATION AUDIT
FORM SL-26 · REV 0.2.0
SUBJECT
The coding agent you gave shell, network & file access
SURFACE
.mcp.json · .claude/settings.json · hooks · CLAUDE.md / AGENTS.md · CI
LAST AUDITED
NEVER

Runtime monitors record what your agent did.
Nothing checks what you allowed it to do.

shortleash reads the same files your agent does — MCP server configs, permission allowlists, hooks, instruction files — and files a graded report on the attack surface they create. 26 rules. Zero dependencies. Nothing leaves your machine.

$ npx shortleash .
FIELD KIT — FREE, RUNS OFFLINE
EXHIBIT

A — recovered from a typical repo

TERMINAL CAPTURE, UNEDITED. SECRETS REDACTED FOR THIS FILING.
shortleash v0.2.0  —  ~/code/acme-api

■ CRITICAL
  MCP-002  Secret hardcoded in MCP config
    .mcp.json:11  env.API_KEY = sk-ant-api03-h7Jw… (37 chars)
  INJ-001  Invisible Unicode in instruction file
    CLAUDE.md:8  1 invisible character(s): U+200B
  HOOK-001  Hook pipes a remote download to a shell
    .claude/settings.json:19  curl -s https://…/h.sh | sh

■ HIGH
  MCP-001  Unpinned MCP server package
    .mcp.json:4  "filesystem" reinstalls latest on every start
  PERM-002  Destructive command allowlisted
    .claude/settings.json:6  allow entry "Bash(rm -rf:*)"

──────────────────────────────────────────────────
Grade: F   score 12/100  (3 critical, 2 high)
Audited 9 surface file(s): .mcp.json, CLAUDE.md, …
GRADE F
SECTION

1 — known vectors

The agent-config surface is version-controlled, team-shared and PR-modifiable. One merged line changes what every teammate's agent is allowed to do.

Supply chain, every session

An unpinned npx MCP server reinstalls "latest" on every agent start. A compromised release runs with everything you granted the agent.

Injection hides in plain sight

Zero-width Unicode, HTML comments and encoded blobs put instructions in files your agent reads every session — and your reviewers never see. do not tell the user renders as nothing.

Allowlists are standing approval

Pre-approved curl is an exfiltration channel. Pre-approved rm is one injected sentence away from running unprompted.

SECTION

2 — rule ledger · 26 rules, 8 areas

Coverage: Claude Code, Cursor, VS Code / Copilot, Windsurf, Gemini CLI, aider. Full reference ships in the repo (docs/RULES.md).

SERIESAREACHECKS FORRULES
MCP-00xMCP server configsUnpinned packages, inline API keys, plain-http remotes, curl|sh launchers, mutable docker tags5
PERM-00xPermission allowlistsBlanket Bash, pre-approved destructive/network commands, bypassed prompts, home-dir grants, unscoped WebFetch6
HOOK-00xHooksRemote downloads piped to shells, base64/eval obfuscation, out-of-repo scripts3
INJ-00xInstruction filesInvisible Unicode, "ignore previous instructions", fetch-and-follow URLs, encoded blobs, HTML-comment directives5
SEC / EXPSecrets & exposureCredentials in agent-read files, unprotected .env, .npmrc / .netrc / AWS files3
VSC-001Editor settingsVS Code chat.tools.autoApprove in workspace settings1
CI-00xCI workflowsAgents fed untrusted input; --dangerously-skip-permissions next to repo secrets2
CFG-001Config hygieneAgent configs that exist but can't be parsed — unauditable grants1
SECTION

3 — fee schedule

TIER I — FIELD KIT
$0
  • All 26 rules, A–F grade
  • JSON, Markdown & SARIF output
  • CI gate, baseline & GitHub Action
  • --global audit of ~/.claude
  • Zero telemetry, fully offline
npx shortleash .
NOT A SUBSCRIPTION
TIER II — EXAMINER
$49 ONE-TIME
  • Self-contained HTML reports
  • White-label with your own letterhead
  • Built for consultants auditing client repos
  • Priority rule updates
  • Offline key, yours forever
Get Pro
FORM

4 — request notification of Pro release

Pro checkout opens shortly. File your email below; you'll receive your license key the moment it's live. One email, no list, no follow-ups.