shortleash reads the same files your agent does — MCP server configs, permission allowlists, hooks, instruction files — and files a graded report on the attack surface they create. 26 rules. Zero dependencies. Nothing leaves your machine.
shortleash v0.2.0 — ~/code/acme-api ■ CRITICAL MCP-002 Secret hardcoded in MCP config .mcp.json:11 env.API_KEY = sk-ant-api03-h7Jw… (37 chars) INJ-001 Invisible Unicode in instruction file CLAUDE.md:8 1 invisible character(s): U+200B HOOK-001 Hook pipes a remote download to a shell .claude/settings.json:19 curl -s https://…/h.sh | sh ■ HIGH MCP-001 Unpinned MCP server package .mcp.json:4 "filesystem" reinstalls latest on every start PERM-002 Destructive command allowlisted .claude/settings.json:6 allow entry "Bash(rm -rf:*)" ────────────────────────────────────────────────── Grade: F score 12/100 (3 critical, 2 high) Audited 9 surface file(s): .mcp.json, CLAUDE.md, …
The agent-config surface is version-controlled, team-shared and PR-modifiable. One merged line changes what every teammate's agent is allowed to do.
An unpinned npx MCP server reinstalls "latest" on every agent start. A compromised release runs with everything you granted the agent.
Zero-width Unicode, HTML comments and encoded blobs put instructions in files your agent reads every session — and your reviewers never see. do not tell the user renders as nothing.
Pre-approved curl is an exfiltration channel. Pre-approved rm is one injected sentence away from running unprompted.
Coverage: Claude Code, Cursor, VS Code / Copilot, Windsurf, Gemini CLI, aider. Full reference ships in the repo (docs/RULES.md).
| SERIES | AREA | CHECKS FOR | RULES |
|---|---|---|---|
| MCP-00x | MCP server configs | Unpinned packages, inline API keys, plain-http remotes, curl|sh launchers, mutable docker tags | 5 |
| PERM-00x | Permission allowlists | Blanket Bash, pre-approved destructive/network commands, bypassed prompts, home-dir grants, unscoped WebFetch | 6 |
| HOOK-00x | Hooks | Remote downloads piped to shells, base64/eval obfuscation, out-of-repo scripts | 3 |
| INJ-00x | Instruction files | Invisible Unicode, "ignore previous instructions", fetch-and-follow URLs, encoded blobs, HTML-comment directives | 5 |
| SEC / EXP | Secrets & exposure | Credentials in agent-read files, unprotected .env, .npmrc / .netrc / AWS files | 3 |
| VSC-001 | Editor settings | VS Code chat.tools.autoApprove in workspace settings | 1 |
| CI-00x | CI workflows | Agents fed untrusted input; --dangerously-skip-permissions next to repo secrets | 2 |
| CFG-001 | Config hygiene | Agent configs that exist but can't be parsed — unauditable grants | 1 |
--global audit of ~/.claudePro checkout opens shortly. File your email below; you'll receive your license key the moment it's live. One email, no list, no follow-ups.