Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

edimuj/vexscan-claude-code

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.claude-plugin
.claude-plugin
 
 
plugin
plugin
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Vexscan Mascot

Vexscan for Claude Code

Don't let malicious plugins hijack your AI sessions.
Security scanner that protects Claude Code from untrusted plugins, skills, MCPs, and hooks.

License Release

Why?

Claude Code's plugin ecosystem is powerful — but with great power comes great risk. A malicious plugin can:

  • Steal credentials from your environment (API keys, SSH keys, cloud tokens)
  • Exfiltrate data to external servers via webhooks
  • Inject prompts that override your instructions
  • Execute arbitrary code on your machine

Vexscan scans plugins before they can do damage, using pattern detection and AI-powered analysis to separate real threats from false positives.

Quick Start

# Add the marketplace
claude plugin marketplace add edimuj/vexscan-claude-code

# Install the plugin
claude plugin install vexscan@vexscan-claude-code

That's it. Vexscan now scans your plugins automatically on every session start. AI analysis runs through your existing Claude Code subscription — no extra API keys or costs.

What You'll See

On session start, Vexscan runs in the background and alerts you if it finds anything:

SECURITY ALERT: Found 2 critical, 5 high, 3 medium issue(s) in plugins/skills.
Run /vexscan:scan for AI-powered analysis.

Commands

Command Description
/vexscan:scan Scan all plugins with AI-powered analysis
/vexscan:scan <path> Scan a specific directory
/vexscan:vet <url> Vet a plugin before installing

Example: Vetting Before Install

/vexscan:vet https://github.com/someone/cool-plugin

Get a verdict (SAFE / CAUTION / RISKY / DANGEROUS) before you install anything.

Detection Coverage

Category What It Catches
Code Execution eval(), new Function(), exec()
Shell Injection child_process, subprocess calls, command injection
Data Exfiltration Discord webhooks, external POST requests, fetch to unknown hosts
Credential Theft SSH keys, AWS credentials, .env files, API tokens
Prompt Injection System prompt overrides, instruction hijacking
Obfuscation Base64/hex/unicode encoding to hide malicious code

How It Works

  1. SessionStart hook triggers automatic scan of ~/.claude
  2. Vexscan CLI (Rust) performs fast static analysis + AST parsing
  3. Smart filtering skips official Anthropic plugins and node_modules
  4. AI analysis uses your existing Claude Code subscription to review findings — no extra API keys needed

Manual Installation

git clone https://github.com/edimuj/vexscan-claude-code.git ~/.claude/plugins/vexscan

The Vexscan CLI auto-installs on first use. To install manually:

curl -fsSL https://raw.githubusercontent.com/edimuj/vexscan/main/install.sh | bash

Related

License

Apache 2.0

About

Security scanner plugin for Claude Code - protects against malicious plugins, skills, MCPs, and hooks

Topics

security-tools claude ai-security-tool claude-code claude-code-plugin claude-code-skill

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.2.0 Latest
Feb 3, 2026

Contributors

Languages