melodic-software/audit-settings
plugins/claude-ecosystem/skills/audit-settings/SKILL.md
Audit Claude Code settings.json files for quality, compliance, and security. Use to validate configuration before deployment or check for exposed secrets.
$ install --global
skillsauthnpx skillsauth add melodic-software/claude-code-plugins audit-settingsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 8:33 AM33.2s1 file scanned
SKILL.md
- name:
- audit-settings
- description:
- Audit Claude Code settings.json files for quality, compliance, and security. Use to validate configuration before deployment or check for exposed secrets.
- argument-hint:
- [project | user | all] [--force | --skip-validation]
- allowed-tools:
- Read, Bash, Glob, Grep, Task
- model:
- opus
Audit Settings Command
Audit Claude Code settings.json files for quality, compliance, and security.
Initialization
Before auditing, initialize the environment:
Get the current UTC date, capture the project root path, ensure the temp directory exists, and clean up stale audit files. The settings-management skill provides authoritative validation guidance (auto-loaded when this command runs).
What Gets Audited
- JSON syntax validity
- Schema compliance (valid settings options)
- Permission rules configuration
- Sandbox settings
- Environment variable configuration
- Security (no exposed secrets)
Command Arguments
| Argument | Description |
| --- | --- |
| (none) | Audit all discoverable settings files |
| project | Only audit .claude/settings.json |
| user | Only audit ~/.claude/settings.json |
| all | Audit all scopes explicitly |
| --force | Audit regardless of modification status |
| --skip-validation | Skip finding validation (faster, but may include false positives) |
Step 1: Discover Settings Files
Check project settings (.claude/settings.json), user settings (~/.claude/settings.json on Unix, %USERPROFILE%\.claude\settings.json on Windows), and plugin settings in marketplace repos.
Step 2: Parse Arguments
Parse scope selector and --force flag. Filter files to match requested scope.
Step 3: Present Audit Plan
Display mode, files discovered, and list with scope and last modified date.
Step 4: Execute Audits
For each file, spawn the settings-auditor subagent with scope, path, and last audit date. Run in parallel when multiple exist.
Subagents write findings to .claude/temp/. The main conversation thread collects results and updates audit logs using its Write/Edit tools.
Step 4.5: Validate Findings
Unless --skip-validation flag is present:
- Spawn the
audit-finding-validatoragent with:project_root: The captured project root pathaudit_type: "settings"audit_files: List of.claude/temp/audit-*-settings-*.jsonfile paths
- Wait for validation to complete
- Read updated JSON files with validation results
- Filter out FALSE_POSITIVE findings completely before aggregation
- Note: Filtered findings are logged to
.claude/temp/audit-filtered-findings.json
If --skip-validation flag is present:
- Skip validation phase entirely (current speed preserved)
- Present all findings without filtering
- Note in summary: "Validation: Skipped"
Step 5: Final Summary
Report total audited by scope, results, and details table. List security alerts with remediation.
Include validation statistics (if validation was performed):
- Validation performed: Yes/No
- Findings validated: X
- False positives filtered: Y
- Verified findings: Z
- Unverified findings: W
Security Considerations
| Scope | Credentials Found | Result | | --- | --- | --- | | Project | Yes | CRITICAL - version controlled | | User | Yes | WARNING - not version controlled |
Project settings should NEVER contain API keys or tokens (version controlled).
Cross-Platform Paths
| Platform | User Settings |
| --- | --- |
| Unix | ~/.claude/settings.json |
| Windows | %USERPROFILE%\.claude\settings.json |
Audit Log Location
All audit results are written to .claude/audit/settings.md.
Use /audit-log settings to view current audit status.
Example Usage
Example 1: Audit All Settings Files
User: /audit-settings
Claude: Discovering settings files...
## Audit Plan
**Mode**: SMART
**Files discovered**: 2
1. [project] .claude/settings.json
2. [user] ~/.claude/settings.json
[Spawns settings-auditor subagents]
## Audit Complete
| Scope | File | Result | Score |
| --- | --- | --- | --- |
| project | .claude/settings.json | PASS | 100/100 |
| user | ~/.claude/settings.json | PASS | 98/100 |
Example 2: Audit Project Only
User: /audit-settings project
Claude: Auditing project settings...
Related Skills
melodic-software/milan-jovanovic-blog
development
VerifiedTrustedCommunity
Search Milan Jovanovic's .NET blog for Clean Architecture, DDD, CQRS, EF Core, and ASP.NET Core patterns. Use for finding applicable patterns, code examples, and architecture guidance. Invoke when working with .NET projects that could benefit from proven architectural patterns.
47SKILL.mdUpdated Apr 7, 2026
melodic-software/setup-dab
tools
VerifiedTrustedCommunity
Install and configure Data API Builder (DAB) for production SQL Server MCP access with RBAC
47SKILL.mdUpdated Apr 7, 2026
melodic-software/mssql
tools
VerifiedTrustedCommunity
Manage MssqlMcp servers - status, rebuild, and upstream updates
47SKILL.mdUpdated Apr 7, 2026
melodic-software/onboarding
tools
VerifiedTrustedCommunity
Developer environment setup guides for Windows, macOS, Linux, and WSL. Use when setting up development machines, installing tools, configuring environments, or following platform-specific setup guides. Covers package management, shell/terminal, code editors, AI tooling, containerization, databases, and more.
47SKILL.mdUpdated Apr 7, 2026