
cc-audit

AI-free static security scanner for Claude Code artifacts (Skills, Hooks, MCP configs). Detects data exfiltration, prompt injection, and supply chain risks with deterministic, reproducible results.

Installation
Run this command in your terminal to register the MCP server with Claude Code (stdio transport; both environment variables are optional):

claude mcp add --transport stdio \
  --env LOG_LEVEL=info \
  --env MCP_CONFIG_PATH=./mcp.json \
  ryo-ebata-cc-audit -- cc-audit serve

LOG_LEVEL accepts debug, info, warn or error. MCP_CONFIG_PATH points at the MCP config to validate and defaults to ./mcp.json when unset.
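The same server can also be declared in a project-scoped .mcp.json, the file Claude Code reads for project-level MCP servers, so the scanner is registered for everyone who checks out the repository. The fragment below is an added example, not configuration shipped by the cc-audit project; the env values are the ones the page documents (LOG_LEVEL in debug|info|warn|error, MCP_CONFIG_PATH defaulting to ./mcp.json), and the server key name is arbitrary.

```json
{
  "mcpServers": {
    "cc-audit": {
      "command": "cc-audit",
      "args": ["serve"],
      "env": {
        "LOG_LEVEL": "info",
        "MCP_CONFIG_PATH": "./mcp.json"
      }
    }
  }
}
```

Because this file is read from the repository, treat it as code under review: a malicious change to "command" or "args" here would run on every contributor's machine, which is exactly the class of supply-chain risk cc-audit exists to flag.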

How to use

cc-audit is a static security auditor for Claude Code artifacts (MCP server definitions, Skills, Hooks, and related configuration), meant to be run before an artifact is installed. Its analysis is AI-free: findings come from deterministic rules, so the same input always produces the same report, which is what makes it usable as a pre-install or CI gate. When run as an MCP server (cc-audit serve), it wraps that auditing workflow so the MCP runtime can ask it to validate MCP definitions and report findings; the same checks are available from the CLI, with output in formats such as JSON or HTML.

To use the MCP server, install the binary (via cargo, Homebrew, or a prebuilt release) and start it with the serve command. The tool also supports strict and severity-filtered scans, a watch mode for development, and scanning of further artifact types (MCPs, Docker containers, dependencies, and more) through one unified interface.

How to install

Prerequisites:

  • Rust toolchain (Rust 1.60+ recommended) for building from source or installing via cargo
  • Optional: Node.js for npm packaging workflows (if you also plan to use the npm package)
  • Access to GitHub for fetching the repository or releases

Installation options:

  1. Install via Cargo (recommended; builds the published crate)

    • Ensure Rust is installed: https://rust-lang.org
    • Install the binary: cargo install cc-audit
    • Verify: cc-audit --version
  2. Install via Homebrew (macOS/Linux, if available in the tap)

    • brew install ryo-ebata/tap/cc-audit
    • Verify: cc-audit --version
  3. From source

    • Clone the repository and, from its root, run: cargo install --path .
    • Verify: cc-audit --version
  4. npm packaging (optional)

    • npm install -g @cc-audit/cc-audit
    • Use via: npx @cc-audit/cc-audit check ./my-skill/

The prerequisites for running the MCP server are the same; once the binary is installed, start the server with: cc-audit serve

Notes:

  • If you run the MCP server in a container or from automation, make sure the environment variables it uses (LOG_LEVEL, MCP_CONFIG_PATH) are passed through, the artifacts to be scanned are readable from inside that environment, and any network access your deployment requires is available.

Additional notes

Tips and common considerations:

  • The MCP server can be started in proxy or stand-alone mode; the serve command is the entry point in both cases.
  • Configure logging and the MCP config path through environment variables (LOG_LEVEL, MCP_CONFIG_PATH) as needed.
  • To scan other artifact types (Docker images, dependencies, etc.), make sure the relevant scanners are enabled in the configuration.
  • For CI/CD, emit SARIF or JSON output so findings can be ingested by security dashboards, and fail the pipeline on findings at or above the severity you choose to gate on.
  • If you hit permission or network errors, check the user the container or runtime executes as and whether any API keys or secrets the deployment expects are present.
  • Update to the latest release regularly to pick up new detection rules and MCP integration improvements.
