Claude Code Plugin
Real-time threat detection, security auditing, and 10 slash commands. No account or configuration required.
Install
Two install commands in Claude Code, then a restart. Skills register immediately; hooks activate on the next Claude Code launch.
$ /plugin marketplace add agentkeeper/security$ /plugin install agentkeeperThen quit and reopen Claude Code. Hooks are loaded at startup and a full restart is required.
Source code: github.com/rad-security/agentkeeper/tree/main/plugin
What you get
Threat detection patterns
Credential exfiltration, reverse shells, prompt injection, SUID manipulation, DNS exfiltration
4 lifecycle hooks
UserPromptSubmit, PreToolUse, PostToolUse, SessionStart, every action covered
10 slash commands
Security auditing, secret scanning, plugin inspection, session recap
Warn or block
Default is warn (flag but don't stop). Switch to block with /agentkeeper:setup
Zero network calls
Local mode: everything runs on your machine. No telemetry, no account needed.
Fail-open design
Detection errors never block your workflow. Tools keep working no matter what.
Slash commands
| Command | Description |
|---|---|
/agentkeeper:audit | Run a full security audit (setup compliance, secret scanning, supply chain) |
/agentkeeper:connect | Connect to dashboard, write HTTP hooks to settings.json |
/agentkeeper:disconnect | Remove hooks and API key |
/agentkeeper:inspect | Audit all installed plugins/skills/hooks/MCP servers for malicious behavior |
/agentkeeper:policies | View organization security policies |
/agentkeeper:recap | Summarize current session from security perspective |
/agentkeeper:scan | Run host security scanner (macOS/Linux checks) |
/agentkeeper:secrets | Scan working directory for exposed secrets/API keys |
/agentkeeper:setup | Guided onboarding, check current mode |
/agentkeeper:status | Show shield status, connection mode, threat stats |
Detection patterns
The local engine runs in under 50ms with zero dependencies. Organized by tool type.
Bash commands
10 patterns- •Credential exfiltration (pipe, subshell, combined)
- •Reverse shells (bash, nc, python, perl, ruby, base64-encoded)
- •Security control bypass (firewall, SELinux/AppArmor, antivirus)
- •Destructive operations (recursive delete from system dirs)
- •History tampering (clearing history, unsetting HISTFILE)
- •SSH key exfiltration with network activity
- •Cryptomining (xmrig, stratum+tcp, pool connections)
- •DNS exfiltration (encoded data in DNS queries)
- •SUID/SGID manipulation (privilege escalation)
- •Suspicious package install (raw URLs, not registries)
File writes (Edit/Write)
6 patterns- •SSH config / authorized_keys modification
- •Cron / LaunchDaemon injection
- •System file writes (/etc, /usr, /var)
- •Startup script injection (.bashrc, .zshrc, .profile)
- •CI/CD pipeline tampering (GitHub Actions, GitLab CI, Jenkinsfile)
- •Git hook injection (.git/hooks/)
File reads (warn only)
4 categories- •SSH keys, AWS credentials, GCloud credentials
- •Kube config, Docker config, npm/PyPI/git credentials
- •Shadow files, GPG keys, Vault tokens, .env files
- •PostgreSQL and MySQL credential files
Prompts
6 patterns- •Override attempts, "ignore previous instructions"
- •Persona hijacking, "you are now", "from now on"
- •Jailbreak patterns, DAN mode, developer mode, god mode
- •Exfiltration instructions, "send all data to"
- •Credential requests, "show me all API keys"
- •Security disable requests, "turn off the firewall"
Web requests
- •Known exfiltration endpoints (requestbin, pipedream, webhook.site, ngrok, burp collaborator)
- •Raw IP fetches to non-private addresses
Connect your dashboard
The plugin works standalone. Connecting a free account adds dashboard visibility.
$ /agentkeeper:connect- 1.Sign up at Sign up (free, no credit card)
- 2.Create an API key in Settings
- 3.Paste the key when prompted
Connected mode adds
- ✓Full threat feed with timestamps, session context, and user identity
- ✓Scan history and trend tracking
- ✓Setup audit tracking over time
- ✓Team fleet management (Pro/Team plans)
Plugin vs repo hooks
| Plugin | Push-hooks | |
|---|---|---|
| Best for | Individual developers | Security teams |
| Install | /plugin install | .claude/settings.json or GitHub integration |
| Distribution | Each developer installs | Commit to git, whole team covered |
| Detection | Local engine | API engine (extended patterns) |
| Account required | No (optional) | Yes |
| Team visibility | Per-developer | Fleet-wide |
Use the plugin for personal protection. Use repo hooks when you need centralized policy enforcement and fleet-wide compliance.