# Security
Security model and vulnerability reporting for Claude Code Setup.
## Trust Model
Claude Code Setup modifies files in ~/.claude/ and ~/.claude.json. Understanding the trust model:
### What We Install
| Component | Source | Trust Level |
|---|---|---|
| CLAUDE.md templates | This repo | Reviewed |
| Commands | This repo | Reviewed |
| Skills | This repo | Reviewed |
| MCP servers | npm packages | Third-party |
| Custom modules | User-provided Git | User responsibility |
### User Responsibility
- Custom modules: You’re responsible for reviewing custom module repositories before using `/add-custom`
- API keys: Store in environment variables or `.env` files, never in CLAUDE.md
- MCP servers: npm packages are third-party; review before enabling
## Best Practices
### API Keys
Never put secrets in CLAUDE.md:
```markdown
<!-- BAD - Don't do this -->
API_KEY=sk-secret-123

<!-- GOOD - Reference location -->
API keys are in ~/.config/secrets/.env
```
### Custom Modules
Before installing custom modules:
- Review the repository
- Check the SKILL.md and MCP configs
- Verify the source is trusted
### File Permissions
The installer creates files with default permissions. For sensitive configs:
```sh
chmod 600 ~/.claude.json  # Restrict MCP config with API keys
```
## Vulnerability Reporting
Found a security issue?
- Do not open a public issue
- Use GitHub’s private vulnerability reporting
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
We’ll respond within 48 hours.
## Security Updates
Security fixes are released as soon as possible:
- Patch is developed and tested
- Released with a `fix(security):` commit
- Users update via `/claude-code-setup`
Check the Changelog for security updates.
## Auditing
### Check Installed Modules
```sh
./install.sh --list
```
### Review MCP Configuration
```sh
cat ~/.claude.json
```
### Check Custom Modules
```sh
ls ~/.claude/custom/
cat ~/.claude/installed.json
```
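To turn the file-permission advice, the "never put secrets in CLAUDE.md" rule and the audit steps above into one repeatable check, here is an added example script. It is not part of Claude Code Setup; the `~/.config/secrets/.env` location and the pattern used to spot credential-looking lines are assumptions for illustration. It verifies that `~/.claude.json` is readable by its owner only, flags lines in CLAUDE.md files that look like inline credentials without printing the values, and lists the custom modules directory.

```shell
#!/bin/sh
# Added example (not part of Claude Code Setup): a read-only audit of the
# files the installer touches. ~/.config/secrets/.env and the secret-matching
# pattern below are assumptions for illustration.

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the file is readable by its owner alone (0600 or 0400).
check_private() {
  f=$1
  if [ ! -e "$f" ]; then
    echo "$f: not present, nothing to check"
    return 0
  fi
  mode=$(file_mode "$f")
  case "$mode" in
    600|400) echo "$f: mode $mode ok"; return 0 ;;
    *) echo "$f: mode $mode is too open; fix with: chmod 600 $f"; return 1 ;;
  esac
}

# Flag lines that look like inline credentials (KEY=value with a long value,
# or an sk-... style token). Reports file:line only, never the value itself.
# Returns 1 when anything was found, 0 when the file is clean.
scan_inline_secrets() {
  f=$1
  pat='(api_?key|secret|token|password)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}|sk-[A-Za-z0-9_-]{8,}'
  hits=$(grep -inE "$pat" "$f" | cut -d: -f1 || true)
  if [ -z "$hits" ]; then
    echo "$f: no inline secrets found"
    return 0
  fi
  for ln in $hits; do
    echo "$f:$ln: possible inline secret; move it to an env var or .env file"
  done
  return 1
}

# Walk the default locations under a home directory (defaults to $HOME).
# Exit status is non-zero if anything needs action.
audit_claude_setup() {
  home=${1:-$HOME}
  rc=0
  check_private "$home/.claude.json" || rc=1
  check_private "$home/.config/secrets/.env" || rc=1   # assumed secrets location
  for md in "$home/.claude/CLAUDE.md" "$home"/.claude/custom/*/CLAUDE.md; do
    [ -f "$md" ] || continue
    scan_inline_secrets "$md" || rc=1
  done
  if [ -d "$home/.claude/custom" ]; then
    echo "custom modules present:"
    ls "$home/.claude/custom"
  fi
  return $rc
}

# Audit the real home directory only when asked explicitly: sh audit.sh --run
case "${1:-}" in
  --run) audit_claude_setup ;;
esac
```

The script never modifies anything; it prints the `chmod 600` to run and the line numbers to clean up, so it can sit in a pre-commit hook or a periodic cron job without risk of altering the configuration it inspects.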