Security agents · agents · 12 picks

Best security review agents for Claude

Agents focused on security review, vulnerability detection, and secure-coding enforcement for Claude.

Curated by @heyclaude-editors Updated 2026-06-19


Compared at a glance

The top 5 picks side by side on trust, install, platform support, and disclosed notes — full rationale for each below.

1. MCP Server Threat Modeling Agent

Source-backed agent that threat-models an MCP server before it is connected to Claude Code, covering trust verification, tool authority and side effects, prompt injection via tool output, network and credential exposure, and least-privilege mitigations, grounded in the official security docs.

Install risk: Review first
Notes: Safety, Privacy
Category: agents
Source: source-backed
Author: JPette1783
Added: 2026-06-05
Platforms: Claude Code
Safety notes: This agent assesses risk; it does not connect to or exercise the server. Connecting a new MCP server requires trust verification, which is disabled in non-interactive (-p) runs. Treat MCP tool output as untrusted content that can carry prompt-injection instructions; recommend not auto-acting on it and keeping result sizes bounded. Recommend least-privilege: explicit allow rules, confirmation for write tools, and disabling tools that are not needed. Anthropic does not security-audit MCP servers.
Privacy notes: Tools send whatever inputs they are called with to the server; identify what data would leave the environment and to whom. Credentials for the server must be stored securely and never committed or logged; prefer a credential proxy so the agent never sees raw secrets. Confirm the server operator's data handling and retention before sending sensitive context to it.
Prerequisites:
  • The MCP server's source or documentation, transport, and tool list with input/output schemas.
  • Knowledge of who operates the server and how trusted it is.
  • The permission posture of the Claude Code project that would connect it.
Claim: Unclaimed

2. Sandbox Boundary Review Agent

Source-backed agent that reviews Claude Code's sandboxed Bash configuration for safe boundaries, checking filesystem allow/deny paths, network allowlists, unsandboxed escape hatches, excluded commands, and credential read scope, grounded in the official Claude Code sandboxing docs.

Install risk: Review first
Notes: Safety, Privacy
Category: agents
Source: source-backed
Author: JPette1783
Added: 2026-06-05
Platforms: Claude Code
Safety notes: This agent reviews sandbox configuration; it does not disable or weaken the sandbox itself. Flag broad allowWrite paths (PATH dirs, shell config), broad allowedDomains, and excludedCommands that undo isolation. Note that the default read policy can still read credential files like ~/.aws and ~/.ssh unless added to denyRead.
Privacy notes: The sandbox proxy does not inspect TLS, so a broad domain allowlist can enable exfiltration; recommend narrow domains. Recommend denyRead for credential directories and consider scrubbing provider credentials from subprocess environments. Allowing the docker socket or broad unix sockets can grant host access; flag such exceptions.
Prerequisites:
  • A Claude Code project with the Bash sandbox enabled, on macOS, Linux, or WSL2.
  • Access to the sandbox settings (filesystem, network, excludedCommands) across scopes.
  • Knowledge of which paths and network domains commands legitimately need.
Claim: Unclaimed

3. AI Code Review Security Agent - Agents

AI-powered code review specialist focusing on security vulnerabilities, OWASP Top 10, static analysis, secrets detection, and automated security best practices enforcement.

Install risk: Review first
Notes: Safety, Privacy
Category: agents
Source: source-backed
Author: JSONbored
Added: 2025-10-16
Platforms: Claude Code
Safety notes: Recommendations may include shell commands, package installs, or file edits; review and run any suggested changes yourself instead of applying them unverified.
Privacy notes: Guides Claude to read your repository files plus any code, logs, configuration, or credentials you share in the session; nothing is transmitted beyond the model, but review what you expose before sharing.
Prerequisites: none listed
Claim: Unclaimed

4. MCP Authorization Boundary Review Agent

Source-backed specialist agent for reviewing remote MCP authorization boundaries, protected resource metadata, resource indicators, token audience validation, token passthrough risk, and least-privilege scopes.

Install risk: Review first
Notes: Safety, Privacy
Category: agents
Source: source-backed
Author: JSONbored
Added: 2026-06-05
Platforms: Claude Code
Safety notes: A remote MCP server can expose tools backed by user accounts, tenant data, third-party APIs, or write-capable integrations. Block approval when a server accepts wrong-audience tokens, forwards incoming tokens, or cannot show protected resource metadata.
Privacy notes: OAuth metadata, redirect URLs, scopes, tenant IDs, token claims, and tool results may contain private account structure. Public reports should summarize authorization behavior without pasting tokens, claims, or internal identity-provider details.
Prerequisites:
  • Remote MCP server URL, intended client, and expected authorization model.
  • Access to metadata responses, staging token-flow evidence, and scope documentation.
  • Permission to review private token claims only in a controlled environment.
Claim: Unclaimed

5. Claude Plugin Marketplace Reviewer Agent

A reusable agent prompt that vets a Claude Code plugin or marketplace before a team installs it. It walks source trust, the plugin's Will-install list and bundled components (skills, agents, hooks, MCP servers, commands), the context-window cost, version pinning, and the user/project/local/managed install scope.

Install risk: Review first
Notes: Safety, Privacy
Category: agents
Source: source-backed
Author: JPette1783
Added: 2026-06-05
Platforms: Claude Code
Safety notes: Plugins and marketplaces can execute arbitrary code with the user's privileges; recommend installing only from trusted sources and reviewing the Will-install list (commands, agents, skills, hooks, MCP/LSP servers) first. Anthropic does not control what plugins contain and cannot verify they work as intended; the official marketplace is curated but community/third-party sources are not security-audited. Recommend managed marketplace restrictions and managed scope for org-wide control, and version pinning so updates are intentional.
Privacy notes: Bundled MCP servers and hooks can access local files and external services; review what each component reaches before approving install. A plugin's context cost is added to every turn; factor it into the review and prefer tool-search-friendly MCP plugins. Do not approve plugins whose source or components you cannot inspect; treat install as a supply-chain decision.
Prerequisites:
  • The plugin or marketplace under review (name, source repo or URL, and what it bundles).
  • Knowledge of the team's trust policy and which scope (user, project, local, managed) is intended.
  • Claude Code available to inspect the plugin's Will-install list and context-cost estimate.
Claim: Unclaimed
  1. MCP Server Threat Modeling Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  2. Sandbox Boundary Review Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  3. AI Code Review Security Agent - Agents
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  4. MCP Authorization Boundary Review Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  5. Claude Plugin Marketplace Reviewer Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  6. NanoClaw Container Isolation Review Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  7. Claude Code Security Guidance Remediator Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  8. Code Reviewer Agent - Agents
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  9. MCP Remote Server Security Auditor Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  10. Open Source PR Security Review Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  11. Agent SDK Production Architect Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  12. MCP Registry Metadata Reviewer Agent
    Why it made the cut

    Included because it has safety notes, privacy notes, and a source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.
