Skill

audit-settings

Audits Claude Code settings.json files for syntax, schema compliance, permissions, sandbox settings, env vars, and exposed secrets. Validates configs before deployment.

VS Code

Bash

code-quality

security

developer-tools

npx claudepluginhub melodic-software/claude-code-plugins --plugin claude-ecosystem

Configuration

Model: opus

Tool Access

This skill is limited to using the following tools:

ReadBashGlobGrepTask

Preview

Audit Claude Code settings.json files for quality, compliance, and security.

SKILL.md

Similar Skills

claudit

Audits Claude Code configurations for best practices in skills, instructions, MCP servers, hooks, plugins, security, over-engineering, and context efficiency via file scans and focused checks. Invoke with /claudit [focus-area].

3 files8 tools

claudit

audit-rules

Audits .claude/rules/*.md files for quality, compliance, glob validity, naming, and structure using subagents. Use when creating, validating rules, or troubleshooting loading issues.

5 tools

claude-ecosystem

meta-audit

Audits Claude subagent configurations in .claude/agents/ for frontmatter completeness, tool assignment security, privilege risks, and naming consistency.

3 tools

agent-patterns-plugin

Stats

Parent Repo Stars40

Parent Repo Forks6

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Audit Settings Command

Audit Claude Code settings.json files for quality, compliance, and security.

Initialization

Before auditing, initialize the environment:

Get the current UTC date, capture the project root path, ensure the temp directory exists, and clean up stale audit files. The settings-management skill provides authoritative validation guidance (auto-loaded when this command runs).

What Gets Audited

JSON syntax validity
Schema compliance (valid settings options)
Permission rules configuration
Sandbox settings
Environment variable configuration
Security (no exposed secrets)

Command Arguments

Argument	Description
(none)	Audit all discoverable settings files
`project`	Only audit `.claude/settings.json`
`user`	Only audit `~/.claude/settings.json`
`all`	Audit all scopes explicitly
`--force`	Audit regardless of modification status
`--skip-validation`	Skip finding validation (faster, but may include false positives)

Step 1: Discover Settings Files

Check project settings (.claude/settings.json), user settings (~/.claude/settings.json on Unix, %USERPROFILE%\.claude\settings.json on Windows), and plugin settings in marketplace repos.

Step 2: Parse Arguments

Parse scope selector and --force flag. Filter files to match requested scope.

Step 3: Present Audit Plan

Display mode, files discovered, and list with scope and last modified date.

Step 4: Execute Audits

For each file, spawn the settings-auditor subagent with scope, path, and last audit date. Run in parallel when multiple exist.

Subagents write findings to .claude/temp/. The main conversation thread collects results and updates audit logs using its Write/Edit tools.

Step 4.5: Validate Findings

Unless --skip-validation flag is present:

Spawn the audit-finding-validator agent with:
- project_root: The captured project root path
- audit_type: "settings"
- audit_files: List of .claude/temp/audit-*-settings-*.json file paths
Wait for validation to complete
Read updated JSON files with validation results
Filter out FALSE_POSITIVE findings completely before aggregation
Note: Filtered findings are logged to .claude/temp/audit-filtered-findings.json

If --skip-validation flag is present:

Skip validation phase entirely (current speed preserved)
Present all findings without filtering
Note in summary: "Validation: Skipped"

Step 5: Final Summary

Report total audited by scope, results, and details table. List security alerts with remediation.

Include validation statistics (if validation was performed):

Validation performed: Yes/No
Findings validated: X
False positives filtered: Y
Verified findings: Z
Unverified findings: W

Security Considerations

Scope	Credentials Found	Result
Project	Yes	CRITICAL - version controlled
User	Yes	WARNING - not version controlled

Project settings should NEVER contain API keys or tokens (version controlled).

Cross-Platform Paths

Platform	User Settings
Unix	`~/.claude/settings.json`
Windows	`%USERPROFILE%\.claude\settings.json`

Audit Log Location

All audit results are written to .claude/audit/settings.md.

Use /audit-log settings to view current audit status.

Example Usage

Example 1: Audit All Settings Files

User: /audit-settings

Claude: Discovering settings files...

## Audit Plan
**Mode**: SMART
**Files discovered**: 2

1. [project] .claude/settings.json
2. [user] ~/.claude/settings.json

[Spawns settings-auditor subagents]

## Audit Complete
| Scope | File | Result | Score |
| --- | --- | --- | --- |
| project | .claude/settings.json | PASS | 100/100 |
| user | ~/.claude/settings.json | PASS | 98/100 |

Example 2: Audit Project Only

User: /audit-settings project
Claude: Auditing project settings...