Security Auditor
A Claude Code plugin for managing a fleet of machines and running repeatable security audits over SSH. Each machine gets a persistent profile and a timestamped report history; audits can be diffed across runs to surface drift.
What it does
- Register machines with structured profiles (SSH address, OS, privilege level, purpose).
- Run security audits over SSH using Claude Code (or fall back to direct shell checks).
- Persist timestamped audit reports per machine.
- Diff successive audits to highlight new findings, resolved issues, and drift.
- List, edit, and remove machines from the fleet.
Skills
| Skill | Purpose |
|---|
add-machine | Register a new machine for auditing. |
edit-machine | Update an existing machine's profile. |
audit-machine | Run a security audit on one registered machine. |
audit-all | Audit every registered machine in one pass. |
list-machines | List the fleet — brief, detailed, with live status, or as JSON. |
view-audit-report | Display the latest (or a specified) audit report for a machine. |
compare-audits | Diff the two most recent audits for a machine and surface what changed. |
remove-machine | Deregister a machine (archived to a trash dir). |
onboard | First-run setup — verify deps, create the data dir, scaffold a first machine. |
Installation
claude plugins install security-auditor@danielrosehill
Or for project-scoped use:
claude plugins install security-auditor@danielrosehill --scope project
Requirements
bash 4.0+python3 3.6+ssh, scp with key-based authentication to each machine you want to audit- (Optional, on the remote) Claude Code — used for richer audits when present, with a shell-only fallback when not
Data storage
Machine profiles, audit reports, and the fleet log live under:
${CLAUDE_USER_DATA:-${XDG_DATA_HOME:-$HOME/.local/share}/claude-plugins}/security-auditor/data/machines/<machine-name>/
Per-machine layout:
claude-profile.json — structured profileuser-responses.json / user-responses.md — original onboarding inputsreadable-profile.md — human-readable narrative profileaudit-log.json — timestamped event logreports/<timestamp>/audit-report.md — full audit reportsreports/latest/ → symlink to the most recent report
This data persists across plugin updates.
Audit coverage
The default audit checklist covers seven domains:
- Antivirus / endpoint protection presence and configuration
- Automatic security update status
- Rootkit / IOC detection tooling
- File and directory permission posture
- User account hygiene (sudo, idle accounts, password policy)
- Network exposure (firewall, open ports, listening services)
- Auxiliary hardening (fail2ban, SSH config, etc.)
The checklist is currently Linux-shaped. macOS and Windows targets work with caveats — flag any false positives via the repo's issue tracker.
Quick start
/security-auditor:onboard — verifies dependencies and creates the data dir./security-auditor:add-machine — register your first machine./security-auditor:audit-machine <machine-name> — run the audit./security-auditor:view-audit-report <machine-name> — read the report.
Status
Initial release: ports the upstream Claude-Code-Security-Auditor toolkit into a Claude Code plugin. The vendored bash scripts under scripts/ retain their original interface for direct use; the skills wrap them with the plugin's data-storage convention.
Licence
MIT — see LICENSE.
