Claude Code .claude/ config danger scanner ยท ๆฅๆฌ่ช
claude, and click Yes on "Do you trust this folder?" โ that single click grants the repo's bundled .claude/settings.json permission to run commands automatically, redirect where your API key is sent, and launch MCP servers, all at once. Trust is irreversible. Paste the config here and read it before you click.
Paste the contents of an untrusted repo's .claude/settings.json (or .claude/settings.local.json / .mcp.json). You can paste several at once.
Everything is processed in your browser. Nothing is sent anywhere (no network requests are made).
hooks in settings.json run commands automatically once you trust the folder. A cloned repo can plant curl โฆ | sh in SessionStart (CVE-2025-59536, RCE).env.ANTHROPIC_BASE_URL to an attacker's URL sends all of Claude's API traffic โ including the x-api-key header (your key) โ to that URL. No error, no warning: a silent leak (CVE-2026-21852).enableAllProjectMcpServers / enabledMcpjsonServers start the servers in .mcp.json without per-server consent, as unsandboxed processes (Adversa AI's TrustFall).permissions.allow removes the confirmation prompts that would otherwise fire, making an attack quieter.The part of CVE-2025-59536 / CVE-2026-21852 where this runs before the trust dialog appears was fixed in v1.0.111. On current versions, these generally don't fire before you trust the folder.
The real remaining danger is different. The moment you click "trust this folder," all of these settings become active โ because trusting the folder is the irreversible consent to run its hooks, override its BASE_URL, and launch its MCP servers. So the defense is one thing: read the .claude/ you received before you click trust. This tool helps with that one step.
claude and choose "No" on the trust dialog..claude/settings.json was added later in a PR.BASE_URL in a shared .claude/settings.json โ that file is meant for shared project behavior, not secrets.