Is Claudit Sec safe to use?

Claudit Sec has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under Apache-2.0.

How do I install Claudit Sec?

Claudit Sec can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with Claudit Sec?

Claudit Sec is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.

Is Claudit Sec actively maintained?

Claudit Sec is actively maintained — last commit was 18 days ago. It has 253 GitHub stars.

Claudit Sec

Name: Claudit Sec
Author: HarmonicSecurity

by HarmonicSecurity

Security audit tool for Claude Desktop and Claude Code on macOS — single-command visibility into MCP servers, extensions, plugins, connectors, scheduled tasks, and permissions.

253 0 tools GitHub

No known CVEs

Apache-2.0 license

Actively maintained

Last commit 18d ago

Works with most clients

Transport: stdio, sse

0 tools

Grade F

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "claudit-sec": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/claudit-sec)](https://mcppedia.org/s/claudit-sec)

Read me

What Claudit Sec does

Security audit tool for Claude Desktop on macOS and Windows — including CoWork, extensions, plugins, MCP servers, connectors, and scheduled tasks.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

40/100across 5 weighted dimensions

How we score →

0255075100

−60

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Claudit Sec safe to use?: Claudit Sec has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under Apache-2.0.
How do I install Claudit Sec?: Claudit Sec can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with Claudit Sec?: Claudit Sec is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.
Is Claudit Sec actively maintained?: Claudit Sec is actively maintained — last commit was 18 days ago. It has 253 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

9.0k 3

io.github.jasonxkensei/xproof92

Proof primitive for AI agents on MultiversX. Anchor file hashes on-chain as verifiable proofs.

1 1

Mcpki Server92

mcpki-server is the backend infrastructure for https://www.mcpki.org, enabling secure public key management and autonomous certificate handling for large language models (LLMs).

MCP Security Weekly

Get CVE alerts and security updates for Claudit Sec and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "claudit-sec": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/claudit-sec)](https://mcppedia.org/s/claudit-sec)

Read me

What Claudit Sec does

Security audit tool for Claude Desktop on macOS and Windows — including CoWork, extensions, plugins, MCP servers, connectors, and scheduled tasks.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

README

🛡️ CLAUDIT-SEC

Security audit tool for Claude Desktop on macOS and Windows — including CoWork, extensions, plugins, MCP servers, connectors, and scheduled tasks.

One command. Full visibility. Read-only.

⚠️ Windows support is a work in progress. We're aware of a few kinks and bugs and wanted to get something out sooner rather than later. Community feedback and contributions are welcome.

🤔 Why

Claude Desktop introduces a new class of endpoint risk: AI agents with autonomous execution, persistent scheduled tasks, MCP server integrations, browser-control extensions, and OAuth-authenticated connectors to external services. Most of this configuration lives in JSON files scattered across multiple directories with no centralised visibility.

CLAUDIT gives you that visibility in a single command.

📝 A note on "Code": Claude Desktop includes a built-in agent coding feature called Code (visible in the app's sidebar). This is not the same as Claude Code, the standalone terminal CLI. CLAUDIT primarily audits Claude Desktop and its CoWork features. It does include a basic check of the Claude Code settings file (~/.claude/settings.json on macOS, %USERPROFILE%\.claude\settings.json on Windows), but the focus is squarely on the Desktop app.

📋 What It Audits

Area	What's Checked
🖥️ Desktop Settings	`keepAwakeEnabled`, sidebar/menuBar preferences
🤖 CoWork Settings	Scheduled tasks, web search, browser use, dispatch (mobile→desktop), network mode, egress policy, enabled plugins, marketplaces
🏢 Workspaces	Multi-workspace detection, account names, session counts, org indicators (DXT-managed, org-plugins, dispatch-bridge)
🔌 MCP Servers	Server names, commands, arguments, environment variable keys
🧩 Extensions (DXT)	Installed extensions, signature status, dangerous tool grants
⚙️ Extension Settings	Per-extension allowed directories and configuration
🚦 Extension Governance	Allowlist enabled/disabled, blocklist entries
📦 Plugins	Installed, remote (org-deployed), cached (downloaded)
🪝 Plugin Hooks	Lifecycle hooks executing shell commands (PreToolUse, PostToolUse, Stop, etc.)
🔗 Connectors	OAuth-authenticated web services, desktop integrations
🎯 Skills	User-created, scheduled, session-local, and plugin skills across 9 paths
⏰ Scheduled Tasks	Task names, cron expressions (with plain English translation)
🔐 App Config	Network mode, extension allowlist/blocklist keys, device identifiers
📲 Dispatch	Bridge state (OFF/CONFIGURED/ON), active session detection via `hostLoopMode` and `bridge-state.json`
🔇 Disabled MCP Tools	Per-session tools explicitly disabled (with dangerous tool callout)
🏃 Runtime State	Running processes, sleep assertions, LaunchAgents, crontab entries
🍪 Cookies	`Cookies` and `Cookies-journal` presence

📖 For a detailed breakdown of every individual check, what it means, and why it matters, see the Findings Reference.

⚡ Getting Started

Prerequisites

macOS:

Requirement	How to check	How to install
🍎 macOS	You're on a Mac	—
🐚 zsh	`zsh --version`	Ships with macOS since Catalina
🔧 jq	`jq --version`	`brew install jq`

Windows:

Requirement	How to check	How to install
🪟 Windows 10/11	You're on a PC	—
⚡ PowerShell 5.1+	`$PSVersionTable.PSVersion`	Ships with Windows 10+
—	No additional dependencies	Fully self-contained

Install & Run

macOS:

git clone https://github.com/HarmonicSecurity/claudit-sec.git
cd claudit-sec
chmod +x claude_audit.sh
./c

... [View full README on GitHub](https://github.com/HarmonicSecurity/claudit-sec#readme)

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

40/100across 5 weighted dimensions

How we score →

0255075100

−60

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Claudit Sec safe to use?: Claudit Sec has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under Apache-2.0.
How do I install Claudit Sec?: Claudit Sec can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with Claudit Sec?: Claudit Sec is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse transport.
Is Claudit Sec actively maintained?: Claudit Sec is actively maintained — last commit was 18 days ago. It has 253 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

9.0k 3

io.github.jasonxkensei/xproof92

Proof primitive for AI agents on MultiversX. Anchor file hashes on-chain as verifiable proofs.

1 1

Mcpki Server92

mcpki-server is the backend infrastructure for https://www.mcpki.org, enabling secure public key management and autonomous certificate handling for large language models (LLMs).

MCP Security Weekly

Get CVE alerts and security updates for Claudit Sec and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?