AI Security

Mar 5, 2026

A Security Audit for Your Claude Code Setup

Written by: Ryan Kris, Chief AI Officer, simplefy.ai



If you use Claude Code with MCP servers, OAuth tokens, or third-party plugins, you should know what's actually exposed on your machine.

MCP servers run locally with your credentials. OAuth tokens sit on disk. Permissions accumulate session after session. And there's no built-in way to audit any of it.

At simplefy.ai, we built local-security to give you and your team that visibility. It's not a security scanner or intrusion detection system — it's a hygiene audit that catches preventable issues before they become problems.



What It Does

Two skills, different jobs.

/local-security:local-setup scans your environment and generates a security assessment. It discovers every MCP server, inventories your credential files, maps your Anthropic privacy settings, and classifies each server's trust level. Discovery only — it documents what exists without judging it.

/local-security:local-review runs automated checks and flags issues. Disk encryption, dependency vulnerabilities, file permissions, embedded credentials in permission entries, unpinned remote servers, stale tokens. Each check reports PASS, WARN, or FAIL. Run it monthly or after any configuration change.



Three Risks That Matter

Everything this plugin checks maps to three real risks for local Claude Code setups:

  1. Supply chain — Is the code running with your credentials auditable and trusted? Unaudited MCP servers pulled from PyPI or npm could intercept tokens or log data.

  2. Credential storage — Are your OAuth tokens and API keys properly protected on disk? File permissions and gitignore coverage matter.

  3. Scope creep — Do your MCP tools have broader access than they need? Write tools with global scope let Claude modify external systems from any project.

Wire encryption and provider-side security are handled by TLS. This plugin focuses on what you control locally.
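To make the credential-storage risk concrete, here is an added example (not the plugin's own code) of how two of the checks named above could report PASS, WARN, or FAIL: file permissions and staleness on a token file, and embedded credentials in permission entries. The 90-day threshold, the use of file modification time as a proxy for token age, the secret patterns, the `permissions.allow` layout, and all sample data are assumptions constructed for illustration; it expects a POSIX filesystem.

```python
import os, re, stat, tempfile, time

# Assumed patterns for secrets pasted into permission entries (illustrative, not exhaustive).
SECRET_RE = re.compile(
    r"(?i)(bearer\s+[a-z0-9._\-]{16,}|(api[_-]?key|token|secret|password)\s*[=:]\s*\S{8,})"
)

def check_credential_file(path, max_age_days=90, now=None):
    """FAIL if group/other can access the file, WARN if it is stale, else PASS."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "FAIL", f"mode {stat.S_IMODE(st.st_mode):04o} exposes file beyond owner"
    # Assumption: last-modified time approximates when the token was last rotated.
    age_days = ((now or time.time()) - st.st_mtime) / 86400
    if age_days > max_age_days:
        return "WARN", f"not rotated for {age_days:.0f} days"
    return "PASS", "owner-only and recently written"

def check_permission_entries(settings):
    """Flag allow-list entries that carry a literal secret."""
    entries = settings.get("permissions", {}).get("allow", [])
    hits = [e for e in entries if SECRET_RE.search(e)]
    return ("FAIL", hits) if hits else ("PASS", [])

def demo():
    # Constructed sample data; real paths and thresholds are site-specific.
    settings = {"permissions": {"allow": [
        "Bash(git status)",
        "Bash(curl -H 'Authorization: Bearer EXAMPLEEXAMPLEEXAMPLE1234' https://api.example.invalid)",
    ]}}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        token = os.path.join(d, "oauth_token.json")
        with open(token, "w") as f:
            f.write('{"access_token": "constructed-sample"}')
        os.chmod(token, 0o644)  # readable by group and other
        results["world_readable"] = check_credential_file(token)[0]
        os.chmod(token, 0o600)  # owner-only
        results["owner_only"] = check_credential_file(token)[0]
        old = time.time() - 120 * 86400  # backdate the file by 120 days
        os.utime(token, (old, old))
        results["stale"] = check_credential_file(token)[0]
    results["permissions"] = check_permission_entries(settings)[0]
    return results

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```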



Install

Two commands inside Claude Code:

/plugin marketplace add simplefy-ai/local-security
/plugin install local-security@simplefy-ai

Restart Claude Code, then run /local-security:local-setup to get started.

The plugin is open source, has no dependencies, and makes no network calls. You can read every line before you run it.

Source code and documentation: github.com/simplefy-ai/local-security



Want Help With AI Security?

Safe. Simple. AI. — that's how we think every team should be able to adopt these tools. If you're an Australian SMB looking for help with AI governance, secure deployment, or building confidence in how your team uses AI — book a discovery call with our team.