Security Auditor

April 30, 2026 · View on GitHub

A Claude Code plugin for managing a fleet of machines and running repeatable security audits over SSH. Each machine gets a persistent profile and a timestamped report history; audits can be diffed across runs to surface drift.

What it does

  • Register machines with structured profiles (SSH address, OS, privilege level, purpose).
  • Run security audits over SSH using Claude Code (or fall back to direct shell checks).
  • Persist timestamped audit reports per machine.
  • Diff successive audits to highlight new findings, resolved issues, and drift.
  • List, edit, and remove machines from the fleet.

Skills

SkillPurpose
add-machineRegister a new machine for auditing.
edit-machineUpdate an existing machine's profile.
audit-machineRun a security audit on one registered machine.
audit-allAudit every registered machine in one pass.
list-machinesList the fleet — brief, detailed, with live status, or as JSON.
view-audit-reportDisplay the latest (or a specified) audit report for a machine.
compare-auditsDiff the two most recent audits for a machine and surface what changed.
remove-machineDeregister a machine (archived to a trash dir).
onboardFirst-run setup — verify deps, create the data dir, scaffold a first machine.

Installation

claude plugins install security-auditor@danielrosehill

Or for project-scoped use:

claude plugins install security-auditor@danielrosehill --scope project

Requirements

  • bash 4.0+
  • python3 3.6+
  • ssh, scp with key-based authentication to each machine you want to audit
  • (Optional, on the remote) Claude Code — used for richer audits when present, with a shell-only fallback when not

Data storage

Machine profiles, audit reports, and the fleet log live under:

${CLAUDE_USER_DATA:-${XDG_DATA_HOME:-$HOME/.local/share}/claude-plugins}/security-auditor/data/machines/<machine-name>/

Per-machine layout:

  • claude-profile.json — structured profile
  • user-responses.json / user-responses.md — original onboarding inputs
  • readable-profile.md — human-readable narrative profile
  • audit-log.json — timestamped event log
  • reports/<timestamp>/audit-report.md — full audit reports
  • reports/latest/ → symlink to the most recent report

This data persists across plugin updates.

Audit coverage

The default audit checklist covers seven domains:

  1. Antivirus / endpoint protection presence and configuration
  2. Automatic security update status
  3. Rootkit / IOC detection tooling
  4. File and directory permission posture
  5. User account hygiene (sudo, idle accounts, password policy)
  6. Network exposure (firewall, open ports, listening services)
  7. Auxiliary hardening (fail2ban, SSH config, etc.)

The checklist is currently Linux-shaped. macOS and Windows targets work with caveats — flag any false positives via the repo's issue tracker.

Quick start

  1. /security-auditor:onboard — verifies dependencies and creates the data dir.
  2. /security-auditor:add-machine — register your first machine.
  3. /security-auditor:audit-machine <machine-name> — run the audit.
  4. /security-auditor:view-audit-report <machine-name> — read the report.

Status

Initial release: ports the upstream Claude-Code-Security-Auditor toolkit into a Claude Code plugin. The vendored bash scripts under scripts/ retain their original interface for direct use; the skills wrap them with the plugin's data-storage convention.

Licence

MIT — see LICENSE.