Reviews Claude configuration files for security, structure, and prompt engineering quality. Use when reviewing changes to CLAUDE.md files (project-level or .claude/), skills (SKILL.md), agents, prompts, commands, or settings. Validates YAML frontmatter, progressive disclosure patterns, token efficiency, and security best practices. Detects critical issues like committed settings.local.json, hardcoded secrets, malformed YAML, broken file references, oversized skill files, and insecure agent tool access.
View on GitHubbitwarden/ai-plugins
claude-config-validator
January 21, 2026
Select agents to install to:
npx add-skill https://github.com/bitwarden/ai-plugins/blob/main/plugins/claude-config-validator/skills/reviewing-claude-config/SKILL.md -a claude-code --skill reviewing-claude-configInstallation paths:
.claude/skills/reviewing-claude-config/# Reviewing Claude Configuration ## Instructions **IMPORTANT**: Use structured thinking throughout your review process. Plan your analysis before providing feedback. This improves accuracy and catches critical security issues. ### Step 1: Detect File Type <thinking> Analyze the changed files: 1. Which .claude files were modified? 2. What file types? (CLAUDE.md, skills, agents, prompts, commands, settings) 3. Are there immediate security concerns? 4. What's the review scope (single file or multiple)? </thinking> Determine the primary file type(s) being reviewed: **Detection Rules**: - **Agents**: Changes to `.claude/agents/*.md` or `plugins/*/agents/*.md` - **Skills**: Changes to `skill.md` files or skill support files (checklists, references, examples) - **CLAUDE.md**: Changes to `CLAUDE.md` files (any location: project root, `.claude/`, or subdirectories) - **Prompts/Commands**: Changes to `.claude/prompts/*.md` or `.claude/commands/*.md` - **Settings**: Changes to `.claude/settings.json` or `.claude/settings.local.json` If multiple types modified, review each with appropriate checklist. ### Step 2: Execute Security Scan (ALWAYS) <thinking> Security first, regardless of file type: 1. Is settings.local.json committed to git? 2. Any hardcoded secrets (passwords, tokens, API keys)? 3. Are permissions appropriately scoped (if settings modified)? 4. Any suspicious patterns in changed files? </thinking> **CRITICAL CHECKS** (perform for ALL Claude config reviews): Run these mental checks immediately: - [ ] settings.local.json NOT in git (check changed files list) - [ ] No hardcoded credentials in any modified files - [ ] Permissions scoped appropriately (if settings.json modified) - [ ] No API keys, tokens, or passwords in plaintext **If ANY security issue found**: Flag as **CRITICAL** immediately, stop and report. Consult `reference/security-patterns.md` for detailed security checks and detection commands. ### Step 3: Load Appropriate Checklist Based on