quietscope is a premium, privacy-first, local-only defensive audit dashboard and CLI security analyzer for system security settings, storage hygiene, and local AI-agent risk surfaces.
In the era of AI coding assistants (like Cursor, Claude Code, Cline, and aider), your local filesystem is exposed to new risk vectors: malicious auto-loaded instructions (.cursorrules, CLAUDE.md), permissive local MCP server configurations, and exposed API tokens. quietscope inventories these risks, checks standard OS security parameters, performs safe dry-run cleanups, and generates a self-contained interactive HTML dashboard—100% locally with zero telemetry.
Important
Privacy-First Local Guarantee
- Zero Telemetry: No tracking, no phone-home, no cookies, and no third-party CDN assets.
- Exposed Secrets Obfuscation: Environment variables with sensitive credentials (e.g., `ANTHROPIC_API_KEY`) are dynamically masked (`***MASKED***`) in the report DOM. We never read private keys, SSH files, or actual `.env` contents.
- Safe Execution: All OS command evaluations pass through a strict argument-array runner without launching shell wrappers like `sh -c`.
- 🤖 AI & MCP Agent Security Audit: Inspects settings for Cursor, Claude Desktop/Code, Gemini, Antigravity, Cline/Roo, aider, LM Studio, and Ollama. Flags unsafe execution permissions, remote unpinned packages, and credentials exposed in agent rules.
- 🗃️ AI Skills & Rules Inventory: Scans `.cursorrules`, `.cursor/rules`, `CLAUDE.md`, `AGENTS.md`, `GEMINI.md`, `.agents`, `.gemini/skills`, and manifests to estimate context impact and flag prompt-injection or suspicious patterns.
- 🕹️ AI Control Center: Local web, desktop, and HTML reports now expose manageable skills/guides/rules/prompts, MCP servers, caches, and models with preview/diff/backup-first actions. Static HTML reports show the same actions disabled with clear reasons.
- 🛡️ System Security Audit: Audits SIP, Gatekeeper, FileVault, sharing services, SSH configurations, cron persistence, and OS auto-updates (fully optimized for macOS; initial modules for Linux systemd/sudoers and Windows Defender/UAC).
- 🧹 Storage Hygiene & Safe Cleanup: Scans system logs, caches, Xcode DerivedData, simulator footprints, and package manager wastes. Provides a safe dry-run first and requires explicit verification to delete anything.
- 🌐 Local Web Controller & HTML UI: Runs a local control server (`127.0.0.1` only) to configure, execute, and view beautifully structured interactive audits.
- 🎨 Wails Desktop Application: Developer preview of a fully native, glassmorphic cross-platform GUI wrapper.
- Every write, delete, disable, cleanup, and restore action goes through allowlist checks, symlink blocking, preview/diff, and a backup created before mutation.
- MCP server changes are structural for JSON, TOML, and YAML configs. Quietscope lists `mcpServers`, `servers`, `command`, `args`, `env` keys, `serverUrl`, and related URL/transport fields without executing any discovered command.
- Skills, guides, rules, and prompts can be read or edited only when they are safe text artifacts under known AI-tool paths or the selected project root. Secret paths, `.env` files, Keychain data, and SSH/private keys are blocked.
- Caches/logs are marked cleanable only when they match the cleanup allowlist. Local model directories are manual-only by default, even when they are large.
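One way to implement the allowlist check, symlink blocking, and backup-before-mutation described in the list above, as an added Go example (not quietscope's own code). `GuardedWrite`, the `.bak` suffix, and the scratch files are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// GuardedWrite overwrites path only if it is a regular file under an allowlisted
// root and no path component is a symlink; the old content is backed up first.
func GuardedWrite(roots []string, path string, data []byte) (string, error) {
	abs, err := filepath.Abs(path)
	if resolved, e := filepath.EvalSymlinks(abs); err != nil || e != nil || resolved != abs {
		return "", errors.New("blocked: path is missing or crosses a symlink")
	}
	allowed := false
	for _, root := range roots { // roots: absolute, symlink-free directories
		rel, err := filepath.Rel(root, abs)
		allowed = allowed || (err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
	}
	info, err := os.Lstat(abs)
	if !allowed || err != nil || !info.Mode().IsRegular() {
		return "", errors.New("blocked: outside allowlist or not a regular file")
	}
	old, err := os.ReadFile(abs)
	if err != nil {
		return "", err
	}
	backup := abs + ".bak" // backup naming is an assumption of this example
	if err := os.WriteFile(backup, old, 0o600); err != nil {
		return "", fmt.Errorf("backup failed, target untouched: %w", err)
	}
	return backup, os.WriteFile(abs, data, info.Mode().Perm())
}

func main() {
	root, _ := os.MkdirTemp("", "guard-demo") // constructed scratch directory
	root, _ = filepath.EvalSymlinks(root)
	defer os.RemoveAll(root)
	rules, link := filepath.Join(root, "CLAUDE.md"), filepath.Join(root, "link.md")
	os.WriteFile(rules, []byte("old rules\n"), 0o644)
	os.Symlink(rules, link)
	backup, err := GuardedWrite([]string{root}, rules, []byte("new rules\n"))
	fmt.Println("regular file: backup =", backup, "err =", err)
	_, err = GuardedWrite([]string{root}, link, []byte("x"))
	fmt.Println("symlink:", err)
}
```

The check and the write are separate steps, so a path swapped in between is not caught; this example does not address that race.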
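A structural inventory of an MCP JSON config along the lines of the MCP bullet above, as an added Go example (not quietscope's own code). It covers only the `mcpServers` key of a JSON file; the `Server` type, the `npx` first-non-flag-argument heuristic for unpinned packages, and the sample config are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Server is one inventoried MCP entry; JSON keys match field names case-insensitively.
type Server struct {
	Command, ServerURL string
	Args               []string
	Env                map[string]json.RawMessage // dropped after the key names are read
	EnvKeys, Findings  []string                   `json:"-"`
}

// Inventory lists the entries under "mcpServers". It only parses; nothing is executed.
func Inventory(data []byte) (map[string]Server, error) {
	var doc struct{ MCPServers map[string]Server }
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("parse MCP config: %w", err)
	}
	for name, s := range doc.MCPServers {
		for key := range s.Env {
			s.EnvKeys = append(s.EnvKeys, key) // key names only, never values
		}
		sort.Strings(s.EnvKeys)
		s.Env = nil
		for _, a := range s.Args {
			if s.Command == "npx" && !strings.HasPrefix(a, "-") { // first non-flag arg is the package
				if at := strings.LastIndex(a, "@"); at <= 0 || a[at+1:] == "latest" {
					s.Findings = append(s.Findings, "unpinned package: "+a)
				}
				break
			}
		}
		doc.MCPServers[name] = s
	}
	return doc.MCPServers, nil
}

const sample = `{"mcpServers": {
  "files": {"command": "npx", "args": ["-y", "@example/fs-server"], "env": {"API_TOKEN": "constructed-value"}},
  "pinned": {"command": "npx", "args": ["-y", "example-server@1.4.2"]}, "remote": {"serverUrl": "https://mcp.example.test/sse"}
}}` // constructed sample: server names, packages, URL and token are made up

func main() {
	fmt.Println(Inventory([]byte(sample)))
}
```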
```bash
# Clone the repository
git clone https://github.com/hemp-dev/quietscope.git
cd quietscope

# Build CLI core
go build -o quietscope ./cmd/quietscope
```

```bash
# Run a safe, non-root system & AI audit generating all report formats
./quietscope --all-reports --no-sudo

# Open the self-contained local HTML report
open ~/Desktop/quietscope-desktop-audit-*/report.html
```

```bash
# Start the local controller on localhost:8080
./quietscope --ui
```

| Command Flag | Description | Default / Details |
|---|---|---|
| `--all-reports` | Save TXT, JSON, and HTML reports in the output directory. | Enabled by default |
| `--ui` | Start local audit control UI on a local loopback server. | `127.0.0.1:8080` only |
| `--deep` | Enable deeper security scan of project file contents. | Off |
| `--no-sudo` | Do not invoke or request sudo permissions. | Recommended for daily scans |
| `--clean-dry-run` | List cleanable system caches and logs without deleting anything. | Safe dry-run |
| `--clean-confirm` | Execute cleanup (requires typing interactive safety phrase). | Interactive only |
| `--output DIR` | Custom directory to save generated reports. | `~/Desktop` |
| `--project-root DIR` | Scan an additional local codebase for risky `.cursorrules` files. | Optional |
| `--max-file-size-mb N` | Limit size of scanned text files in Megabytes. | 5 |
| `--version` | Print quietscope version. | - |

| Operating System | Support Level | Core Scans Available |
|---|---|---|
| 🍏 macOS (Darwin) | Full (Primary) | SIP, Gatekeeper, FileVault, launchd persistence, permissions, cache cleanup, AI/MCP audit, interactive HTML. |
| 🐧 Linux | Initial Support | systemd units, cron paths, SSH/sudoers metadata, autostart entries, cache dry-run, AI/MCP audit. |
| 🪟 Windows | Basic Support | Defender, Firewall, UAC status, startup folder registries, local model inventory, basic reports. |
We are building a beautiful native desktop app using Wails. To compile and test it:
- Install Wails CLI:
  ```bash
  go install github.com/wailsapp/wails/v2/cmd/wails@latest
  ```
- Navigate to `desktop/` and run dev hot-reloading:
  ```bash
  cd desktop
  wails dev
  ```
- To compile a native production binary:
  ```bash
  wails build
  ```
Contributions are welcome! Please read CONTRIBUTING.md to learn how to add new security checks, write cross-platform checks, or improve the Wails UI.
This project is licensed under the MIT License - see the LICENSE file for details.


