Supported File Types
BouncerFox scans 15 file types across three AI-agent ecosystems. This page is the authoritative reference for what each file is, which tool consumes it, and why it matters for security.
Claude Code
These files configure Claude Code, Anthropic's CLI agent.
CLAUDE.md
Project-level context file that Claude Code reads automatically when it starts in a directory. Contains instructions, conventions, and background information that shape the agent's behavior across the entire project.
- Used by: Claude Code
- Security surface: Can contain instructions that override agent behavior or inject malicious directives into the agent's context window.
CLAUDE.local.md
Same format as CLAUDE.md but intended for developer-specific overrides that are not committed to version control. Claude Code reads both files, with the local file taking precedence.
- Used by: Claude Code
- Security surface: Can override project-level instructions with attacker-controlled directives. Because it is typically gitignored, changes may evade code review.
.claude/agents/*.md
Markdown files that define named agents with specific roles, tools, and instructions. Each file creates a selectable agent persona within Claude Code.
- Used by: Claude Code
- Security surface: Controls which tools an agent can access and what instructions it follows, allowing an attacker to craft a malicious agent definition.
.claude/commands/*.md
Legacy command definitions that register slash commands within Claude Code. Each file defines a reusable prompt template that users can invoke by name.
- Used by: Claude Code (legacy)
- Security surface: Can embed arbitrary instructions that execute when a user invokes the command, enabling prompt injection through shared command definitions.
.claude/settings*.json
JSON configuration files that control Claude Code's permissions, hooks, and MCP server integrations. The glob pattern matches settings.json, settings.local.json, and similar variants.
- Used by: Claude Code
- Security surface: Controls which shell commands the agent can execute, which MCP servers it connects to, and which lifecycle hooks run automatically.
.claude/rules/**/*.md
Modular rule files with optional YAML frontmatter that scopes each rule to specific file paths. Claude Code loads matching rules based on the files being edited.
- Used by: Claude Code
- Security surface: Can inject context-dependent instructions that activate only when specific files are touched, enabling targeted prompt injection.
SKILL.md
Skill definition files with YAML frontmatter that declare reusable capabilities. Skills define a name, description, and instructional body that agents can invoke.
- Used by: Claude Code
- Security surface: Can contain instructions that execute in the agent's context when the skill is invoked, including shell commands or tool calls.
.claude-plugin/plugin.json
JSON manifest that declares a Claude Code plugin's metadata, entry points, and required permissions.
- Used by: Claude Code plugin system
- Security surface: Declares the permissions and capabilities a plugin requests, which may include shell access or network access.
hooks/hooks.json
JSON configuration that defines lifecycle hooks for Claude Code plugins. Hooks run shell commands at specific points in the agent's execution cycle (e.g., before/after tool use).
- Used by: Claude Code plugin system
- Security surface: Specifies shell commands that execute automatically during agent operations, enabling arbitrary code execution if tampered with.
MCP / LSP
These files configure external tool servers that AI agents connect to.
.mcp.json
JSON configuration that declares Model Context Protocol (MCP) servers. MCP servers expose tools, resources, and prompts that agents can call at runtime.
- Used by: Claude Code, Cursor, and other MCP-compatible agents
- Security surface: Controls which external servers the agent connects to and which tools become available, enabling supply-chain attacks through malicious server definitions.
.lsp.json
JSON configuration that declares Language Server Protocol (LSP) servers. LSP servers provide code intelligence features (completions, diagnostics, hover info) to the agent.
- Used by: Claude Code and other LSP-compatible agents
- Security surface: Controls which language servers the agent communicates with, allowing an attacker to route code intelligence through a malicious server.
Other AI Agents
These files configure non-Claude AI agents and assistants.
.cursorrules
Plain-text instruction file read by Cursor, an AI-powered code editor. Contains project-level rules and conventions that guide the Cursor agent's behavior.
- Used by: Cursor
- Security surface: Can contain instructions that override agent behavior or inject malicious directives into the agent's context.
.windsurfrules
Plain-text instruction file read by Windsurf (formerly Codeium), an AI-powered code editor. Equivalent to .cursorrules but for the Windsurf agent.
- Used by: Windsurf
- Security surface: Can contain instructions that override agent behavior or inject malicious directives into the agent's context.
.github/copilot-instructions.md
Markdown file read by GitHub Copilot to customize its behavior within a repository. Provides project-specific coding conventions and constraints.
- Used by: GitHub Copilot
- Security surface: Can contain instructions that influence Copilot's code suggestions across the entire repository, enabling prompt injection through a committed file.
AGENTS.md
Agent definition file read by Gemini in supported environments. Defines agent behavior, tools, and constraints for Google's AI agent.
- Used by: Gemini
- Security surface: Controls agent behavior and tool access, allowing an attacker to manipulate Gemini's actions through a committed file.
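To put this reference to work during a repository review, the following added example (not BouncerFox's own code) inventories a checkout for the 15 patterns listed on this page, grouped by the page's three sections. The helper names are hypothetical, and matching a pattern at any directory depth is an assumption the page does not state.

```python
import os
import re
from pathlib import Path

# Patterns copied from this page, grouped by its three sections.
PATTERNS = {
    "Claude Code": [
        "CLAUDE.md", "CLAUDE.local.md", ".claude/agents/*.md",
        ".claude/commands/*.md", ".claude/settings*.json",
        ".claude/rules/**/*.md", "SKILL.md",
        ".claude-plugin/plugin.json", "hooks/hooks.json",
    ],
    "MCP / LSP": [".mcp.json", ".lsp.json"],
    "Other AI Agents": [
        ".cursorrules", ".windsurfrules",
        ".github/copilot-instructions.md", "AGENTS.md",
    ],
}

# '**/' spans zero or more directories; a single '*' never crosses a '/'.
TOKENS = {"**/": r"(?:[^/]+/)*", "*": r"[^/]*"}

def glob_to_regex(pattern):
    """Translate one page pattern into an anchored regex."""
    parts = re.split(r"(\*\*/|\*)", pattern)
    body = "".join(TOKENS.get(p) or re.escape(p) for p in parts)
    # Assumption: a pattern may match at any depth (monorepo subprojects).
    return re.compile(r"(?:^|.*/)" + body + r"$")

COMPILED = [(eco, pat, glob_to_regex(pat))
            for eco, pats in PATTERNS.items() for pat in pats]

def classify(rel_path):
    """Return (section, pattern) for a POSIX-style relative path, or None."""
    for eco, pat, rx in COMPILED:
        if rx.match(rel_path):
            return eco, pat
    return None

def inventory(root):
    """Walk root (skipping .git) and return {rel_path: (section, pattern)}."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            hit = classify(rel)
            if hit:
                found[rel] = hit
    return found
```

Because the walk reads the working tree rather than the git index, it also surfaces gitignored files such as CLAUDE.local.md that never appear in a diff.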