Last week I wrote a tiny Python linter — cc-audit — that scores a CLAUDE.md or AGENTS.md file against twelve behavior rules for AI coding agents. I ran it against 492 real public CLAUDE.md files pulled from GitHub code search. Here's what the ecosystem actually looks like.

Methodology

- Pulled the first 500 public CLAUDE.md filename matches from GitHub code search
- 492 were fetchable at scan time (8 had been moved, renamed, or gated behind forks)
- Each file scored on 12 behavior rules via keyword-signal matching (does the file address each rule?)
- Separately scanned for leaked secrets (API keys, database URLs, private keys) with placeholder-aware filtering

The 12 rules come from the claude-code-pro-pack baseline (Karpathy's original 4 + 8 more covering agent-orchestration failure modes):

- Read adjacent / existing code before writing new code
- Don't invent APIs, imports, or file paths
- Surface partial success — never silent-fail
- Cap per-task token budget; stop and ask when hit
- Match the project's existing style and…