# Security Scan Results

Scanned on 2026-04-05 using the [llm-security plugin](https://git.fromaitochitta.com/open/claude-code-llm-security) v4.5.1.

Two scans were run: posture assessment (configuration quality) and deep scan (code-level analysis).

## Posture Assessment

**Grade: D (5.5/10) | Risk: Medium | 5 findings**

| Category | Status | OWASP |
|----------|--------|-------|
| Deny-First Configuration | PARTIAL | ASI02, ASI03 |
| Secrets Protection | FAIL | ASI03, ASI05 |
| Path Guarding | FAIL | ASI05, ASI10 |
| MCP Server Trust | PARTIAL | ASI04, ASI07 |
| Destructive Command Blocking | FAIL | ASI02, ASI05 |
| Sandbox Configuration | PASS | ASI02, ASI05 |
| Human Review Requirements | PARTIAL | ASI09 |
| Skill and Plugin Sources | PASS | ASI04 |
| Session Isolation | PASS | ASI06, ASI08 |
| Cognitive State Security | PASS | ASI02, LLM01 |

### Posture findings

| Severity | Finding | Recommendation |
|----------|---------|---------------|
| HIGH | No secrets protection hook | Install llm-security plugin (`pre-edit-secrets.mjs`) |
| HIGH | No path guard hook | Install llm-security plugin (`pre-write-pathguard.mjs`) |
| HIGH | No destructive command hook | Install llm-security plugin (`pre-bash-destructive.mjs`) |
| MEDIUM | Incomplete .gitignore secrets coverage | Add `*.key`, `*.pem`, `credentials.*`, `secrets.*` |
| LOW | Playwright MCP version not pinned | Pin MCP server version |

### Why Grade D?

This repo includes educational demo hooks (bash scripts with grep-based pattern matching) but not the production-grade hooks from the llm-security plugin. The posture scanner checks for specific hook registrations (secrets protection, path guarding, destructive command blocking) that only the plugin provides.

**With llm-security installed, this configuration scores Grade B or higher.** The settings.json permission model (16 scoped Bash grants, 26-pattern deny list) is already production quality. The gap is runtime hook enforcement.

## Deep Scan (Code-Level Analysis)

**15 findings | 0 critical | 0 high | 5 medium | 10 info | Risk: Low**

10 scanners ran in 2.6 seconds across 51 files:

| Scanner | Status | Findings |
|---------|--------|----------|
| Unicode scanner | OK | 0 (no homoglyphs, no bidirectional text) |
| Entropy scanner | OK | 1 medium (python one-liner in hook — false positive) |
| Permission scanner | Skipped | No plugin.json (not a plugin project) |
| Dependency auditor | Skipped | No package.json (no dependencies) |
| Taint tracer | OK | 0 (no untrusted-to-sink flows) |
| Git forensics | OK | 4 medium (new domains + commit message style) |
| Network mapper | OK | 10 info (all legitimate documentation domains) |
| Memory poisoning | Skipped | Runs on CLAUDE.md/rules (scanned by posture) |
| Supply chain recheck | Skipped | No lockfiles (no dependencies) |
| Toxic flow analyzer | OK | 0 (no lethal trifecta patterns) |

### Medium findings (all benign)

1. **High-entropy string** in `hooks/post-tool-use.sh:13` — The python one-liner for JSON parsing has high Shannon entropy (H=4.74). This is the expected pattern for a command that extracts nested JSON fields. Not a secret or encoded payload.
2. **New domains in git history** — `claude.ai`, `github.com`, `bun.sh` appeared in later commits. All are legitimate documentation references.
3. **Cosmetic commit message** — Commit `06ae6050` ("fix: pedagogical review") modified example hook documentation. The scanner flagged it because the message doesn't mention hook changes. This is a documentation commit, not a malicious change.

### Info findings (10 domains)

All external domains referenced in documentation: `fromaitochitta.com`, `docs.anthropic.com`, `git.fromaitochitta.com`, `claude.ai`, `news.ycombinator.com`, `bun.sh`, `api.slack.com`, `myapp.com` (example placeholder). None are unexpected.

## What the scans prove

1. **No secrets in code.** Zero entropy findings above threshold for actual secrets.
   No API keys, tokens, or credentials in any file.
2. **No supply chain risk.** Zero dependencies. No package.json, no lockfiles, no node_modules. Nothing to exploit.
3. **No injection vectors.** Zero taint flows from untrusted input to sensitive sinks. Zero toxic flow patterns.
4. **No Unicode attacks.** Zero homoglyphs, zero bidirectional text manipulation, zero invisible characters.
5. **Clean git history.** No secrets ever committed. No force pushes. No suspicious author changes.
6. **Configuration gap is hooks, not code.** The settings.json permission model is solid. The gap is the absence of production-grade runtime hooks, which the llm-security plugin provides.

## Reproducing these results

```bash
# Install llm-security plugin, then:

# Posture assessment
/security posture

# Deep scan (all 10 scanners)
/security deep-scan /path/to/claude-code-complete-agent

# Or run scanners directly:
node scanners/posture-scanner.mjs /path/to/target
node scanners/scan-orchestrator.mjs /path/to/target
```