open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

feat(llm-security): add toxic-agent-demo example for TFA scanner [skip-docs]

Browse source 
Single-component lethal-trifecta walkthrough that drives
scanners/toxic-flow-analyzer.mjs against a deliberately
misconfigured fixture plugin. The fixture agent declares
tools: [Bash, Read, WebFetch], which alone covers all three
trifecta legs (input surface + data access + exfil sink). No
hooks/hooks.json is shipped, so TFA's mitigation logic finds
no active guards and emits a CRITICAL "Lethal trifecta:"
finding without downgrade.

Plugin marker is plugin.fixture.json (recognised by isPlugin())
rather than .claude-plugin/plugin.json — the latter is blocked
by the plugin's own pre-write-pathguard hook, and
plugin.fixture.json exists in isPlugin() specifically so
example fixtures can self-mark without touching guarded paths.

Three independent assertions (3/3 must pass): direct trifecta
present and CRITICAL; finding mentions the exfil-helper
component; description confirms "no hook guards detected"
(proves the mitigation path stayed inactive). expected-findings.md
documents the contract.

OWASP / framework mapping: ASI01, ASI02, ASI05, LLM01, LLM02, LLM06.

Docs updated: plugin README "Other runnable examples", plugin
CLAUDE.md "Examples" tabellen, CHANGELOG [Unreleased] Added.
[skip-docs] is appropriate because examples don't change what
the plugin "synes å dekke utad" — marketplace root README is
unaffected.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen 2026-05-05 15:15:04 +02:00
commit 92fb0087fa
8 changed files with 422 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
plugins/llm-security/README.md
View file

@ -528,6 +528,16 @@ demonstrations — each with `README.md`, fixture, run script, and
`bash-normalize` strips the evasion. T8 has its own BLOCK_RULE.
Run:
`node examples/bash-evasion-gallery/run-evasion-gallery.mjs`
- **`toxic-agent-demo/`** — single-component lethal trifecta detected
by the `toxic-flow-analyzer` (TFA). A fixture agent with
`tools: [Bash, Read, WebFetch]` covers all three trifecta legs
(untrusted input + sensitive data access + exfil sink), and the
fixture deliberately ships no `hooks/hooks.json` so TFA emits a
CRITICAL `Lethal trifecta:` finding without mitigation downgrade.
Uses `plugin.fixture.json` as the plugin marker so the example
doesn't trip `pre-write-pathguard` on `.claude-plugin/`. Maps to
ASI01 / ASI02 / ASI05 / LLM01 / LLM02 / LLM06. Run:
`node examples/toxic-agent-demo/run-toxic-flow.mjs`
---