feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI

Full port of llm-security plugin for internal use on Windows with GitHub
Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs)
normalizes Copilot camelCase I/O to Claude Code snake_case format — all
original hook scripts run unmodified.

- 8 hooks with protocol translation (stdin/stdout/exit code)
- 18 SKILL.md skills (Agent Skills Open Standard)
- 6 .agent.md agent definitions
- 20 scanners + 14 scanner lib modules (unchanged)
- 14 knowledge files (unchanged)
- 39 test files including copilot-port-verify.mjs (17 tests)
- Windows-ready: node:path, os.tmpdir(), process.execPath, no bash

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kjell Tore Guttormsen 2026-04-09 21:56:10 +02:00
commit f418a8fe08
169 changed files with 37631 additions and 0 deletions


@ -0,0 +1,156 @@
# MCP Security Audit Report
<!--
TEMPLATE USAGE
This is the output template for `/security mcp-audit`.
The mcp-scanner-agent uses this as a formatting guide — fill every section with real findings
from the 5-phase MCP analysis. Do NOT output placeholder text.
If no servers are found, state "No MCP servers configured" and skip per-server sections.
-->
---
## Header
| Field | Value |
|-------|-------|
| **Audit scope** | [List of MCP config files examined — e.g. `.mcp.json`, `~/.claude/settings.json`] |
| **Servers found** | [count] |
| **Audit date** | [ISO 8601 — e.g. 2026-02-19] |
| **Auditor** | llm-security v[X.X] — mcp-scanner-agent |
| **Analysis phases** | Tool descriptions, Source code, Dependencies, Configuration, Rug pull detection |
---
## MCP Landscape Summary
| Server | Source | Transport | Trust Rating | Critical | High | Medium | Low |
|--------|--------|-----------|--------------|----------|------|--------|-----|
| `[server-name]` | [local path / npx package / remote URL] | stdio / sse | [Trusted/Cautious/Untrusted/Dangerous] | [n] | [n] | [n] | [n] |
**Overall MCP Risk:** [Low / Medium / High / Critical]
---
## Per-Server Analysis
### Server: `[server-name]`
| Field | Value |
|-------|-------|
| **Transport** | stdio / sse |
| **Command/URL** | `[command and args, or URL]` |
| **Source** | `[resolved path or "remote package"]` |
| **Trust Rating** | [Trusted / Cautious / Untrusted / Dangerous] |
**Findings:**
| # | Severity | Category | Description | OWASP Ref |
|---|----------|----------|-------------|-----------|
| 1 | [Critical/High/Medium/Low] | [Category name] | [Finding description] | [LLM0X or ASI0X] |
**Evidence:**
```
[Exact code or config excerpt — file:line reference. Redact actual secret values.]
```
**Recommendations:**
- [Specific, actionable fix per finding]
---
[Repeat per-server section for each server discovered]
---
## Overall MCP Risk Assessment
**Risk Rating: [Low / Medium / High / Critical]**
| Criterion | Description |
|-----------|-------------|
| **Low** | All servers Trusted or Cautious, no High+ findings |
| **Medium** | One or more Cautious servers with High findings |
| **High** | One or more Untrusted servers |
| **Critical** | Any server rated Dangerous |
---
## Recommendations
### Keep (no action required)
- **`[server-name]`** — Trusted, [n] Low findings only. [Brief positive note.]
### Review before next session
- **`[server-name]`** — [Cautious/Untrusted], [specific concern to investigate]
### Remove or disable immediately
- **`[server-name]`** — Dangerous: [one-line critical finding summary]
> If all servers are Trusted with no High+ findings, write: "All MCP servers passed trust verification. No action required."
---
## Footer
| Field | Value |
|-------|-------|
| llm-security version | [e.g. 0.1.0] |
| Assessment engine | mcp-scanner-agent (5-phase analysis) |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Config files scanned | [comma-separated list of files read] |
| Report generated | [ISO 8601 timestamp] |
---
<!--
TRUST RATING CRITERIA (for agents filling in this template)
Assign one trust rating per server based on the highest-severity finding:
Trusted — No findings above Low, all behavior matches declared purpose
Cautious — Medium findings present, minor scope excess, no active threats
Untrusted — High findings, undisclosed network access, or questionable dependencies
Dangerous — Critical findings: tool poisoning, active exfiltration, rug pull mechanisms
OVERALL RISK AGGREGATION
The overall MCP risk rating is determined by the worst-case server:
Low — All servers Trusted or Cautious with no High+ findings
Medium — At least one Cautious server with High findings
High — At least one Untrusted server
Critical — Any server rated Dangerous
SEVERITY CLASSIFICATION
Critical — Active threat, immediate exploitation risk (hidden LLM directives in tool
descriptions, active data exfiltration, credential harvesting, config
self-modification, rug pull time-bombs)
High — Significant risk, exploitation likely without mitigation (path traversal
without sanitization, rug pull mechanisms, known CVEs in direct dependencies,
undisclosed network calls to external services)
Medium — Meaningful risk, requires attention (excessive permissions vs. stated purpose,
missing input validation, remote feature flags without disclosure, plaintext
tokens in config)
Low — Informational or best-practice gap (unlocked dependency versions, missing
README documentation, overly broad but not harmful env var access)
ANALYSIS PHASES
The mcp-scanner-agent runs 5 phases per server:
Phase 1 — Tool description analysis (hidden directives, excessive length, unicode)
Phase 2 — Source code analysis (code execution, network calls, filesystem, credentials)
Phase 3 — Dependency analysis (npm/pip audit, postinstall scripts, typosquatting)
Phase 4 — Configuration analysis (permissions vs. stated purpose, auth config)
Phase 5 — Rug pull detection (dynamic metadata, self-modification, remote flags)
RECOMMENDATIONS SORTING
Group servers into exactly 3 tiers: Keep / Review / Remove.
Empty tiers should be omitted entirely.
Within each tier, sort alphabetically by server name.
-->
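Review bot: the aggregation rule in the `## Overall MCP Risk Assessment` table (and the matching OVERALL RISK AGGREGATION comment) defines `Medium` as "One or more Cautious servers with High findings", but the TRUST RATING CRITERIA in the same file assign `Untrusted` to any server with High findings, so a Cautious server with High findings cannot exist and the Medium tier is unreachable; the overall rating jumps straight from Low to High. Suggest making every tier reachable, e.g. `| **Low** | All servers Trusted, no findings above Low |` and `| **Medium** | One or more Cautious servers (Medium findings), no High+ findings |`, and mirroring the same wording in the comment block so the agent and the table agree. Separately, the header placeholder `llm-security v[X.X]` and the footer example `[e.g. 0.1.0]` use different version formats; pick one so both fields are filled consistently.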