feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI

Full port of llm-security plugin for internal use on Windows with GitHub
Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs)
normalizes Copilot camelCase I/O to Claude Code snake_case format — all
original hook scripts run unmodified.

- 8 hooks with protocol translation (stdin/stdout/exit code)
- 18 SKILL.md skills (Agent Skills Open Standard)
- 6 .agent.md agent definitions
- 20 scanners + 14 scanner lib modules (unchanged)
- 14 knowledge files (unchanged)
- 39 test files including copilot-port-verify.mjs (17 tests)
- Windows-ready: node:path, os.tmpdir(), process.execPath, no bash

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kjell Tore Guttormsen 2026-04-09 21:56:10 +02:00
commit f418a8fe08
169 changed files with 37631 additions and 0 deletions


@ -0,0 +1,237 @@
# Plugin Security Audit Report
<!--
TEMPLATE USAGE
This is the output template for `/security plugin-audit`.
The command inventories the plugin, spawns skill-scanner-agent for content analysis,
and compiles findings into this format. Fill every section with real data.
Do NOT output placeholder text. If a section has no findings, write "None identified."
-->
---
## Header
| Field | Value |
|-------|-------|
| **Plugin** | [plugin name from manifest] |
| **Version** | [version from manifest, or "not specified"] |
| **Author** | [author from manifest, or "not specified"] |
| **Path** | [absolute or relative path to plugin root] |
| **Audit date** | [ISO 8601 — e.g. 2026-02-19] |
| **Auditor** | llm-security v[X.X] — plugin-audit |
---
## Plugin Metadata
| Field | Value |
|-------|-------|
| **Description** | [description from manifest] |
| **Auto-discover** | [true / false] |
| **Commands** | [count] |
| **Agents** | [count] |
| **Hook events** | [count of registered events] |
| **Skills** | [count] |
| **Knowledge files** | [count] ([total lines] lines) |
| **Templates** | [count] |
| **Total files** | [count of all files in plugin directory] |
---
## Component Inventory
### Commands
| Name | Allowed Tools | Model | Flags |
|------|---------------|-------|-------|
| `[command name]` | [Read, Write, Bash, ...] | [sonnet/opus] | [Bash / Bash+Write / Task / none] |
### Agents
| Name | Tools | Model | Flags |
|------|-------|-------|-------|
| `[agent name]` | [Read, Glob, Grep, ...] | [sonnet/opus] | [Bash / Bash+Write / Task / none] |
### Hooks
| Event | Matcher | Script | Behavior | Flags |
|-------|---------|--------|----------|-------|
| [PreToolUse] | [Edit\|Write] | [scripts/pre-edit-secrets.mjs] | [block / warn / advisory] | [state-modify / network / env-access / none] |
### Skills
| Name | Reference files |
|------|----------------|
| `[skill name]` | [count] |
> If no components exist for a type, write "None" and omit the table.
---
## Permission Matrix
Aggregated tool access across all commands and agents:
| Tool | Granted to | Risk level | Justification needed |
|------|-----------|------------|---------------------|
| **Bash** | [list of commands/agents] | High | Yes — can execute arbitrary commands |
| **Write** | [list] | Medium | If combined with Bash |
| **Task** | [list] | Medium | Can spawn sub-agents with own permissions |
| **Edit** | [list] | Low | Modifies existing files only |
| **Read** | [list] | Low | Read-only access |
| **Glob** | [list] | Low | File discovery only |
| **Grep** | [list] | Low | Content search only |
**Permission flags:**
| Flag | Components | Assessment |
|------|-----------|------------|
| Bash access | [list] | [Justified: hook enforcement / Unjustified: no clear need] |
| Bash + Write | [list] | [Justified / Unjustified] |
| Task spawning | [list] | [Justified: multi-agent audit / Unjustified] |
| Opus for simple tasks | [list or "none"] | [Appropriate / Over-specified] |
> If all permissions are justified, write: "All tool grants are consistent with declared component purposes."
---
## Hook Safety Analysis
**Events intercepted:** [comma-separated list — e.g. PreToolUse, PostToolUse, Stop]
| Category | Count | Assessment |
|----------|-------|------------|
| Block hooks (reject operations) | [n] | [Expected for security plugins] |
| Warn hooks (advisory only) | [n] | [Low risk — informational] |
| State-modifying hooks | [n] | [Requires review — hooks should be read-only or block-only] |
| Network-calling hooks | [n] | [High concern — hooks should not phone home] |
| SessionStart hooks | [n] | [Runs every session — verify purpose] |
**Script analysis summary:**
- [script-name.mjs]: [1-line description of what it does and risk assessment]
> If no hooks are registered, write: "No hooks registered. The plugin does not intercept any operations."
---
## Security Findings
Findings from skill-scanner-agent, sorted Critical → High → Medium → Low → Info.
Each finding ID is formatted `SCN-[NNN]`.
### Critical
> No Critical findings — omit this section if empty.
| ID | Category | File | Line | Description | OWASP Ref |
|----|----------|------|------|-------------|-----------|
| SCN-001 | [Category] | [path] | [Ln] | [Description] | [LLM0X / ASI0X] |
### High
> No High findings — omit this section if empty.
| ID | Category | File | Line | Description | OWASP Ref |
|----|----------|------|------|-------------|-----------|
### Medium
> No Medium findings — omit this section if empty.
| ID | Category | File | Line | Description | OWASP Ref |
|----|----------|------|------|-------------|-----------|
### Low / Info
| ID | Category | File | Description |
|----|----------|------|-------------|
> Follow same detail block format as scan-report.md for findings that need elaboration.
---
## Trust Verdict
**Verdict: [Install / Review / Do Not Install]**
| Criterion | Status |
|-----------|--------|
| Zero Critical findings | [PASS / FAIL] |
| Zero High findings | [PASS / FAIL — if FAIL, Review] |
| All hooks transparent (block/warn only) | [PASS / FAIL] |
| No state-modifying hooks | [PASS / FAIL] |
| No network-calling hooks | [PASS / FAIL] |
| Permissions justified | [PASS / FAIL] |
| No exfiltration patterns | [PASS / FAIL] |
| No persistence mechanisms | [PASS / FAIL] |
| No hidden instructions | [PASS / FAIL] |
**Verdict rationale:** [2-3 sentences explaining the verdict based on the criteria above.]
**Recommendations:**
- [If Install: "Safe to add to enabledPlugins." + any minor suggestions]
- [If Review: List specific items to investigate before installing]
- [If Do Not Install: List critical concerns and what would need to change]
---
## Footer
| Field | Value |
|-------|-------|
| llm-security version | [e.g. 0.1.0] |
| Assessment engine | skill-scanner-agent (7 threat categories) |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Components analyzed | [total count of files scanned] |
| Report generated | [ISO 8601 timestamp] |
---
<!--
VERDICT DECISION LOGIC (for the command filling in this template)
INSTALL — all of:
- Zero Critical findings
- Zero High findings
- All hooks are transparent (block or warn behavior, no state modification)
- All permissions are justified for declared purposes
- No evidence of exfiltration, persistence, toolchain manipulation, or hidden instructions
REVIEW — any of:
- One or more High findings
- Hooks that modify state (write files, set env vars)
- Excessive tool grants without clear justification (e.g. Bash on a read-only agent)
- Unclear or missing author/version metadata
- SessionStart hooks with non-trivial logic
DO NOT INSTALL — any of:
- One or more Critical findings
- Evidence of data exfiltration (network calls with user data)
- Persistence mechanisms (writes to ~/.claude/, modifies settings)
- Hidden instructions (encoded directives, steganographic content)
- Toolchain manipulation (modifies other plugins, hooks, or settings)
- Tool poisoning via agent/command descriptions
PERMISSION RISK SCORING (informational, not used for verdict)
Bash access: +3 per component
Write + Bash combo: +5 per component
Task spawning: +2 per component
Opus model: +1 per component (cost concern, not security)
Read/Glob/Grep: +0
Score 0-5: Low risk
Score 6-15: Medium risk
Score 16+: High risk (review all grants)
FINDING CATEGORIES (same as scan-report.md)
- Secrets, Injection, Permissions, Supply Chain, MCP Trust,
Destructive, Output Handling, Other
SEVERITY CLASSIFICATION
Critical — Active threat: hidden LLM directives, exfiltration, credential harvesting,
persistence, toolchain manipulation
High — Significant risk: path traversal, unjustified Bash+Write, known vuln patterns
Medium — Meaningful risk: excessive permissions, missing validation, unclear purpose
Low — Informational: unlocked versions, missing docs, minor best-practice gaps
-->
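Review bot: The empty-section guidance in this template contradicts itself: the header comment says "If a section has no findings, write \"None identified.\"", the Skills/Component note says "write \"None\" and omit the table", and the Critical/High/Medium blocks say "omit this section if empty." A command filling the template cannot satisfy all three, so pick one rule (keeping the heading with a single "None identified." line is the easiest to diff across reports) and state it once in the top comment. Two smaller points in the same file: the Trust Verdict table has no row for two of the REVIEW triggers listed in the decision logic ("Unclear or missing author/version metadata" and "SessionStart hooks with non-trivial logic"), so a report can show all PASS while the verdict is Review; and the DO NOT INSTALL persistence criterion only names `~/.claude/`, which this commit ports to GitHub Copilot CLI, so the Copilot config location should be covered as well or the wording generalized to "the host's config/plugin directories".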