feat: initial open marketplace with llm-security, config-audit, ultraplan-local

plugins/llm-security/commands/plugin-audit.md

@@ -0,0 +1,64 @@
+---
+name: security:plugin-audit
+description: Audit a Claude Code plugin for security risks, permission analysis, and trust assessment before installation
+allowed-tools: Read, Glob, Grep, Bash, Agent
+model: sonnet
+---
+
+# /security plugin-audit [path|url]
+
+Audit a Claude Code plugin for security before installation. Accepts local paths or GitHub URLs.
+
+## Step 1: Resolve Target
+
+- If `$ARGUMENTS` contains `--branch <name>` → strip it, set `branch = <name>`
+- If `$ARGUMENTS` starts with `https://github.com/` or `git@github.com:` →
+    Run: `node <plugin-root>/scanners/lib/git-clone.mjs clone "<url>" [--branch <branch>]`
+    If exit code != 0 → show error to user and **STOP**
+    Set `clone_path` = stdout (trimmed), `target = clone_path`
+    Set `remote_url = <url>` for display
+- Else if `$ARGUMENTS` is non-empty → `target = $ARGUMENTS`, `clone_path = null`
+- Else → `target = "."`, `clone_path = null`
+- Verify `.claude-plugin/plugin.json` exists at `<target>`. If not and `clone_path != null` → cleanup clone_path first, then tell user this is not a plugin directory and **STOP**. If not and local → tell user and **STOP**.
+
+## Step 1.5: Pre-extraction (remote audits only)
+
+If `clone_path != null`:
+  Get temp path: `node <plugin-root>/scanners/lib/fs-utils.mjs tmppath "plugin-extract.json"`
+  Run: `node <plugin-root>/scanners/content-extractor.mjs "<target>" --output-file "<evidence_file>"`
+  If exit code != 0 → set `evidence_file = null` (fall back to direct scan)
+
+## Step 2: Inventory
+
+Read plugin.json (name, version, auto_discover). Glob for commands, agents, hooks, skills, knowledge. Build permission matrix from all `allowed-tools` and `tools` declarations. Flag: Bash access, Bash+Write combo, Task (sub-agent spawning), opus for trivial tasks.
+
+## Step 3: Analyze Hooks
+
+If `hooks/hooks.json` exists: parse events, read scripts, classify (block/warn/modify). Flag: state modification, network calls, non-CLAUDE env vars, SessionStart hooks.
+
+## Step 4: Scan Content
+
+Spawn `subagent_type: "llm-security:skill-scanner-agent"`, `model: "sonnet"`:
+
+If `evidence_file` is set:
+> EVIDENCE-PACKAGE MODE. Read: \<evidence_file\>
+> Read: \<plugin-root\>/knowledge/skill-threat-patterns.md
+> Analyze all sections. DO NOT use Read/Glob/Grep on the target directory.
+> Check all 7 threat categories. Return findings: file, severity, OWASP ref.
+
+Otherwise:
+> Scan plugin at \<path\>: commands/*.md, agents/*.md, hooks/scripts/*, skills/*/SKILL.md, knowledge/**/*.md.
+> Read: \<plugin-root\>/knowledge/skill-threat-patterns.md
+> Check all 7 threat categories. Return findings: file, severity, OWASP ref.
+
+## Step 5: Report
+
+Output: Plugin metadata, component inventory, permission matrix, hook analysis, security findings, trust verdict.
+
+Verdict: **Install** (0 critical/high, transparent hooks) | **Review** (high findings or unclear permissions) | **Do Not Install** (critical, exfiltration, persistence, or hidden instructions).
+
+## Step 6: Cleanup (only if remote)
+
+If `clone_path != null`:
+  Run: `node <plugin-root>/scanners/lib/git-clone.mjs cleanup "<clone_path>"`
+  If cleanup fails → warn: "Could not remove temp dir <clone_path> — remove manually."