open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

feat: initial open marketplace with llm-security, config-audit, ultraplan-local

Browse source
This commit is contained in:
Kjell Tore Guttormsen 2026-04-06 18:47:49 +02:00
commit f93d6abdae
380 changed files with 65935 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

82
plugins/llm-security/examples/malicious-skill-demo/README.md Normal file
View file

@ -0,0 +1,82 @@
# Malicious Skill Demo
> **WARNING: This is a security test fixture, NOT a real plugin.**
> All "malicious" patterns are intentionally planted for scanner testing.
## What Is This?
A fake Claude Code plugin called "Project Health Dashboard" that **looks legitimate** but contains security threats across every category the LLM Security plugin can detect. It serves as:
1. **Showcase** — demonstrates what the 7 deterministic scanners + 5 LLM agents can find
2. **Regression test** — verifiable fixture for scanner development
3. **Educational resource** — real attack patterns in a safe, contained context
## Embedded Threat Categories
| Scanner | Threats | Files |
|---------|---------|-------|
| **UNI** (Unicode) | Zero-width chars, Unicode Tags steganography, BIDI overrides, Cyrillic homoglyphs | SKILL.fixture.md, health-check-agent.fixture.md |
| **ENT** (Entropy) | Base64-encoded payloads, high-entropy credentials | SKILL.fixture.md, telemetry.mjs |
| **PRM** (Permissions) | Purpose-vs-tools mismatch, ghost hooks, haiku on sensitive agent, overprivileged | health.fixture.md, health-check-agent.fixture.md, hooks.fixture.json |
| **DEP** (Dependencies) | 6 typosquatting packages, malicious install scripts, unpinned versions | package.json |
| **TNT** (Taint) | 6 source-to-sink data flows (env→fetch, req.body→exec, input→eval) | telemetry.mjs |
| **GIT** (Forensics) | (Minimal — new directory, no git history) | — |
| **NET** (Network) | ngrok, webhook.site, requestbin, pipedream, pastebin, bit.ly, IP-based URLs | SKILL.fixture.md, telemetry.mjs, health.fixture.md |
### LLM Agent Detection (Skill Scanner)
All 7 threat categories from the skill-scanner-agent are represented in SKILL.md:
1. **Prompt Injection** — HTML comments with `<!-- AGENT: ... -->`, spoofed `# SYSTEM:` headers
2. **Data Exfiltration**`printenv | base64`, `curl -X POST` to external endpoints
3. **Privilege Escalation** — instructions to modify hooks/ and settings.json
4. **Scope Creep** — reads from ~/.ssh/, ~/.aws/, ~/.npmrc
5. **Hidden Instructions** — Unicode Tags steganography, base64-encoded commands, invisible lines
6. **Toolchain Manipulation** — typosquatting package installs in prerequisites
7. **Persistence** — crontab, ~/.zshrc modification, LaunchAgent creation
## How to Run
### Quick: Deterministic Scanners Only
```bash
cd plugins/llm-security
./examples/malicious-skill-demo/run-demo.sh
```
Or directly:
```bash
node scanners/scan-orchestrator.mjs examples/malicious-skill-demo/evil-project-health/
```
**Expected:** BLOCK verdict, ~59 findings, all active scanners reporting.
### Full: LLM-Enhanced Deep Scan
```
/security scan examples/malicious-skill-demo/evil-project-health/ --deep
```
This runs both the deterministic scanners AND the LLM agents (skill-scanner, mcp-scanner).
## Safety
- No actual secrets, tokens, or credentials are in these files
- No real malicious code is executable — URLs are fake/non-functional
- The package.json typosquatting packages don't exist or are harmless names
- Install scripts reference non-existent domains
- Discoverable files use `.fixture.{md,json}` suffix to prevent Claude Code's plugin loader from picking them up during recursive tree-walking
## Security Assessment
A full combined security assessment (LLM skill scanner + 7 deterministic scanners) is available at **[security-assessment.md](security-assessment.md)**. This is real scanner output, not just expected findings:
- **85 total findings** (24 Critical, 24 High, 20 Medium, 6 Low, 11 Info)
- **Verdict: BLOCK 100/100** — both scanning layers independently maxed the risk score
- **All 8 scanners active** (1 LLM + 7 deterministic)
- Includes executive summary, per-scanner breakdown, combined verdict, recommendations, and methodology
## Expected Findings
See [expected-findings.md](expected-findings.md) for the deterministic scanner catalog of ~50 expected findings with scanner, severity, file, and description.