# Security Scan Report

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | scan |
| **Target** | ~/repos/example-app |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | skill scan + MCP scan |
| **Frameworks** | OWASP LLM Top 10, OWASP MCP |
| **Triggered by** | /security scan |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 72/100 |
| **Risk Band** | Critical |
| **Grade** | D |
| **Verdict** | BLOCK |

| Severity | Count |
|----------|------:|
| Critical | 2 |
| High | 4 |
| Medium | 7 |
| Low | 3 |
| Info | 5 |
| **Total** | **21** |

**Verdict rationale:** 2 critical findings (hardcoded API key + lethal trifecta in agent definition) cross the BLOCK threshold. A high-severity hidden imperative in an MCP tool description (SCN-004) and a wildcard `Bash(*)` grant (SCN-006) compound the risk.

---

## Executive Summary

Scan found 21 issues across 7 files, concentrated in the `commands/` and `agents/` directories and in the plugin's MCP and settings configuration. Two critical findings require immediate remediation before this plugin is shipped: a hardcoded API key in `agents/data-analyst.md` (line 47) and a lethal trifecta agent (`agents/web-helper.md`) with `[Bash, Read, WebFetch]` and no hook guards. The four high-severity findings are a prompt-injection vector in `commands/research.md`, an output-handling sink in `agents/notes.md`, a hidden imperative in an MCP tool description in `.mcp.json`, and a wildcard `Bash(*)` permission grant in `.claude/settings.json`.

### Narrative Audit

**Suppressed signals:** 3 (entropy: 2 GLSL fragments, frontmatter: 1 framework env-var reference)

---

## Findings

Findings sorted Critical → High → Medium → Low → Info.

### Critical

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-001 | Secrets | agents/data-analyst.md | 47 | Hardcoded API key (sk-prod-...) | LLM02 |
| SCN-002 | Excessive Agency | agents/web-helper.md | 3 | Lethal trifecta: [Bash, Read, WebFetch] without hook guards | ASI01, LLM06 |

### High

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-003 | Injection | commands/research.md | 22 | Prompt-injection vector in user-input interpolation | LLM01 |
| SCN-004 | MCP Trust | .mcp.json | 12 | MCP server description contains hidden imperative | MCP05 |
| SCN-005 | Output Handling | agents/notes.md | 89 | Markdown link-title injection sink | LLM01 |
| SCN-006 | Permissions | .claude/settings.json | 5 | Wildcard `Bash(*)` permission grant | ASI04 |

### Medium

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-007 | Supply Chain | package.json | 15 | Dependency `lefthook@1.4.2` flagged by OSV.dev | LLM03 |
| SCN-008 | Output Handling | agents/notes.md | 102 | HTML comment node passes through unvalidated | LLM01 |
| SCN-009 | Other | CLAUDE.md | 34 | Memory-poisoning pattern: base64-encoded imperative | LLM06 |
| SCN-010 | Injection | commands/summarize.md | 14 | Indirect injection via WebFetch result | LLM01 |
| SCN-011 | Permissions | agents/test-runner.md | 5 | Tool list includes `Edit` without rationale | ASI04 |
| SCN-012 | MCP Trust | .mcp.json | 28 | Per-update drift on `airbnb-mcp` tool description (12.3%) | MCP05 |
| SCN-013 | Other | scripts/setup.sh | 3 | `curl \| sh` pattern in install hint | LLM03 |

### Low

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-014 | Other | README.md | 88 | Suspicious URL pattern in example | — |
| SCN-015 | Other | docs/setup.md | 21 | Outdated security advisory link | — |
| SCN-016 | Other | tests/fixtures/poisoned.md | 1 | Test fixture flagged (likely intentional) | — |

### Info

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-017 | Other | .gitignore | — | No `.env*` exclusion rule | — |
| SCN-018 | Other | LICENSE | — | License missing | — |
| SCN-019 | Other | CHANGELOG.md | — | No CHANGELOG present | — |
| SCN-020 | Other | SECURITY.md | — | No SECURITY.md disclosure policy | — |
| SCN-021 | Other | CONTRIBUTING.md | — | No CONTRIBUTING guidelines | — |

---

## OWASP Categorization

| OWASP Category | Findings | Max Severity | Scanners |
|----------------|---------:|--------------|----------|
| LLM01 — Prompt Injection | 4 | High | skill-scanner, post-mcp-verify |
| LLM02 — Sensitive Info Disclosure | 1 | Critical | secrets |
| LLM03 — Supply Chain | 2 | Medium | dep-audit |
| LLM06 — Excessive Agency | 2 | Critical | toxic-flow, memory |
| MCP05 — Tool Description Drift | 2 | High | mcp-cache |
| ASI01 — Lethal Trifecta | 1 | Critical | toxic-flow |
| ASI04 — Permission Sprawl | 2 | High | permission |

---

## Supply Chain Assessment

| Component | Type | Source | Trust Score | Notes |
|-----------|------|--------|-------------|-------|
| lefthook | npm | registry | 6/10 | OSV-2024-1234 (medium) |
| typescript | npm | registry | 9/10 | clean |
| @airbnb/mcp-server | npm | registry | 7/10 | per-update drift detected |

**Source verification:** registry-only, no Git/private deps detected.

**Permissions analysis:**

- Requested tools: Bash, Read, Write, Edit, WebFetch, Task
- Minimum necessary: Read, Bash
- Over-permissioned: Write, Edit, WebFetch, Task

**Supply chain risk summary:** One medium-severity CVE on a build-tool dependency. Recommend bumping `lefthook` to 1.5.0+.

---

## Recommendations

1. **Immediate:** Rotate the `sk-prod-...` API key and remove it from `agents/data-analyst.md` (line 47); replace it with an environment-variable reference.
2. **Immediate:** Rewrite `agents/web-helper.md` to drop one of `[Bash, Read, WebFetch]` OR add a hook policy that blocks the trifecta.
3. **High:** Remove the hidden imperative from the MCP server description in `.mcp.json` (line 12). If the `airbnb-mcp` description change (SCN-012) is confirmed to be a legitimate upstream update, run `/security mcp-baseline-reset` to re-baseline it.
4. **High:** Replace `Bash(*)` with an explicit allowlist in `.claude/settings.json` (line 5).
5. **Medium:** Bump `lefthook` to 1.5.0+ to clear OSV-2024-1234.

Run `/security clean .` to auto-fix deterministic issues. Re-scan after fixes to confirm BLOCK → WARNING → ALLOW progression.

---

*Scan complete. 21 findings across 7 files, 12.4 seconds.*