# Plugin Security Audit Report

---

## Header

| Field | Value |
|-------|-------|
| **Plugin** | [plugin name from manifest] |
| **Version** | [version from manifest, or "not specified"] |
| **Author** | [author from manifest, or "not specified"] |
| **Path** | [absolute or relative path to plugin root] |
| **Audit date** | [ISO 8601 — e.g. 2026-02-19] |
| **Auditor** | llm-security v[X.X] — plugin-audit |

---

## Plugin Metadata

| Field | Value |
|-------|-------|
| **Description** | [description from manifest] |
| **Auto-discover** | [true / false] |
| **Commands** | [count] |
| **Agents** | [count] |
| **Hook events** | [count of registered events] |
| **Skills** | [count] |
| **Knowledge files** | [count] ([total lines] lines) |
| **Templates** | [count] |
| **Total files** | [count of all files in plugin directory] |

---

## Component Inventory

### Commands

| Name | Allowed Tools | Model | Flags |
|------|---------------|-------|-------|
| `[command name]` | [Read, Write, Bash, ...] | [sonnet/opus] | [Bash / Bash+Write / Task / none] |

### Agents

| Name | Tools | Model | Flags |
|------|-------|-------|-------|
| `[agent name]` | [Read, Glob, Grep, ...] | [sonnet/opus] | [Bash / Bash+Write / Task / none] |

### Hooks

| Event | Matcher | Script | Behavior | Flags |
|-------|---------|--------|----------|-------|
| [PreToolUse] | [Edit\|Write] | [scripts/pre-edit-secrets.mjs] | [block / warn / advisory] | [state-modify / network / env-access / none] |

### Skills

| Name | Reference files |
|------|----------------|
| `[skill name]` | [count] |

> If no components exist for a type, write "None" and omit the table.
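The Flags column of the Component Inventory and the aggregated Permission Matrix that follows it are both derived mechanically from each command's or agent's tool grants. The Python below is an added example, not code from the llm-security project or this template, showing one way to compute the per-component flag, the tool-to-components aggregation and the "Permission flags" rows from a constructed inventory. The flag precedence (Bash+Write over Bash over Task over none) and the `TOOL_RISK` table are assumptions taken from the risk levels the report itself lists; the sample inventory is constructed and does not describe any real plugin.

```python
"""Derive the Component Inventory "Flags" column and an aggregated
permission matrix from a plugin's command/agent tool grants.
Added example; the inventory below is constructed, not a real plugin."""
from collections import defaultdict

# Risk levels as used in the report's Permission Matrix (assumption:
# copied from the report template's own table).
TOOL_RISK = {
    "Bash": "High", "Write": "Medium", "Task": "Medium",
    "Edit": "Low", "Read": "Low", "Glob": "Low", "Grep": "Low",
}


def component_flag(tools):
    """Map one component's tool list to the report's Flags value.
    Precedence (assumption): Bash+Write > Bash > Task > none."""
    granted = set(tools)
    if "Bash" in granted and "Write" in granted:
        return "Bash+Write"
    if "Bash" in granted:
        return "Bash"
    if "Task" in granted:
        return "Task"
    return "none"


def permission_matrix(components):
    """Aggregate across all components: tool -> sorted component names."""
    granted = defaultdict(list)
    for name, tools in components.items():
        for tool in set(tools):
            granted[tool].append(name)
    return {tool: sorted(names) for tool, names in granted.items()}


def permission_flags(components):
    """Rows of the report's 'Permission flags' table: flag -> components."""
    flags = {"Bash access": [], "Bash + Write": [], "Task spawning": []}
    for name, tools in components.items():
        granted = set(tools)
        if "Bash" in granted:
            flags["Bash access"].append(name)
        if "Bash" in granted and "Write" in granted:
            flags["Bash + Write"].append(name)
        if "Task" in granted:
            flags["Task spawning"].append(name)
    return {flag: sorted(names) for flag, names in flags.items()}


def render_matrix(components):
    """Render the aggregated matrix as a markdown table in the report's
    column order; tools the report does not rate are listed as Unrated."""
    granted = permission_matrix(components)
    rows = ["| Tool | Granted to | Risk level |",
            "|------|-----------|------------|"]
    for tool, risk in TOOL_RISK.items():
        if tool in granted:
            rows.append(f"| **{tool}** | {', '.join(granted[tool])} | {risk} |")
    for tool in sorted(set(granted) - set(TOOL_RISK)):
        rows.append(f"| **{tool}** | {', '.join(granted[tool])} | Unrated |")
    return "\n".join(rows)


# Constructed sample inventory: command/agent name -> tools granted.
SAMPLE_COMPONENTS = {
    "audit": ["Read", "Glob", "Grep", "Task"],
    "fix-secrets": ["Read", "Edit", "Write", "Bash"],
    "summarize": ["Read"],
}

if __name__ == "__main__":
    for name, tools in SAMPLE_COMPONENTS.items():
        print(f"{name}: {component_flag(tools)}")
    print(render_matrix(SAMPLE_COMPONENTS))
    for flag, names in permission_flags(SAMPLE_COMPONENTS).items():
        print(f"{flag}: {', '.join(names) or 'none'}")
```

Running the script against a real inventory means reading each command's and agent's tool list from its frontmatter into the same name-to-tools mapping; whether a grant is justified remains a manual call against the component's declared purpose, which is why the rendered table stops at risk level.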
---

## Permission Matrix

Aggregated tool access across all commands and agents:

| Tool | Granted to | Risk level | Justification needed |
|------|-----------|------------|---------------------|
| **Bash** | [list of commands/agents] | High | Yes — can execute arbitrary commands |
| **Write** | [list] | Medium | If combined with Bash |
| **Task** | [list] | Medium | Can spawn sub-agents with own permissions |
| **Edit** | [list] | Low | Modifies existing files only |
| **Read** | [list] | Low | Read-only access |
| **Glob** | [list] | Low | File discovery only |
| **Grep** | [list] | Low | Content search only |

**Permission flags:**

| Flag | Components | Assessment |
|------|-----------|------------|
| Bash access | [list] | [Justified: hook enforcement / Unjustified: no clear need] |
| Bash + Write | [list] | [Justified / Unjustified] |
| Task spawning | [list] | [Justified: multi-agent audit / Unjustified] |
| Opus for simple tasks | [list or "none"] | [Appropriate / Over-specified] |

> If all permissions are justified, write: "All tool grants are consistent with declared component purposes."

---

## Hook Safety Analysis

**Events intercepted:** [comma-separated list — e.g. PreToolUse, PostToolUse, Stop]

| Category | Count | Assessment |
|----------|-------|------------|
| Block hooks (reject operations) | [n] | [Expected for security plugins] |
| Warn hooks (advisory only) | [n] | [Low risk — informational] |
| State-modifying hooks | [n] | [Requires review — hooks should be read-only or block-only] |
| Network-calling hooks | [n] | [High concern — hooks should not phone home] |
| SessionStart hooks | [n] | [Runs every session — verify purpose] |

**Script analysis summary:**

- [script-name.mjs]: [1-line description of what it does and risk assessment]

> If no hooks are registered, write: "No hooks registered. The plugin does not intercept any operations."

---

## Security Findings

Findings from skill-scanner-agent, sorted Critical → High → Medium → Low → Info.
Each finding ID is formatted `SCN-[NNN]`.

### Critical

> No Critical findings — omit this section if empty.

| ID | Category | File | Line | Description | OWASP Ref |
|----|----------|------|------|-------------|-----------|
| SCN-001 | [Category] | [path] | [Ln] | [Description] | [LLM0X / ASI0X] |

### High

> No High findings — omit this section if empty.

| ID | Category | File | Line | Description | OWASP Ref |
|----|----------|------|------|-------------|-----------|

### Medium

> No Medium findings — omit this section if empty.

| ID | Category | File | Line | Description | OWASP Ref |
|----|----------|------|------|-------------|-----------|

### Low / Info

| ID | Category | File | Description |
|----|----------|------|-------------|

> Follow the same detail block format as scan-report.md for findings that need elaboration.

---

## Trust Verdict

**Verdict: [Install / Review / Do Not Install]**

| Criterion | Status |
|-----------|--------|
| Zero Critical findings | [PASS / FAIL] |
| Zero High findings | [PASS / FAIL — if FAIL, Review] |
| All hooks transparent (block/warn only) | [PASS / FAIL] |
| No state-modifying hooks | [PASS / FAIL] |
| No network-calling hooks | [PASS / FAIL] |
| Permissions justified | [PASS / FAIL] |
| No exfiltration patterns | [PASS / FAIL] |
| No persistence mechanisms | [PASS / FAIL] |
| No hidden instructions | [PASS / FAIL] |

**Verdict rationale:** [2-3 sentences explaining the verdict based on the criteria above.]

**Recommendations:**

- [If Install: "Safe to add to enabledPlugins." + any minor suggestions]
- [If Review: List specific items to investigate before installing]
- [If Do Not Install: List critical concerns and what would need to change]

---

## Footer

| Field | Value |
|-------|-------|
| llm-security version | [e.g. 0.1.0] |
| Assessment engine | skill-scanner-agent (7 threat categories) |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Components analyzed | [total count of files scanned] |
| Report generated | [ISO 8601 timestamp] |

---