---
name: security:plugin-audit
description: Audit a Claude Code plugin for security risks, permission analysis, and trust assessment before installation
allowed-tools: Read, Glob, Grep, Bash, Agent
model: sonnet
---

# /security plugin-audit [path|url]

Audit a Claude Code plugin for security before installation. Accepts local paths or GitHub URLs.

## Step 1: Resolve Target

- If `$ARGUMENTS` contains `--branch ` → strip it, set `branch = `
- If `$ARGUMENTS` starts with `https://github.com/` or `git@github.com:` →
  Run: `node /scanners/lib/git-clone.mjs clone "" [--branch ]`
  If exit code != 0 → show error to user and **STOP**
  Set `clone_path` = stdout (trimmed), `target = clone_path`
  Set `remote_url = ` for display
- Else if `$ARGUMENTS` is non-empty → `target = $ARGUMENTS`, `clone_path = null`
- Else → `target = "."`, `clone_path = null`
- Verify `.claude-plugin/plugin.json` exists at ``. If not and `clone_path != null` → cleanup clone_path first, then tell user this is not a plugin directory and **STOP**. If not and local → tell user and **STOP**.

## Step 1.5: Pre-extraction (remote audits only)

If `clone_path != null`:
  Get temp path: `node /scanners/lib/fs-utils.mjs tmppath "plugin-extract.json"`
  Run: `node /scanners/content-extractor.mjs "" --output-file ""`
  If exit code != 0 → set `evidence_file = null` (fall back to direct scan)

## Step 2: Inventory

Read plugin.json (name, version, auto_discover). Glob for commands, agents, hooks, skills, knowledge.
Build permission matrix from all `allowed-tools` and `tools` declarations.
Flag: Bash access, Bash+Write combo, Task (sub-agent spawning), opus for trivial tasks.

## Step 3: Analyze Hooks

If `hooks/hooks.json` exists: parse events, read scripts, classify (block/warn/modify).
Flag: state modification, network calls, non-CLAUDE env vars, SessionStart hooks.

## Step 4: Scan Content

Spawn `subagent_type: "llm-security:skill-scanner-agent"`, `model: "sonnet"`:

If `evidence_file` is set:

> EVIDENCE-PACKAGE MODE. Read: \
> Read: \/knowledge/skill-threat-patterns.md
> Analyze all sections. DO NOT use Read/Glob/Grep on the target directory.
> Check all 7 threat categories. Return findings: file, severity, OWASP ref.

Otherwise:

> Scan plugin at \: commands/*.md, agents/*.md, hooks/scripts/*, skills/*/SKILL.md, knowledge/**/*.md.
> Read: \/knowledge/skill-threat-patterns.md
> Check all 7 threat categories. Return findings: file, severity, OWASP ref.

## Step 5: Report

Output: Plugin metadata, component inventory, permission matrix, hook analysis, security findings, trust verdict.

Verdict: **Install** (0 critical/high, transparent hooks) | **Review** (high findings or unclear permissions) | **Do Not Install** (critical, exfiltration, persistence, or hidden instructions).

## Step 6: Cleanup (only if remote)

If `clone_path != null`:
  Run: `node /scanners/lib/git-clone.mjs cleanup ""`
  If cleanup fails → warn: "Could not remove temp dir — remove manually."
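
The permission matrix and flags from Step 2, as an added example (not the plugin's own scanner code): it parses `allowed-tools` and `tools` frontmatter from component files and applies the Bash, Bash+Write and Task flags. The rule names, the function names and the `SAMPLE` files are assumptions made for illustration; the opus-for-trivial-tasks flag needs judgement and is not covered.

```javascript
// Added example; SAMPLE file names and contents are constructed, not from a real plugin.
const RISK_RULES = [
  { flag: "bash-access", test: (t) => t.has("Bash") },
  { flag: "bash+write", test: (t) => t.has("Bash") && t.has("Write") },
  { flag: "sub-agent-spawn", test: (t) => t.has("Task") },
];

// Collect tool names from `allowed-tools:` / `tools:` in a component's frontmatter.
function declaredTools(markdown) {
  const fm = /^---\r?\n([\s\S]*?)\r?\n---/.exec(markdown);
  const tools = new Set();
  if (!fm) return tools; // no frontmatter: nothing declared
  const lines = fm[1].split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const m = /^(allowed-tools|tools):\s*(.*)$/.exec(lines[i]);
    if (!m) continue;
    // Drop argument patterns first so "Bash(git add:*, git commit:*)" stays one item.
    let items = m[2].replace(/\([^)]*\)/g, "").replace(/^\[|\]\s*$/g, "").split(",");
    if (m[2].trim() === "") {
      // Block-style YAML list: the key alone, then "- Name" lines.
      items = [];
      while (i + 1 < lines.length && /^\s*-\s+/.test(lines[i + 1])) {
        items.push(lines[++i].replace(/^\s*-\s+/, ""));
      }
    }
    for (const raw of items) {
      const name = raw.trim().replace(/^["']|["']$/g, "");
      if (name) tools.add(name);
    }
  }
  return tools;
}

// One row per component: declared tools plus the Step 2 flags they trigger.
function permissionMatrix(components) {
  return Object.entries(components).map(([file, markdown]) => {
    const tools = declaredTools(markdown);
    const flags = RISK_RULES.filter((r) => r.test(tools)).map((r) => r.flag);
    return { file, tools: [...tools].sort(), flags };
  });
}

const SAMPLE = {
  "commands/deploy.md": "---\nname: deploy\nallowed-tools: Read, Bash(git push:*), Write\n---\nDeploy.",
  "agents/helper.md": "---\nname: helper\ntools:\n  - Read\n  - Task\n---\nHelp.",
  "commands/notes.md": "---\nname: notes\nallowed-tools: Read, Grep\n---\nNotes.",
};
console.log(JSON.stringify(permissionMatrix(SAMPLE), null, 2));
```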