---
name: security-clean
description: Scan and remediate security findings — auto-fixes deterministic issues, confirms semi-auto with user, reports manual findings
---

# Security Clean

Scan, classify, and remediate security findings with user confirmation.

## Step 1: Parse Arguments

- Target path = `$ARGUMENTS` or current working directory
- `--dry-run` flag = report only, no changes

## Step 2: Create Backup

```bash
node <plugin-root>/scanners/lib/fs-utils.mjs backup "<target>"
```

## Step 3: Run Scan

```bash
node <plugin-root>/scanners/lib/fs-utils.mjs tmppath clean-findings.json
node <plugin-root>/scanners/scan-orchestrator.mjs "<target>" --output-file "<findings_file>"
```

Show banner with verdict, risk score, finding counts.

## Step 4: Auto-fix Deterministic Issues

```bash
node <plugin-root>/scanners/auto-cleaner.mjs "<target>" --findings "<findings_file>" [--dry-run]
```

Report: Applied, Skipped, Failed counts.

## Step 5: Semi-auto Remediation

For findings classified as semi-auto (entropy strings, permission mismatches, typosquatted deps, ghost hooks, suspicious URLs, credential access, hidden MCP directives, homoglyphs):

1. Read the referenced files and understand the surrounding context
2. Propose specific, minimal changes grouped by fix type
3. Present each proposal to the user for confirmation before applying
4. Apply confirmed changes via Edit tool

## Step 6: LLM Threat Scan

Read `<plugin-root>/knowledge/skill-threat-patterns.md`. Scan modified files for remaining threats. Report manual findings that require human judgment.

## Step 7: Validate and Report

Re-scan to verify fixes didn't introduce new issues. If validation fails, offer to restore from backup:
```bash
node <plugin-root>/scanners/lib/fs-utils.mjs restore "<target>"
```

Final report: pre/post comparison, fix summaries, remaining manual findings, rollback instructions.