ktg-plugin-marketplace

History

Kjell Tore Guttormsen b0f1a9abfd fix(memory-poisoning): E15 — add .claude/agents/.md to target glob Critical-review §4 E15 finding: agent files in .claude/agents/ are loaded as Claude Code subagent system prompts and are a direct memory-poisoning surface. Pre-v7.2.0 the scanner covered CLAUDE.md, .claude/rules/.md, memory/.md, REMEMBER.md, .local.md, and .claude-plugin/plugin.json — but not .claude/agents/.md. Single-line addition to MEMORY_FILE_PATTERNS: /(?:^\|\/)\.claude\/agents\/[^/]+\.md$/ The existing scan loop, scanForInjection integration, and severity- mapping logic all apply unchanged. STRICT_FILES_PATTERN intentionally NOT extended — agents may legitimately quote shell commands as examples (consistent with CLAUDE.md treatment). Tests: +3 cases in tests/scanners/memory-poisoning.test.mjs: - "scans .claude/agents/*.md" (smoke test — at least one finding from the new fixture) - "agent file injection pattern detected" - "agent file credential path detected" New fixture: tests/fixtures/memory-scan/poisoned-project/.claude/agents/ poisoned-agent.md — agent with injection, credential ref, permission expansion, and exfil URL. Triggers all 4 detection categories. Suite: 1591 → 1594 (+3). All green.	2026-04-29 14:13:01 +02:00
..
clean-project	feat: initial open marketplace with llm-security, config-audit, ultraplan-local	2026-04-06 18:47:49 +02:00
poisoned-project	fix(memory-poisoning): E15 — add .claude/agents/*.md to target glob	2026-04-29 14:13:01 +02:00

Kjell Tore Guttormsen b0f1a9abfd fix(memory-poisoning): E15 — add .claude/agents/*.md to target glob

Critical-review §4 E15 finding: agent files in .claude/agents/ are loaded
as Claude Code subagent system prompts and are a direct memory-poisoning
surface. Pre-v7.2.0 the scanner covered CLAUDE.md, .claude/rules/*.md,
memory/*.md, REMEMBER.md, .local.md, and .claude-plugin/plugin.json —
but not .claude/agents/*.md.

Single-line addition to MEMORY_FILE_PATTERNS:
  /(?:^|\/)\.claude\/agents\/[^/]+\.md$/

The existing scan loop, scanForInjection integration, and severity-
mapping logic all apply unchanged. STRICT_FILES_PATTERN intentionally
NOT extended — agents may legitimately quote shell commands as examples
(consistent with CLAUDE.md treatment).

Tests: +3 cases in tests/scanners/memory-poisoning.test.mjs:
- "scans .claude/agents/*.md" (smoke test — at least one finding from
  the new fixture)
- "agent file injection pattern detected"
- "agent file credential path detected"

New fixture: tests/fixtures/memory-scan/poisoned-project/.claude/agents/
poisoned-agent.md — agent with injection, credential ref, permission
expansion, and exfil URL. Triggers all 4 detection categories.

Suite: 1591 → 1594 (+3). All green.

2026-04-29 14:13:01 +02:00

clean-project

feat: initial open marketplace with llm-security, config-audit, ultraplan-local

2026-04-06 18:47:49 +02:00

poisoned-project

fix(memory-poisoning): E15 — add .claude/agents/*.md to target glob

2026-04-29 14:13:01 +02:00