Plugin Security Audit Report
Header
| Field | Value |
|---|---|
| Plugin | [plugin name from manifest] |
| Version | [version from manifest, or "not specified"] |
| Author | [author from manifest, or "not specified"] |
| Path | [absolute or relative path to plugin root] |
| Audit date | [ISO 8601 — e.g. 2026-02-19] |
| Auditor | llm-security v[X.X] — plugin-audit |
Plugin Metadata
| Field | Value |
|---|---|
| Description | [description from manifest] |
| Auto-discover | [true / false] |
| Commands | [count] |
| Agents | [count] |
| Hook events | [count of registered events] |
| Skills | [count] |
| Knowledge files | [count] ([total lines] lines) |
| Templates | [count] |
| Total files | [count of all files in plugin directory] |
Component Inventory
Commands
| Name | Allowed Tools | Model | Flags |
|---|---|---|---|
| [command name] | [Read, Write, Bash, ...] | [sonnet/opus] | [Bash / Bash+Write / Task / none] |
Agents
| Name | Tools | Model | Flags |
|---|---|---|---|
| [agent name] | [Read, Glob, Grep, ...] | [sonnet/opus] | [Bash / Bash+Write / Task / none] |
Hooks
| Event | Matcher | Script | Behavior | Flags |
|---|---|---|---|---|
| [PreToolUse] | [Edit\|Write] | [scripts/pre-edit-secrets.mjs] | [block / warn / advisory] | [state-modify / network / env-access / none] |
Skills
| Name | Reference files |
|---|---|
| [skill name] | [count] |
If no components exist for a type, write "None" and omit the table.
Permission Matrix
Aggregated tool access across all commands and agents:
| Tool | Granted to | Risk level | Justification needed |
|---|---|---|---|
| Bash | [list of commands/agents] | High | Yes — can execute arbitrary commands |
| Write | [list] | Medium | If combined with Bash |
| Task | [list] | Medium | Can spawn sub-agents with own permissions |
| Edit | [list] | Low | Modifies existing files only |
| Read | [list] | Low | Read-only access |
| Glob | [list] | Low | File discovery only |
| Grep | [list] | Low | Content search only |
Permission flags:
| Flag | Components | Assessment |
|---|---|---|
| Bash access | [list] | [Justified: hook enforcement / Unjustified: no clear need] |
| Bash + Write | [list] | [Justified / Unjustified] |
| Task spawning | [list] | [Justified: multi-agent audit / Unjustified] |
| Opus for simple tasks | [list or "none"] | [Appropriate / Over-specified] |
If all permissions are justified, write: "All tool grants are consistent with declared component purposes."
Hook Safety Analysis
Events intercepted: [comma-separated list — e.g. PreToolUse, PostToolUse, Stop]
| Category | Count | Assessment |
|---|---|---|
| Block hooks (reject operations) | [n] | [Expected for security plugins] |
| Warn hooks (advisory only) | [n] | [Low risk — informational] |
| State-modifying hooks | [n] | [Requires review — hooks should be read-only or block-only] |
| Network-calling hooks | [n] | [High concern — hooks should not phone home] |
| SessionStart hooks | [n] | [Runs every session — verify purpose] |
Script analysis summary:
- [script-name.mjs]: [1-line description of what it does and risk assessment]
If no hooks are registered, write: "No hooks registered. The plugin does not intercept any operations."
Security Findings
Findings from skill-scanner-agent, sorted Critical → High → Medium → Low → Info.
Each finding ID is formatted SCN-[NNN].
Critical
No Critical findings — omit this section if empty.
| ID | Category | File | Line | Description | OWASP Ref |
|---|---|---|---|---|---|
| SCN-001 | [Category] | [path] | [Ln] | [Description] | [LLM0X / ASI0X] |
High
No High findings — omit this section if empty.
| ID | Category | File | Line | Description | OWASP Ref |
|---|---|---|---|---|---|
Medium
No Medium findings — omit this section if empty.
| ID | Category | File | Line | Description | OWASP Ref |
|---|---|---|---|---|---|
Low / Info
| ID | Category | File | Description |
|---|---|---|---|
Follow the same detail block format as scan-report.md for findings that need elaboration.
Trust Verdict
Verdict: [Install / Review / Do Not Install]
| Criterion | Status |
|---|---|
| Zero Critical findings | [PASS / FAIL] |
| Zero High findings | [PASS / FAIL — if FAIL, Review] |
| All hooks transparent (block/warn only) | [PASS / FAIL] |
| No state-modifying hooks | [PASS / FAIL] |
| No network-calling hooks | [PASS / FAIL] |
| Permissions justified | [PASS / FAIL] |
| No exfiltration patterns | [PASS / FAIL] |
| No persistence mechanisms | [PASS / FAIL] |
| No hidden instructions | [PASS / FAIL] |
Verdict rationale: [2-3 sentences explaining the verdict based on the criteria above.]
Recommendations:
- [If Install: "Safe to add to enabledPlugins." + any minor suggestions]
- [If Review: List specific items to investigate before installing]
- [If Do Not Install: List critical concerns and what would need to change]
Footer
| Field | Value |
|---|---|
| llm-security version | [e.g. 0.1.0] |
| Assessment engine | skill-scanner-agent (7 threat categories) |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Components analyzed | [total count of files scanned] |
| Report generated | [ISO 8601 timestamp] |