ktg-plugin-marketplace/plugins/llm-security/playground/test-fixtures/scan.md
Kjell Tore Guttormsen ce3891bdd0 feat(llm-security): playground Phase 3 — v7.5.0 with 18 parsers/renderers
The single-file SPA playground now has a parser + renderer for all 18
produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8
remaining: mcp-inspect, supply-check, pre-deploy, diff, watch,
registry, clean, threat-model). 18 markdown test fixtures serve as
contract anchors for parser development.

The complete demo project `dft-komplett-demo` has all 18 reports
pre-parsed inline — click-through without "parser not implemented"
panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean)
and matrix-risk (threat-model).

Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS /
CONDITIONAL / BETINGET BEFORE plain GO so that a conditional verdict
(pre-deploy with open conditions) does not collapse to ALLOW.

Exposed 11 window globals for testing/automation (__store,
__navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG,
__inferVerdict, __inferKeyStats, __renderPageShell,
__handlePasteImport, __scheduleRender). 12 Playwright-generated
screenshots in playground/screenshots/v7.5.0/.

A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements
flagged for the v7.5.x patch (skip-link, heading hierarchy on project,
aria-live toast).

Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json,
CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION
constants, ROADMAP, marketplace root README).

No scanner or hook behavior changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 22:15:47 +02:00


# Security Scan Report
---
## Header
| Field | Value |
|-------|-------|
| **Report type** | scan |
| **Target** | ~/repos/example-app |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | skill scan + MCP scan |
| **Frameworks** | OWASP LLM Top 10, OWASP MCP |
| **Triggered by** | /security scan |
---
## Risk Dashboard
| Metric | Value |
|--------|-------|
| **Risk Score** | 72/100 |
| **Risk Band** | Critical |
| **Grade** | D |
| **Verdict** | BLOCK |

| Severity | Count |
|----------|------:|
| Critical | 2 |
| High | 4 |
| Medium | 7 |
| Low | 3 |
| Info | 5 |
| **Total** | **21** |
**Verdict rationale:** 2 critical findings (hardcoded API key + lethal trifecta in agent definition) cross the BLOCK threshold. High-severity prompt-injection vector in tool description compounds the risk.
---
## Executive Summary
Scan found 21 issues across 7 files in the `commands/` and `agents/` directories. Two critical findings require immediate remediation before this plugin is shipped: a hardcoded API key in `agents/data-analyst.md` (line 47) and a lethal trifecta agent (`agents/web-helper.md`) with `[Bash, Read, WebFetch]` and no hook guards. The four high-severity findings concentrate on prompt-injection patterns in MCP tool descriptions.
### Narrative Audit
**Suppressed signals:** 3 (entropy: 2 GLSL fragments, frontmatter: 1 framework env-var reference)
---
## Findings
Findings sorted Critical → High → Medium → Low → Info.
### Critical
| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-001 | Secrets | agents/data-analyst.md | 47 | Hardcoded API key (sk-prod-...) | LLM02 |
| SCN-002 | Excessive Agency | agents/web-helper.md | 3 | Lethal trifecta: [Bash, Read, WebFetch] without hook guards | ASI01, LLM06 |
### High
| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-003 | Injection | commands/research.md | 22 | Prompt-injection vector in user-input interpolation | LLM01 |
| SCN-004 | MCP Trust | .mcp.json | 12 | MCP server description contains hidden imperative | MCP05 |
| SCN-005 | Output Handling | agents/notes.md | 89 | Markdown link-title injection sink | LLM01 |
| SCN-006 | Permissions | .claude/settings.json | 5 | Wildcard `Bash(*)` permission grant | ASI04 |
### Medium
| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-007 | Supply Chain | package.json | 15 | Dependency `lefthook@1.4.2` flagged by OSV.dev | LLM03 |
| SCN-008 | Output Handling | agents/notes.md | 102 | HTML comment node passes through unvalidated | LLM01 |
| SCN-009 | Other | CLAUDE.md | 34 | Memory-poisoning pattern: encoded base64 imperative | LLM06 |
| SCN-010 | Injection | commands/summarize.md | 14 | Indirect injection via WebFetch result | LLM01 |
| SCN-011 | Permissions | agents/test-runner.md | 5 | Tool list includes `Edit` without rationale | ASI04 |
| SCN-012 | MCP Trust | .mcp.json | 28 | Per-update drift on `airbnb-mcp` tool description (12.3%) | MCP05 |
| SCN-013 | Other | scripts/setup.sh | 3 | curl\|sh pattern in install hint | LLM03 |
### Low
| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-014 | Other | README.md | 88 | Suspicious URL pattern in example | — |
| SCN-015 | Other | docs/setup.md | 21 | Outdated security advisory link | — |
| SCN-016 | Other | tests/fixtures/poisoned.md | 1 | Test fixture flagged (likely intentional) | — |
### Info
| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| SCN-017 | Other | .gitignore | — | No `.env*` exclusion rule | — |
| SCN-018 | Other | LICENSE | — | License missing | — |
| SCN-019 | Other | CHANGELOG.md | — | No CHANGELOG present | — |
| SCN-020 | Other | SECURITY.md | — | No SECURITY.md disclosure policy | — |
| SCN-021 | Other | CONTRIBUTING.md | — | No CONTRIBUTING guidelines | — |
---
## OWASP Categorization
| OWASP Category | Findings | Max Severity | Scanners |
|----------------|----------|-------------|----------|
| LLM01 — Prompt Injection | 4 | High | skill-scanner, post-mcp-verify |
| LLM02 — Sensitive Info Disclosure | 1 | Critical | secrets |
| LLM03 — Supply Chain | 2 | Medium | dep-audit |
| LLM06 — Excessive Agency | 2 | Critical | toxic-flow, memory |
| MCP05 — Tool Description Drift | 2 | High | mcp-cache |
| ASI01 — Lethal Trifecta | 1 | Critical | toxic-flow |
| ASI04 — Permission Sprawl | 2 | High | permission |
---
## Supply Chain Assessment
| Component | Type | Source | Trust Score | Notes |
|-----------|------|--------|-------------|-------|
| lefthook | npm | registry | 6/10 | OSV-2024-1234 (medium) |
| typescript | npm | registry | 9/10 | clean |
| @airbnb/mcp-server | npm | registry | 7/10 | per-update drift detected |
**Source verification:** registry-only, no Git/private deps detected.
**Permissions analysis:**
- Requested tools: Bash, Read, Write, Edit, WebFetch, Task
- Minimum necessary: Read, Bash
- Over-permissioned: Write, Edit, WebFetch, Task
**Supply chain risk summary:** One medium-severity CVE on a build-tool dependency. Recommend bumping `lefthook` to 1.5.0+.
---
## Recommendations
1. **Immediate:** Rotate `sk-prod-...` API key and remove from `agents/data-analyst.md`. Replace with environment-variable reference.
2. **Immediate:** Rewrite `agents/web-helper.md` to drop one of `[Bash, Read, WebFetch]` OR add a hook policy that blocks the trifecta.
3. **High:** Update MCP server description in `.mcp.json` (line 12) and run `/security mcp-baseline-reset` after legitimate update.
4. **High:** Replace `Bash(*)` with explicit allowlist in `.claude/settings.json`.
5. **Medium:** Bump `lefthook` to 1.5.0+ to clear OSV-2024-1234.
Run `/security clean .` to auto-fix deterministic issues. Re-scan after fixes to confirm BLOCK → WARNING → ALLOW progression.
---
*Scan complete. 21 findings across 7 files, 12.4 seconds.*
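The verdict-ordering fix described in the commit message and the Risk Dashboard table format of the fixture above, as an added JavaScript example that is not the playground's own code: `normalizeVerdictText`, `parseKeyValueTable`, `inferVerdict` and the regex patterns are hypothetical, and the sample report is constructed.

```javascript
// Added example, not the playground's own code: parse the Risk Dashboard
// key/value table of a scan.md fixture and normalize its verdict text.
// Function names and the verdict regexes are assumptions for illustration.

// Map free-text verdicts to the three dashboard states. Order matters:
// "GO-WITH-CONDITIONS" contains the word GO, so conditional patterns must
// run before the plain GO check or a conditional verdict collapses to ALLOW.
function normalizeVerdictText(text) {
  const v = String(text ?? "").trim().toUpperCase();
  if (/\b(BLOCK|NO-GO)\b/.test(v)) return "BLOCK";
  if (/GO-WITH-CONDITIONS|CONDITIONAL|BETINGET|WARNING/.test(v)) return "WARNING";
  if (/\b(GO|ALLOW)\b/.test(v)) return "ALLOW";
  return "UNKNOWN";
}

// Collect "| **Key** | value |" rows under "## <heading>" into an object;
// stops at the next "## " heading. Header, separator and "---" lines skip.
function parseKeyValueTable(markdown, heading) {
  const lines = markdown.split("\n");
  const start = lines.findIndex((l) => l.trim() === `## ${heading}`);
  if (start < 0) return {};
  const out = {};
  for (const line of lines.slice(start + 1)) {
    if (line.startsWith("## ")) break;
    const m = /^\|\s*\*\*(.+?)\*\*\s*\|\s*(.+?)\s*\|$/.exec(line.trim());
    if (m) out[m[1]] = m[2];
  }
  return out;
}

// Numeric score plus normalized verdict, as a dashboard key-stats parser would.
function inferVerdict(markdown) {
  const stats = parseKeyValueTable(markdown, "Risk Dashboard");
  return {
    score: Number.parseInt(stats["Risk Score"] ?? "", 10),
    verdict: normalizeVerdictText(stats["Verdict"]),
  };
}

// Constructed sample in the fixture's layout (a conditional pre-deploy case).
const SAMPLE_REPORT = `# Security Scan Report
---
## Risk Dashboard
| Metric | Value |
|--------|-------|
| **Risk Score** | 48/100 |
| **Verdict** | GO-WITH-CONDITIONS |
---
## Findings`;
console.log(inferVerdict(SAMPLE_REPORT)); // { score: 48, verdict: 'WARNING' }
```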