1.8 KiB
| name | description | allowed-tools | model |
|---|---|---|---|
| security:audit | Full project security audit with OWASP LLM Top 10 assessment, scoring, and remediation plan | Read, Glob, Grep, Bash, Agent | sonnet |
/security audit
Full security audit — 10 categories, OWASP LLM Top 10 aligned, A-F grade.
Step 1: Run Posture Scanner
Run the deterministic posture scanner first for instant category results:
node <this plugin's scanners/posture-scanner.mjs> [cwd]
Parse JSON output. Record: grade, risk score, all category statuses, all findings.
Step 2: Gather Context
- Read
CLAUDE.mdfor project name and type - Glob for:
commands/*.md,agents/*.md,.mcp.json,**/.mcp.json,.claude-plugin/plugin.json - Determine: has skills/commands? has MCP servers?
Step 3: Skill Scan (if commands/agents found)
Spawn subagent_type: "llm-security:skill-scanner-agent", model: "sonnet":
Scan all commands/ and agents/ at [cwd]. Read: <plugin-root>/knowledge/skill-threat-patterns.md Return findings: file, issue, severity, OWASP ref.
Step 4: MCP Scan (if MCP servers found)
After skill scan, spawn subagent_type: "llm-security:mcp-scanner-agent", model: "sonnet":
Audit MCP configs at [cwd]. Read: <plugin-root>/knowledge/mcp-threat-patterns.md Return trust table and findings with severity.
Step 5: Generate Report
Merge posture scanner JSON + agent findings. Use the posture scanner's grade as the baseline.
Recalculate risk_score = min(100, critical*25 + high*10 + medium*4 + low*1) including agent findings.
Output: Risk Dashboard, Executive Summary, 10 Category Sections (use scanner evidence + agent narrative), Summary Table, Action Items (IMMEDIATE → HIGH → MEDIUM).
Close with top 2-3 action items. If grade C or lower: suggest /security threat-model.