ktg-plugin-marketplace/plugins/llm-security/templates/unified-report.md
Kjell Tore Guttormsen 899cb5c121 fix(llm-security): template — v1 → v2 risk constants + narrative_audit block
Updates the HTML-comment risk-formula reference at lines 55-66 from the
stale v1 sum-and-cap formula to the v2 severity-dominated tiers that
have been authoritative in scanners/lib/severity.mjs since v7.0.0. Adds
a Narrative Audit block inside the Executive Summary section surfacing
summary.narrative_audit.suppressed_findings.{count,by_category} from
the agent's trailing JSON. The block is transparency only — it does
NOT affect risk_score, riskBand, or verdict.

Part of v7.1.1 narrative-coherence patch (plan: .claude/plans/ultraplan-2026-04-29-report-coherence.md).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 12:45:28 +02:00


{{REPORT_TITLE}}


Header

| Field | Value |
|---|---|
| Report type | {{ANALYSIS_TYPE}} |
| Target | {{TARGET}} |
| Date | {{DATE}} |
| Version | llm-security v{{VERSION}} |
| Scope | {{SCOPE}} |
| Frameworks | {{FRAMEWORKS}} |
| Triggered by | {{TRIGGER_COMMAND}} |

Risk Dashboard

| Metric | Value |
|---|---|
| Risk Score | {{RISK_SCORE}}/100 |
| Risk Band | {{RISK_BAND}} |
| Grade | {{GRADE}} |
| Verdict | {{VERDICT}} |

| Severity | Count |
|---|---|
| Critical | {{CRITICAL}} |
| High | {{HIGH}} |
| Medium | {{MEDIUM}} |
| Low | {{LOW}} |
| Info | {{INFO}} |
| Total | {{TOTAL_FINDINGS}} |

Verdict rationale: {{VERDICT_RATIONALE}}


Executive Summary

{{EXECUTIVE_SUMMARY}}

Narrative Audit

Suppressed signals: {{SUPPRESSED_FINDINGS_COUNT}} ({{SUPPRESSED_FINDINGS_BREAKDOWN}})

Per summary.narrative_audit.suppressed_findings. Suppressed signals are raw extractor matches (entropy, frontmatter, taint) that the agent downgraded after context evaluation (e.g., GLSL keywords, framework env-var references, animation markup, SVG inline data URIs). They do NOT appear in the Findings sections and do NOT affect risk_score or verdict. The category breakdown is for reviewer transparency only.


System Description

{{SYSTEM_DESCRIPTION}}


Overall Score

{{POSTURE_SCORE}} / {{POSTURE_APPLICABLE}} categories covered (Grade {{GRADE}})

{{PROGRESS_BAR}}

Risk Score: {{RISK_SCORE}}/100 ({{RISK_BAND}})

Verdict: {{POSTURE_VERDICT}}


Remediation Summary

> [!{{VERDICT_TYPE}}]
> Pre-clean: {{PRE_VERDICT}} ({{PRE_RISK_SCORE}}/100, {{PRE_RISK_BAND}}) — {{PRE_TOTAL_FINDINGS}} findings
> Post-clean: {{POST_VERDICT}} ({{POST_RISK_SCORE}}/100, {{POST_RISK_BAND}}) — {{POST_TOTAL_FINDINGS}} findings
> Risk reduction: {{RISK_REDUCTION}}%

| Metric | Before | After | Delta |
|---|---|---|---|
| Risk Score | {{PRE_RISK_SCORE}} | {{POST_RISK_SCORE}} | {{RISK_DELTA}} |
| Total Findings | {{PRE_TOTAL_FINDINGS}} | {{POST_TOTAL_FINDINGS}} | {{FINDINGS_DELTA}} |
| Critical | {{PRE_CRITICAL}} | {{POST_CRITICAL}} | {{CRITICAL_DELTA}} |
| High | {{PRE_HIGH}} | {{POST_HIGH}} | {{HIGH_DELTA}} |
| Medium | {{PRE_MEDIUM}} | {{POST_MEDIUM}} | {{MEDIUM_DELTA}} |
| Low | {{PRE_LOW}} | {{POST_LOW}} | {{LOW_DELTA}} |

Findings

Findings sorted Critical → High → Medium → Low → Info. Finding IDs: SCN-NNN (LLM agent) or DS-XXX-NNN (deterministic scanner).

Critical

| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
{{FINDING_ROW}}

{{FINDING_ID}} Detail

  • Severity: Critical
  • Category: {{CATEGORY}}
  • File: {{FILE}}
  • Line(s): {{LINE}}
  • OWASP: {{OWASP_REF}}
  • Description: {{DESCRIPTION}}
  • Evidence: {{EVIDENCE}}
  • Remediation: {{REMEDIATION}}

High

Omit if empty.

Medium

Omit if empty.

Low / Info

Omit if empty.


OWASP Categorization

| OWASP Category | Findings | Max Severity | Scanners |
|---|---|---|---|
| LLM01 — Prompt Injection | {{LLM01_COUNT}} | {{LLM01_MAX}} | {{LLM01_SCANNERS}} |
| LLM02 — Sensitive Info Disclosure | {{LLM02_COUNT}} | {{LLM02_MAX}} | {{LLM02_SCANNERS}} |
| LLM03 — Supply Chain | {{LLM03_COUNT}} | {{LLM03_MAX}} | {{LLM03_SCANNERS}} |
| LLM06 — Excessive Agency | {{LLM06_COUNT}} | {{LLM06_MAX}} | {{LLM06_SCANNERS}} |

Supply Chain Assessment

| Component | Type | Source | Trust Score | Notes |
|---|---|---|---|---|
{{SUPPLY_CHAIN_ROW}}

Source verification: {{SOURCE_VERIFICATION}}

Permissions analysis:

  • Requested tools: {{REQUESTED_TOOLS}}
  • Minimum necessary: {{MIN_TOOLS}}
  • Over-permissioned: {{OVER_PERMISSIONED}}

Supply chain risk summary: {{SUPPLY_CHAIN_SUMMARY}}


Scanner Results

1. Unicode Analysis (UNI)

Status: {{UNI_STATUS}} | Files: {{UNI_FILES}} | Findings: {{UNI_FINDINGS}} | Time: {{UNI_DURATION}}ms

{{UNI_DETAILS}}

2. Entropy Analysis (ENT)

Status: {{ENT_STATUS}} | Files: {{ENT_FILES}} | Findings: {{ENT_FINDINGS}} | Time: {{ENT_DURATION}}ms

{{ENT_DETAILS}}

3. Permission Mapping (PRM)

Status: {{PRM_STATUS}} | Files: {{PRM_FILES}} | Findings: {{PRM_FINDINGS}} | Time: {{PRM_DURATION}}ms

{{PRM_DETAILS}}

4. Dependency Audit (DEP)

Status: {{DEP_STATUS}} | Files: {{DEP_FILES}} | Findings: {{DEP_FINDINGS}} | Time: {{DEP_DURATION}}ms

{{DEP_DETAILS}}

5. Taint Tracing (TNT)

Status: {{TNT_STATUS}} | Files: {{TNT_FILES}} | Findings: {{TNT_FINDINGS}} | Time: {{TNT_DURATION}}ms

{{TNT_DETAILS}}

6. Git Forensics (GIT)

Status: {{GIT_STATUS}} | Files: {{GIT_FILES}} | Findings: {{GIT_FINDINGS}} | Time: {{GIT_DURATION}}ms

{{GIT_DETAILS}}

7. Network Mapping (NET)

Status: {{NET_STATUS}} | Files: {{NET_FILES}} | Findings: {{NET_FINDINGS}} | Time: {{NET_DURATION}}ms

{{NET_DETAILS}}


Scanner Risk Matrix

| Scanner | CRITICAL | HIGH | MEDIUM | LOW | INFO |
|---|---|---|---|---|---|
| Unicode (UNI) | {{UNI_C}} | {{UNI_H}} | {{UNI_M}} | {{UNI_L}} | {{UNI_I}} |
| Entropy (ENT) | {{ENT_C}} | {{ENT_H}} | {{ENT_M}} | {{ENT_L}} | {{ENT_I}} |
| Permission (PRM) | {{PRM_C}} | {{PRM_H}} | {{PRM_M}} | {{PRM_L}} | {{PRM_I}} |
| Dependency (DEP) | {{DEP_C}} | {{DEP_H}} | {{DEP_M}} | {{DEP_L}} | {{DEP_I}} |
| Taint (TNT) | {{TNT_C}} | {{TNT_H}} | {{TNT_M}} | {{TNT_L}} | {{TNT_I}} |
| Git (GIT) | {{GIT_C}} | {{GIT_H}} | {{GIT_M}} | {{GIT_L}} | {{GIT_I}} |
| Network (NET) | {{NET_C}} | {{NET_H}} | {{NET_M}} | {{NET_L}} | {{NET_I}} |
| TOTAL | {{CRITICAL}} | {{HIGH}} | {{MEDIUM}} | {{LOW}} | {{INFO}} |

Methodology

7 deterministic Node.js scanners (zero external dependencies). Results are factual and reproducible.

| Scanner | Algorithm | Limitations |
|---|---|---|
| Unicode | Codepoint iteration, Tag decoding | None — deterministic |
| Entropy | Shannon H per string literal | FP on knowledge files, data URIs |
| Permission | Frontmatter parsing, cross-reference | Claude Code plugins only |
| Dependency | npm/pip audit, Levenshtein | Requires package manager CLI |
| Taint | Regex variable tracking, 3-pass | ~70% recall, no AST, no cross-file |
| Git | History analysis, reflog, diff | Max 500 commits, 15s timeout |
| Network | URL extraction, DNS resolution | Max 50 DNS lookups, 3s timeout |
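
As an added example (not the plugin's own scanner code), the per-literal Shannon entropy check the Entropy row describes, with the data-URI false positive the table notes handled by routing it to the suppressed-signal path rather than the findings list. The threshold, minimum literal length, regex extraction and sample source are constructed assumptions.

```javascript
// Added example, not the plugin's own scanner: Shannon entropy per string
// literal as the ENT row describes, with the documented data-URI false
// positive marked "suppressed" instead of reported. Values are assumptions.
const ENTROPY_THRESHOLD = 4.0; // bits per character (assumed; tune per corpus)

// Shannon entropy H = -sum(p_i * log2 p_i) over the characters of s.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Pull out double- and single-quoted literals (simplified: no template strings).
function extractStringLiterals(source) {
  const re = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  const literals = [];
  let m;
  while ((m = re.exec(source)) !== null) literals.push(m[1] ?? m[2]);
  return literals;
}

// Classify each literal: high entropy is a finding unless it is a base64 data
// URI, which the report's Narrative Audit would list as a suppressed signal.
function scanEntropy(source, minLength = 20) {
  return extractStringLiterals(source)
    .filter((lit) => lit.length >= minLength)
    .map((lit) => {
      const entropy = shannonEntropy(lit);
      let status = 'ok';
      if (entropy >= ENTROPY_THRESHOLD) {
        status = /^data:[^;]+;base64,/.test(lit) ? 'suppressed' : 'finding';
      }
      return { literal: lit, entropy: Number(entropy.toFixed(2)), status };
    });
}

// Constructed sample source: plain text, a random-looking token, a data URI.
const SAMPLE_SOURCE = `
const greeting = "hello world this is plain text";
const token = "aK9x2Qp7Lm4Zt8Rv1Bn6Yc3Hw5Jd0Fg";
const icon = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ";
`;
for (const r of scanEntropy(SAMPLE_SOURCE)) console.log(r.status, r.entropy);
```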

Category Assessment

Category 1 — Deny-First Configuration

Status {{CAT1_STATUS}}

Evidence: {{CAT1_EVIDENCE}}

Recommendations: {{CAT1_RECOMMENDATIONS}}


Category 2 — Secrets Protection

Status {{CAT2_STATUS}}

Evidence: {{CAT2_EVIDENCE}}

Recommendations: {{CAT2_RECOMMENDATIONS}}


Category 3 — Path Guarding

Status {{CAT3_STATUS}}

Evidence: {{CAT3_EVIDENCE}}

Recommendations: {{CAT3_RECOMMENDATIONS}}


Category 4 — MCP Server Trust

Status {{CAT4_STATUS}}

Evidence: {{CAT4_EVIDENCE}}

Recommendations: {{CAT4_RECOMMENDATIONS}}


Category 5 — Destructive Command Blocking

Status {{CAT5_STATUS}}

Evidence: {{CAT5_EVIDENCE}}

Recommendations: {{CAT5_RECOMMENDATIONS}}


Category 6 — Sandbox Configuration

Status {{CAT6_STATUS}}

Evidence: {{CAT6_EVIDENCE}}

Recommendations: {{CAT6_RECOMMENDATIONS}}


Category 7 — Human Review Requirements

Status {{CAT7_STATUS}}

Evidence: {{CAT7_EVIDENCE}}

Recommendations: {{CAT7_RECOMMENDATIONS}}


Category 8 — Skill and Plugin Sources

Status {{CAT8_STATUS}}

Evidence: {{CAT8_EVIDENCE}}

Recommendations: {{CAT8_RECOMMENDATIONS}}


Category 9 — Session Isolation

Status {{CAT9_STATUS}}

Evidence: {{CAT9_EVIDENCE}}

Recommendations: {{CAT9_RECOMMENDATIONS}}


Risk Matrix

```text
              LIKELIHOOD
              Low          Medium       High
         +------------+------------+------------+
  High   |            |            |            |
IMPACT   +------------+------------+------------+
  Med    |            |            |            |
         +------------+------------+------------+
  Low    |            |            |            |
         +------------+------------+------------+
```

Prioritized Action Plan

| # | Priority | Action | Finding | Effort | Risk if Deferred |
|---|---|---|---|---|---|
{{ACTION_ROWS}}

Positive Findings

  • {{CONTROL_NAME}} — {{CONTROL_DESCRIPTION}}

Category Scorecard

| # | Category | Status | Notes |
|---|---|---|---|
| 1 | Deny-First Configuration | {{CAT1_INDICATOR}} | {{CAT1_NOTES}} |
| 2 | Secrets Protection | {{CAT2_INDICATOR}} | {{CAT2_NOTES}} |
| 3 | Path Guarding | {{CAT3_INDICATOR}} | {{CAT3_NOTES}} |
| 4 | MCP Server Trust | {{CAT4_INDICATOR}} | {{CAT4_NOTES}} |
| 5 | Destructive Command Blocking | {{CAT5_INDICATOR}} | {{CAT5_NOTES}} |
| 6 | Sandbox Configuration | {{CAT6_INDICATOR}} | {{CAT6_NOTES}} |
| 7 | Human Review Requirements | {{CAT7_INDICATOR}} | {{CAT7_NOTES}} |
| 8 | Skill and Plugin Sources | {{CAT8_INDICATOR}} | {{CAT8_NOTES}} |
| 9 | Session Isolation | {{CAT9_INDICATOR}} | {{CAT9_NOTES}} |

Status indicators: COVERED / PARTIAL / GAP / N/A

Category Detail

{{CATEGORY_DETAIL}}


Quick Wins

  • {{QUICK_WIN}}

If none: "No quick wins identified — improvements require architectural changes."


Baseline Comparison

| Category | Fully Secured | This Project |
|---|---|---|
| Deny-First Configuration | defaultPermissionLevel: deny | {{CAT1_CURRENT}} |
| Secrets Protection | Hook active + .env gitignored + no secrets | {{CAT2_CURRENT}} |
| Path Guarding | pre-write-pathguard blocks sensitive paths | {{CAT3_CURRENT}} |
| MCP Server Trust | All verified, minimal scope, auth required | {{CAT4_CURRENT}} |
| Destructive Command Blocking | pre-bash-destructive with comprehensive patterns | {{CAT5_CURRENT}} |
| Sandbox Configuration | Network/filesystem scoped to project | {{CAT6_CURRENT}} |
| Human Review Requirements | Confirmation gates on irreversible operations | {{CAT7_CURRENT}} |
| Skill and Plugin Sources | All verified sources, minimal permissions | {{CAT8_CURRENT}} |
| Session Isolation | No cross-session leakage, minimal context | {{CAT9_CURRENT}} |

Gap summary: {{GAP_SUMMARY}}


Plugin Metadata

| Field | Value |
|---|---|
| Plugin | {{PLUGIN_NAME}} |
| Version | {{PLUGIN_VERSION}} |
| Author | {{PLUGIN_AUTHOR}} |
| Path | {{PLUGIN_PATH}} |
| Auto-discover | {{AUTO_DISCOVER}} |
| Commands | {{CMD_COUNT}} |
| Agents | {{AGENT_COUNT}} |
| Hook events | {{HOOK_EVENT_COUNT}} |
| Skills | {{SKILL_COUNT}} |
| Knowledge files | {{KB_COUNT}} ({{KB_LINES}} lines) |
| Templates | {{TEMPLATE_COUNT}} |
| Total files | {{TOTAL_FILE_COUNT}} |

Component Inventory

Commands

| Name | Allowed Tools | Model | Flags |
|---|---|---|---|
{{CMD_ROWS}}

Agents

| Name | Tools | Model | Flags |
|---|---|---|---|
{{AGENT_ROWS}}

Hooks

| Event | Matcher | Script | Behavior | Flags |
|---|---|---|---|---|
{{HOOK_ROWS}}

Skills

| Name | Reference Files |
|---|---|
{{SKILL_ROWS}}

Permission Matrix

| Tool | Granted to | Risk Level | Justification Needed |
|---|---|---|---|
{{PERMISSION_ROWS}}

Permission flags:

| Flag | Components | Assessment |
|---|---|---|
{{FLAG_ROWS}}

Hook Safety Analysis

Events intercepted: {{HOOK_EVENTS}}

| Category | Count | Assessment |
|---|---|---|
| Block hooks | {{BLOCK_HOOKS}} | {{BLOCK_ASSESSMENT}} |
| Warn hooks | {{WARN_HOOKS}} | {{WARN_ASSESSMENT}} |
| State-modifying | {{STATE_HOOKS}} | {{STATE_ASSESSMENT}} |
| Network-calling | {{NET_HOOKS}} | {{NET_ASSESSMENT}} |
| SessionStart | {{SESSION_HOOKS}} | {{SESSION_ASSESSMENT}} |

Script analysis: {{SCRIPT_ANALYSIS}}


Trust Verdict

Verdict: {{TRUST_VERDICT}}

| Criterion | Status |
|---|---|
| Zero Critical findings | {{CRIT_CHECK}} |
| Zero High findings | {{HIGH_CHECK}} |
| All hooks transparent | {{HOOK_CHECK}} |
| No state-modifying hooks | {{STATE_CHECK}} |
| No network-calling hooks | {{NET_CHECK}} |
| Permissions justified | {{PERM_CHECK}} |
| No exfiltration patterns | {{EXFIL_CHECK}} |
| No persistence mechanisms | {{PERSIST_CHECK}} |
| No hidden instructions | {{HIDDEN_CHECK}} |

Verdict rationale: {{TRUST_RATIONALE}}


MCP Landscape Summary

| Server | Source | Transport | Trust Rating | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|
{{MCP_LANDSCAPE_ROWS}}

Overall MCP Risk: {{MCP_RISK}}


Per-Server Analysis

Server: {{SERVER_NAME}}

| Field | Value |
|---|---|
| Transport | {{TRANSPORT}} |
| Command/URL | {{SERVER_CMD}} |
| Source | {{SERVER_SOURCE}} |
| Trust Rating | {{TRUST_RATING}} |

Findings:

| # | Severity | Category | Description | OWASP |
|---|---|---|---|---|
{{SERVER_FINDING_ROWS}}

Evidence:

{{SERVER_EVIDENCE}}

Recommendations: {{SERVER_RECOMMENDATIONS}}


Overall MCP Risk Assessment

Risk Rating: {{MCP_RISK}}

| Criterion | Description |
|---|---|
| Low | All servers Trusted/Cautious, no High+ findings |
| Medium | Cautious servers with High findings |
| High | Untrusted servers present |
| Critical | Any Dangerous server |

MCP Recommendations

Keep

{{MCP_KEEP}}

Review

{{MCP_REVIEW}}

Remove

{{MCP_REMOVE}}


Architecture Overview

{{ARCHITECTURE_DIAGRAM}}


MAESTRO Layer Mapping

| Layer | Components Present | Attack Surface Rating |
|---|---|---|
| L1 Foundation Models | {{L1_COMPONENTS}} | {{L1_RATING}} |
| L2 Data and Knowledge | {{L2_COMPONENTS}} | {{L2_RATING}} |
| L3 Agent Frameworks | {{L3_COMPONENTS}} | {{L3_RATING}} |
| L4 Tool Integration | {{L4_COMPONENTS}} | {{L4_RATING}} |
| L5 Agent Capabilities | {{L5_COMPONENTS}} | {{L5_RATING}} |
| L6 Multi-Agent Systems | {{L6_COMPONENTS}} | {{L6_RATING}} |
| L7 Ecosystem | {{L7_COMPONENTS}} | {{L7_RATING}} |

Threat Catalog

Layer {{LAYER_NUM}} — {{LAYER_NAME}}

Threat {{THREAT_ID}}: {{THREAT_TITLE}}

| Field | Value |
|---|---|
| STRIDE | {{STRIDE_CAT}} |
| OWASP | {{THREAT_OWASP}} |
| Likelihood | {{LIKELIHOOD}} — {{LIKELIHOOD_RATIONALE}} |
| Impact | {{IMPACT}} — {{IMPACT_RATIONALE}} |
| Risk Score | {{THREAT_RISK_SCORE}} — {{THREAT_PRIORITY}} |
| Wild Exploitation | {{WILD_STATUS}} |

Attack scenario: {{ATTACK_SCENARIO}}

Current control status: {{CONTROL_STATUS}}

Recommendation: {{THREAT_RECOMMENDATION}}


Threat Risk Matrix

| Threat | Layer | STRIDE | OWASP | Score | Priority |
|---|---|---|---|---|---|
{{THREAT_MATRIX_ROWS}}

Mitigation Plan

Critical and High Priority Actions

| # | Threat | Action | Control Type | Effort |
|---|---|---|---|---|
{{MITIGATION_ROWS}}

Already Mitigated

| Threat | Control | Evidence |
|---|---|---|
{{MITIGATED_ROWS}}

Accepted Risks

| Threat | Rationale | Owner |
|---|---|---|
{{ACCEPTED_ROWS}}

Residual Risk Summary

{{RESIDUAL_RISK_SUMMARY}}

Coverage: {{THREAT_COUNT}} threats across {{LAYER_COUNT}} MAESTRO layers. Critical: {{THREAT_CRIT}} | High: {{THREAT_HIGH}} | Medium: {{THREAT_MED}} | Low: {{THREAT_LOW}}


Automated Checks

Passed: {{PASS_COUNT}}/10

{{CHECK_PROGRESS_BAR}}

| # | Check | Status | Detail |
|---|---|---|---|
| 1 | Deny-first permissions | {{CHK1_STATUS}} | {{CHK1_DETAIL}} |
| 2 | Secrets hook active | {{CHK2_STATUS}} | {{CHK2_DETAIL}} |
| 3 | Path guard active | {{CHK3_STATUS}} | {{CHK3_DETAIL}} |
| 4 | Destructive command guard | {{CHK4_STATUS}} | {{CHK4_DETAIL}} |
| 5 | MCP servers verified | {{CHK5_STATUS}} | {{CHK5_DETAIL}} |
| 6 | No hardcoded secrets | {{CHK6_STATUS}} | {{CHK6_DETAIL}} |
| 7 | .gitignore covers secrets | {{CHK7_STATUS}} | {{CHK7_DETAIL}} |
| 8 | CLAUDE.md security docs | {{CHK8_STATUS}} | {{CHK8_DETAIL}} |
| 9 | Sandbox enabled | {{CHK9_STATUS}} | {{CHK9_DETAIL}} |
| 10 | Audit logging configured | {{CHK10_STATUS}} | {{CHK10_DETAIL}} |

Manual Verification

  • Enterprise plan: {{ENTERPRISE_ANSWER}}
  • DPIA completed: {{DPIA_ANSWER}}
  • Incident response plan: {{IRP_ANSWER}}

Deploy Verdict

{{DEPLOY_VERDICT}} ({{DEPLOY_RISK_BAND}})

| Pass Count | Risk Band | Verdict |
|---|---|---|
| 10/10 | Low | Ready for deployment |
| 8-9/10 | Medium | Nearly ready |
| 6-7/10 | High | Significant gaps |
| 4-5/10 | Critical | Not ready |
| 0-3/10 | Extreme | Deployment blocked |

Fix Summary

| Category | Count |
|---|---|
| Auto-fixes applied | {{AUTO_APPLIED}} |
| Semi-auto approved | {{SEMI_APPROVED}} |
| Semi-auto skipped | {{SEMI_SKIPPED}} |
| LLM auto-fixes | {{LLM_AUTO_APPLIED}} |
| LLM semi-auto approved | {{LLM_SEMI_APPROVED}} |
| Manual (reported only) | {{MANUAL_COUNT}} |
| Skipped (historical) | {{HISTORICAL_COUNT}} |
| Failed | {{FAILED_COUNT}} |
| Total processed | {{TOTAL_PROCESSED}} |

Auto-Fixes Applied

| Finding ID | File | Operation | Description |
|---|---|---|---|
{{AUTO_FIXES_ROWS}}

Semi-Auto Fixes Applied

| Finding ID | File | Change Description | Rationale |
|---|---|---|---|
{{SEMI_AUTO_APPLIED_ROWS}}

Semi-Auto Fixes Skipped

| Finding ID | Proposed Change | User Decision |
|---|---|---|
{{SEMI_AUTO_SKIPPED_ROWS}}

Remaining Manual Findings

| Finding ID | Severity | File | Description | Recommendation |
|---|---|---|---|---|
{{MANUAL_FINDINGS_ROWS}}

Skipped (Historical)

| Finding ID | Severity | Commit | Description |
|---|---|---|---|
{{HISTORICAL_ROWS}}

Validation Results

| File | Check | Result | Detail |
|---|---|---|---|
{{VALIDATION_ROWS}}

File Modification Log

| File Path | Operations | Validation |
|---|---|---|
{{FILE_MOD_ROWS}}

Rollback

To restore the original (pre-clean) state:

```bash
rm -rf {{TARGET}}
mv {{BACKUP_PATH}} {{TARGET}}
```

The backup will be removed when you next run /security clean on this target.


Recommendations

| Priority | Finding ID(s) | Action | Effort |
|---|---|---|---|
{{RECOMMENDATION_ROWS}}

Quick wins (< 5 min): {{QUICK_WINS_LIST}}


| Field | Value |
|---|---|
| llm-security version | {{VERSION}} |
| Assessment engine | {{ENGINE}} |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Report generated | {{TIMESTAMP}} |

Generated by llm-security v{{VERSION}}