The single-file SPA playground now has a parser + renderer for all 18 produces_report=true commands (Phase 2: 10 high-priority + Phase 3: 8 remaining: mcp-inspect, supply-check, pre-deploy, diff, watch, registry, clean, threat-model). 18 markdown test fixtures serve as contract anchors for parser development. The complete demo project `dft-komplett-demo` has all 18 reports pre-parsed inline — click-through without "parser not implemented" panels. 2 new archetypes in KEY_STATS_CONFIG: kanban-buckets (clean) and matrix-risk (threat-model). Bug fix: normalizeVerdictText now checks GO-WITH-CONDITIONS / CONDITIONAL / BETINGET BEFORE plain GO so that a conditional verdict (pre-deploy with open conditions) does not collapse to ALLOW. Exposed 11 window globals for testing/automation (__store, __navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG, __inferVerdict, __inferKeyStats, __renderPageShell, __handlePasteImport, __scheduleRender). 12 Playwright-generated screenshots in playground/screenshots/v7.5.0/. A11Y report (WCAG 2.1 AA): 0 blocking, 3 minor improvements flagged for the v7.5.x patch (skip link, heading hierarchy on project, aria-live toast). Version bump 7.4.0 -> 7.5.0 in 10 files (package.json, plugin.json, CLAUDE.md header, README badge, CHANGELOG entry, 3 scanner VERSION constants, ROADMAP, marketplace root README). No scanner or hook behavior changes — purely additive surface.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
144 lines
4.4 KiB
Markdown
# Plugin-Audit — airbnb-mcp-plugin

---

## Header

| Field | Value |
|-------|-------|
| **Report type** | plugin-audit |
| **Target** | https://github.com/airbnb-example/airbnb-mcp-plugin |
| **Date** | 2026-05-05 |
| **Version** | llm-security v7.4.0 |
| **Scope** | plugin trust assessment |
| **Frameworks** | OWASP MCP, OWASP LLM Top 10 |
| **Triggered by** | /security plugin-audit |

---

## Risk Dashboard

| Metric | Value |
|--------|-------|
| **Risk Score** | 41/100 |
| **Risk Band** | High |
| **Grade** | C |
| **Verdict** | WARNING |

| Severity | Count |
|----------|------:|
| Critical | 0 |
| High | 3 |
| Medium | 5 |
| Low | 4 |
| Info | 2 |
| **Total** | **14** |

**Verdict rationale:** Plugin requests broad permissions (Bash, Write, WebFetch) with limited justification. No critical findings, but trust verdict downgrades to WARNING pending clarification.

---

## Executive Summary

Third-party Claude Code plugin distributed via GitHub. Implements 4 MCP tools (search, book, cancel, list-reservations). Plugin has clear maintainer (verified GitHub identity, 87 commits over 2.3 years). Three high-severity findings concern broad tool permissions and one MCP tool description that includes hidden imperative ("when called, also fetch X").

---

## Plugin Metadata

| Field | Value |
|-------|-------|
| **Name** | airbnb-mcp-plugin |
| **Version** | 1.4.2 |
| **Author** | airbnb-example (verified) |
| **License** | MIT |
| **Source** | https://github.com/airbnb-example/airbnb-mcp-plugin |
| **First commit** | 2024-01-15 |
| **Last commit** | 2026-04-22 |
| **Commits** | 87 |
| **Stars** | 247 |

---

## Component Inventory

| Component | Count | Notes |
|-----------|------:|-------|
| Commands | 3 | book.md, cancel.md, list.md |
| Agents | 1 | search-agent.md |
| MCP Servers | 1 | airbnb-mcp (4 tools) |
| Hooks | 0 | (none) |
| Skills | 0 | (none) |

---

## Permission Matrix

| Tool | Required by | Justified |
|------|-------------|-----------|
| Read | search-agent | Yes — needs to read user filters |
| WebFetch | search-agent | Yes — Airbnb API |
| Bash | book.md | Partial — only used for date math |
| Write | search-agent | No — appears unused |
| Edit | (none) | — |

---

## Hook Safety

No hooks defined. Plugin operates entirely through MCP tools and agent definitions. No PreToolUse/PostToolUse mechanisms to verify.

---

## Trust Verdict

**Verdict:** WARNING — install with caution

**Rationale:**
- Maintainer is verifiable (GitHub identity, history)
- License is MIT (permissive, OK)
- Permission grant is broader than necessary (Write tool unused)
- One MCP tool description (`book`) contains an implicit instruction outside its declared purpose

**Recommended action:** Open issue with maintainer requesting (a) drop unused `Write` permission, (b) clarify `book` tool description. Re-audit after maintainer response.

---

## Findings

### High

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| PA-001 | Permissions | search-agent.md | 5 | Tool list includes `Write` with no apparent use | ASI04 |
| PA-002 | MCP Trust | mcp-tools/book.json | 14 | Description has hidden imperative outside scope | MCP05 |
| PA-003 | Permissions | book.md | 8 | Bash permission not minimized to specific commands | ASI04 |

### Medium

| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| PA-004 | Supply Chain | package.json | 12 | Dependency `@airbnb/utils@2.1.0` outdated | LLM03 |
| PA-005 | Output Handling | search-agent.md | 34 | API response inserted as markdown without sanitization | LLM01 |
| PA-006 | Other | README.md | — | No security disclosure policy | — |
| PA-007 | Other | CHANGELOG.md | — | Last 3 releases lack security notes | — |
| PA-008 | Permissions | .claude/settings.json | 5 | Settings file commits hooks=null (acceptable) | — |

### Low

(4 low + 2 info findings — see envelope JSON for full list)

---

## Recommendations

1. **High:** Open issue with maintainer about `Write` permission removal.
2. **High:** Request clarification of `book` tool description.
3. **Medium:** Bump `@airbnb/utils` to current.
4. **Medium:** Add SECURITY.md.

If maintainer response is satisfactory: re-audit. If install is urgent: deploy with MCP volume monitoring (`/security mcp-inspect`) for 7 days.

---

*Plugin-audit complete. 14 findings, trust verdict WARNING.*