Security Scan Report
| Field | Value |
|---|---|
| Report type | scan |
| Target | ~/repos/example-app |
| Date | 2026-05-05 |
| Version | llm-security v7.4.0 |
| Scope | skill scan + MCP scan |
| Frameworks | OWASP LLM Top 10, OWASP MCP |
| Triggered by | /security scan |
Risk Dashboard
| Metric | Value |
|---|---|
| Risk Score | 72/100 |
| Risk Band | Critical |
| Grade | D |
| Verdict | BLOCK |

| Severity | Count |
|---|---|
| Critical | 2 |
| High | 4 |
| Medium | 7 |
| Low | 3 |
| Info | 5 |
| Total | 21 |
Verdict rationale: 2 critical findings (hardcoded API key + lethal trifecta in agent definition) cross the BLOCK threshold. High-severity prompt-injection vector in tool description compounds the risk.
Executive Summary
Scan found 21 issues across 7 files in the commands/ and agents/ directories. Two critical findings require immediate remediation before this plugin is shipped: a hardcoded API key in agents/data-analyst.md (line 47) and a lethal trifecta agent (agents/web-helper.md) with [Bash, Read, WebFetch] and no hook guards. The four high-severity findings concentrate on prompt-injection patterns in MCP tool descriptions.
Narrative Audit
Suppressed signals: 3 (entropy: 2 GLSL fragments, frontmatter: 1 framework env-var reference)
Findings
Findings sorted Critical → High → Medium → Low → Info.
Critical
| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCN-001 | Secrets | agents/data-analyst.md | 47 | Hardcoded API key (sk-prod-...) | LLM02 |
| SCN-002 | Excessive Agency | agents/web-helper.md | 3 | Lethal trifecta: [Bash, Read, WebFetch] without hook guards | ASI01, LLM06 |
High
| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCN-003 | Injection | commands/research.md | 22 | Prompt-injection vector in user-input interpolation | LLM01 |
| SCN-004 | MCP Trust | .mcp.json | 12 | MCP server description contains hidden imperative | MCP05 |
| SCN-005 | Output Handling | agents/notes.md | 89 | Markdown link-title injection sink | LLM01 |
| SCN-006 | Permissions | .claude/settings.json | 5 | Wildcard Bash(*) permission grant | ASI04 |
Medium
| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCN-007 | Supply Chain | package.json | 15 | Dependency lefthook@1.4.2 flagged by OSV.dev | LLM03 |
| SCN-008 | Output Handling | agents/notes.md | 102 | HTML comment node passes through unvalidated | LLM01 |
| SCN-009 | Other | CLAUDE.md | 34 | Memory-poisoning pattern: encoded base64 imperative | LLM06 |
| SCN-010 | Injection | commands/summarize.md | 14 | Indirect injection via WebFetch result | LLM01 |
| SCN-011 | Permissions | agents/test-runner.md | 5 | Tool list includes Edit without rationale | ASI04 |
| SCN-012 | MCP Trust | .mcp.json | 28 | Per-update drift on airbnb-mcp tool description (12.3%) | MCP05 |
| SCN-013 | Other | scripts/setup.sh | 3 | curl \| sh pattern in install hint | |
Low
| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCN-014 | Other | README.md | 88 | Suspicious URL pattern in example | — |
| SCN-015 | Other | docs/setup.md | 21 | Outdated security advisory link | — |
| SCN-016 | Other | tests/fixtures/poisoned.md | 1 | Test fixture flagged (likely intentional) | — |
Info
| ID | Category | File | Line | Description | OWASP |
|---|---|---|---|---|---|
| SCN-017 | Other | .gitignore | — | No .env* exclusion rule | — |
| SCN-018 | Other | LICENSE | — | License missing | — |
| SCN-019 | Other | CHANGELOG.md | — | No CHANGELOG present | — |
| SCN-020 | Other | SECURITY.md | — | No SECURITY.md disclosure policy | — |
| SCN-021 | Other | CONTRIBUTING.md | — | No CONTRIBUTING guidelines | — |
OWASP Categorization
| OWASP Category | Findings | Max Severity | Scanners |
|---|---|---|---|
| LLM01 — Prompt Injection | 4 | High | skill-scanner, post-mcp-verify |
| LLM02 — Sensitive Info Disclosure | 1 | Critical | secrets |
| LLM03 — Supply Chain | 2 | Medium | dep-audit |
| LLM06 — Excessive Agency | 2 | Critical | toxic-flow, memory |
| MCP05 — Tool Description Drift | 2 | High | mcp-cache |
| ASI01 — Lethal Trifecta | 1 | Critical | toxic-flow |
| ASI04 — Permission Sprawl | 2 | High | permission |
Supply Chain Assessment
| Component | Type | Source | Trust Score | Notes |
|---|---|---|---|---|
| lefthook | npm | registry | 6/10 | OSV-2024-1234 (medium) |
| typescript | npm | registry | 9/10 | clean |
| @airbnb/mcp-server | npm | registry | 7/10 | per-update drift detected |
Source verification: registry-only, no Git/private deps detected.
Permissions analysis:
- Requested tools: Bash, Read, Write, Edit, WebFetch, Task
- Minimum necessary: Read, Bash
- Over-permissioned: Write, Edit, WebFetch, Task
Supply chain risk summary: One medium-severity CVE on a build-tool dependency. Recommend bumping lefthook to 1.5.0+.
Recommendations
- Immediate: Rotate the sk-prod-... API key and remove it from agents/data-analyst.md. Replace it with an environment-variable reference.
- Immediate: Rewrite agents/web-helper.md to drop one of [Bash, Read, WebFetch] OR add a hook policy that blocks the trifecta.
- High: Update the MCP server description in .mcp.json (line 12) and run /security mcp-baseline-reset after the legitimate update.
- High: Replace Bash(*) with an explicit allowlist in .claude/settings.json.
- Medium: Bump lefthook to 1.5.0+ to clear OSV-2024-1234.
Run /security clean . to auto-fix deterministic issues. Re-scan after fixes to confirm BLOCK → WARNING → ALLOW progression.
Scan complete. 21 findings across 7 files, 12.4 seconds.