open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/llm-security/V3-ANNOUNCEMENT.md

6.7 KiB
Raw Blame History

LLM Security Plugin v3.0.0 — Release Notes

Security scanning, auditing, and threat modeling for Claude Code.

What's New in v3

Eight development sessions (v2.5 -> v3.0) adding six major capabilities:

Capability What It Does
Toxic flow analysis Detects lethal trifecta patterns — when combinations of individually safe tools create exfiltration chains (untrusted input + sensitive data access + exfiltration sink)
Runtime session guard Monitors tool call sequences in real time for trifecta forming during a session. Sliding window of 20 calls, advisory warning
MCP live inspection Connects to running MCP servers via JSON-RPC 2.0, fetches live tool descriptions, scans for injection and tool shadowing
Report diffing Compares scans against stored baselines. Shows new, resolved, unchanged, and moved findings with fuzzy line matching
Continuous scanning Recurring scans via /security watch (in-session) or watch-cron.mjs (system cron). Reports delta only
Skill signature registry SHA-256 fingerprinting of scanned skills. Instant results for known fingerprints, 7-day cache

Plus: 4 OWASP framework coverage (LLM Top 10, Agentic AI, Skills, MCP), MEDIUM-severity injection patterns, architecture diagram.

By the Numbers

v1.0 v2.0 v3.0
Commands 8 10 14
Hooks 4 5 8
Scanners 0 7 10 (8 orchestrated + 2 standalone)
Agents 4 4 6
Knowledge files 6 6 9
Tests 0 177 544
OWASP frameworks 2 2 4
Lines of code ~3,000 ~8,000 ~25,400

Competitive Landscape

Feature Comparison

Feature llm-security v3 Snyk Agent Scan Lasso Claude Hooks
Type Plugin (hooks + scanners + agents) CLI scanner Runtime hook
Runtime blocking 5 blocking hooks No Warn-only
Runtime monitoring 3 advisory hooks No 1 advisory hook (96 patterns)
Deterministic scanners 10 (8 orchestrated + 2 standalone) Hybrid (local + cloud API) None
LLM agents 6 purpose-built Cloud-side analysis None
MCP scanning Static + live (JSON-RPC 2.0) Live connection Output monitoring only
Skills scanning 7 threat categories Yes (--skills flag) No
Toxic flow analysis Yes (TFA scanner + session guard) Yes No
Supply chain 7 package managers + OSV.dev + typosquat Partial (URL detection) No
Prompt injection 44 patterns + obfuscation decode Semantic (cloud) 96 regex patterns
Secret detection 13 patterns (blocking) Yes (hardcoded only) No
Path guarding 8 categories (blocking) No No
Destructive command blocking 8 block + 6 warn rules No No
Report diffing Yes (baselines, fuzzy match) No No
Continuous scanning Yes (watch + cron) Enterprise only (Snyk Evo) Always-on (hooks)
Skill registry Yes (fingerprint cache) No No
Remediation Auto/semi-auto/manual pipeline No No
Threat modeling STRIDE x MAESTRO interview No No
Audit & posture Full audit (A-F) + posture scorecard No No
Pre-deploy checklist 10 auto + 3 manual checks No No
OWASP mapping 4 frameworks (LLM, ASI, AST, MCP) Not explicit Not explicit
Agent auto-discovery No (Claude Code focus) 12 agents, 3 OS No
Cloud dependency None (100% local) Snyk API required None
API key required No Yes (Snyk token) No
Cost Free (MIT) Snyk account Free (MIT)
Tests 544 Not published Not published

Key Differentiators

  1. Full lifecycle coverage. The only tool offering hooks (runtime) + scanners (static) + agents (advisory) + remediation + threat modeling in a single package. Snyk scans but doesn't block. Lasso blocks but doesn't scan.

  2. 100% local, zero cloud dependency. All analysis runs on the user's machine. No API keys, no telemetry, no data leaves the environment. Snyk requires a cloud API for semantic analysis.

  3. Pre-extraction defense. When scanning untrusted remote repos, structured evidence is extracted and injection patterns stripped BEFORE LLM agents see the content. No other tool does this.

  4. Supply chain depth. Covers 7 package managers (npm/yarn/pnpm, pip/pip3/uv, brew, docker, go, cargo, gem) with OSV.dev CVE checks, Levenshtein typosquatting, age-gating (<72h packages), and npm audit integration. Snyk has URL detection. Lasso has none.

  5. Remediation pipeline. Three-tier approach: deterministic auto-fix, LLM-generated proposals with user confirmation, and manual findings in report. Neither Snyk nor Lasso offer remediation.

  6. Cross-scanner correlation. Toxic flow analyzer consumes output from all prior scanners to detect lethal trifecta patterns that no single scanner would flag. Runtime session guard does the same in real time.

Complementary Usage

These tools are not mutually exclusive:

  • llm-security + Lasso: Both hook systems run sequentially. Lasso adds 96 PostToolUse patterns focused on indirect injection; llm-security adds pre-tool blocking and broader coverage. No conflicts.
  • llm-security + Snyk: Snyk's cloud-side semantic analysis and 12-agent auto-discovery complement the local deterministic scanning. Use both for maximum coverage.
  • llm-security + parry-guard: ML-based injection classification (DeBERTa/Llama Guard) catches novel phrasings that regex patterns miss. Different layers, no overlap.

Demo Scenario

Scanning an untrusted plugin before installation

# 1. Quick scan — is this safe to install?
/security scan https://github.com/example/cool-plugin --deep

# Result: BLOCK 72/100
# - 3 CRITICAL: prompt injection in skill instructions
# - 2 HIGH: typosquatting packages (lodsh, axois)
# - 1 HIGH: toxic flow — Read(~/.ssh) -> Bash(curl)
# - 4 MEDIUM: undisclosed outbound URLs

# 2. Want to see what changed since last scan?
/security diff path/to/project

# Result: 2 NEW findings, 1 RESOLVED, 12 UNCHANGED

# 3. Set up continuous monitoring
/security watch path/to/project --interval 6h

# Reports delta every 6 hours via /loop

Installation

git clone https://git.fromaitochitta.com/open/claude-code-llm-security.git \
  ~/.claude/plugins/claude-code-llm-security

Hooks activate immediately. No configuration required.

Links