64 lines
3.1 KiB
Markdown
64 lines
3.1 KiB
Markdown
---
|
|
name: security:plugin-audit
|
|
description: Audit a Claude Code plugin for security risks, permission analysis, and trust assessment before installation
|
|
allowed-tools: Read, Glob, Grep, Bash, Agent
|
|
model: sonnet
|
|
---
|
|
|
|
# /security plugin-audit [path|url]
|
|
|
|
Audit a Claude Code plugin for security before installation. Accepts local paths or GitHub URLs.
|
|
|
|
## Step 1: Resolve Target
|
|
|
|
- If `$ARGUMENTS` contains `--branch <name>` → strip it, set `branch = <name>`
|
|
- If `$ARGUMENTS` starts with `https://github.com/` or `git@github.com:` →
|
|
Run: `node <plugin-root>/scanners/lib/git-clone.mjs clone "<url>" [--branch <branch>]`
|
|
If exit code != 0 → show error to user and **STOP**
|
|
Set `clone_path` = stdout (trimmed), `target = clone_path`
|
|
Set `remote_url = <url>` for display
|
|
- Else if `$ARGUMENTS` is non-empty → `target = $ARGUMENTS`, `clone_path = null`
|
|
- Else → `target = "."`, `clone_path = null`
|
|
- Verify `.claude-plugin/plugin.json` exists at `<target>`. If not and `clone_path != null` → cleanup clone_path first, then tell user this is not a plugin directory and **STOP**. If not and local → tell user and **STOP**.
|
|
|
|
## Step 1.5: Pre-extraction (remote audits only)
|
|
|
|
If `clone_path != null`:
|
|
Get temp path: `node <plugin-root>/scanners/lib/fs-utils.mjs tmppath "plugin-extract.json"`
|
|
Run: `node <plugin-root>/scanners/content-extractor.mjs "<target>" --output-file "<evidence_file>"`
|
|
If exit code != 0 → set `evidence_file = null` (fall back to direct scan)
|
|
|
|
## Step 2: Inventory
|
|
|
|
Read plugin.json (name, version, auto_discover). Glob for commands, agents, hooks, skills, knowledge. Build permission matrix from all `allowed-tools` and `tools` declarations. Flag: Bash access, Bash+Write combo, Task (sub-agent spawning), opus for trivial tasks.
|
|
|
|
## Step 3: Analyze Hooks
|
|
|
|
If `hooks/hooks.json` exists: parse events, read scripts, classify (block/warn/modify). Flag: state modification, network calls, non-CLAUDE env vars, SessionStart hooks.
|
|
|
|
## Step 4: Scan Content
|
|
|
|
Spawn `subagent_type: "llm-security:skill-scanner-agent"`, `model: "sonnet"`:
|
|
|
|
If `evidence_file` is set:
|
|
> EVIDENCE-PACKAGE MODE. Read: \<evidence_file\>
|
|
> Read: \<plugin-root\>/knowledge/skill-threat-patterns.md
|
|
> Analyze all sections. DO NOT use Read/Glob/Grep on the target directory.
|
|
> Check all 7 threat categories. Return findings: file, severity, OWASP ref.
|
|
|
|
Otherwise:
|
|
> Scan plugin at \<path\>: commands/*.md, agents/*.md, hooks/scripts/*, skills/*/SKILL.md, knowledge/**/*.md.
|
|
> Read: \<plugin-root\>/knowledge/skill-threat-patterns.md
|
|
> Check all 7 threat categories. Return findings: file, severity, OWASP ref.
|
|
|
|
## Step 5: Report
|
|
|
|
Output: Plugin metadata, component inventory, permission matrix, hook analysis, security findings, trust verdict.
|
|
|
|
Verdict: **Install** (0 critical/high, transparent hooks) | **Review** (high findings or unclear permissions) | **Do Not Install** (critical, exfiltration, persistence, or hidden instructions).
|
|
|
|
## Step 6: Cleanup (only if remote)
|
|
|
|
If `clone_path != null`:
|
|
Run: `node <plugin-root>/scanners/lib/git-clone.mjs cleanup "<clone_path>"`
|
|
If cleanup fails → warn: "Could not remove temp dir <clone_path> — remove manually."
|