Kjell Tore Guttormsen
92fb0087fa
Single-component lethal-trifecta walkthrough that drives scanners/toxic-flow-analyzer.mjs against a deliberately misconfigured fixture plugin. The fixture agent declares tools: [Bash, Read, WebFetch], which alone covers all three trifecta legs (input surface + data access + exfil sink). No hooks/hooks.json is shipped, so TFA's mitigation logic finds no active guards and emits a CRITICAL "Lethal trifecta:" finding without downgrade. Plugin marker is plugin.fixture.json (recognised by isPlugin()) rather than .claude-plugin/plugin.json — the latter is blocked by the plugin's own pre-write-pathguard hook, and plugin.fixture.json exists in isPlugin() specifically so example fixtures can self-mark without touching guarded paths. Three independent assertions (3/3 must pass): direct trifecta present and CRITICAL; finding mentions the exfil-helper component; description confirms "no hook guards detected" (proves the mitigation path stayed inactive). expected-findings.md documents the contract. OWASP / framework mapping: ASI01, ASI02, ASI05, LLM01, LLM02, LLM06. Docs updated: plugin README "Other runnable examples", plugin CLAUDE.md "Examples" tabellen, CHANGELOG [Unreleased] Added. [skip-docs] is appropriate because examples don't change what the plugin "synes å dekke utad" — marketplace root README is unaffected. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
6 lines
431 B
JSON
6 lines
431 B
JSON
{
|
|
"_comment": "Sentinel file. toxic-flow-analyzer.isPlugin() recognises plugin.fixture.json as a plugin marker so example fixtures don't have to ship a real .claude-plugin/plugin.json (which is path-guarded by pre-write-pathguard.mjs).",
|
|
"name": "toxic-demo",
|
|
"version": "0.0.0",
|
|
"description": "Deliberately misconfigured plugin used by examples/toxic-agent-demo to drive the toxic-flow analyzer. Not for installation."
|
|
}
|