Add /ultraresearch-local for structured research combining local codebase analysis with external knowledge via parallel agent swarms. Produces research briefs with triangulation, confidence ratings, and source quality assessment. New command: /ultraresearch-local with modes --quick, --local, --external, --fg. New agents: research-orchestrator (opus), docs-researcher, community-researcher, security-researcher, contrarian-researcher, gemini-bridge (all sonnet). New template: research-brief-template.md. Integration: --research flag in /ultraplan-local accepts pre-built research briefs (up to 3), enriches the interview and exploration phases. Planning orchestrator cross-references brief findings during synthesis. Design principle: Context Engineering — right information to right agent at right time. Research briefs are structured artifacts in the pipeline: ultraresearch → brief → ultraplan --research → plan → ultraexecute. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
180 lines
5.9 KiB
Markdown
180 lines
5.9 KiB
Markdown
# Deep Scan Report — {{TARGET}}
|
|
|
|
**Date:** {{TIMESTAMP}}
|
|
**Node.js:** {{NODE_VERSION}}
|
|
**Duration:** {{TOTAL_DURATION_MS}}ms
|
|
|
|
---
|
|
|
|
## Verdict: {{VERDICT}}
|
|
|
|
**Risk Score:** {{RISK_SCORE}}/100
|
|
**Total Findings:** {{TOTAL_FINDINGS}} ({{CRITICAL}}C {{HIGH}}H {{MEDIUM}}M {{LOW}}L {{INFO}}I)
|
|
**Scanners:** {{SCANNERS_OK}} ok, {{SCANNERS_ERROR}} error, {{SCANNERS_SKIPPED}} skipped
|
|
|
|
### Verdict Logic
|
|
|
|
| Condition | Threshold | Result |
|
|
|-----------|-----------|--------|
|
|
| Any CRITICAL or >=3 HIGH | Hard block | **BLOCK** |
|
|
| Any HIGH or >=5 MEDIUM | Review required | **WARNING** |
|
|
| Otherwise | Clean | **ALLOW** |
|
|
|
|
---
|
|
|
|
## Executive Summary
|
|
|
|
<!-- Synthesizer agent: Write 3-5 sentences summarizing the key security posture.
|
|
Focus on: what types of issues dominate, which scanners found the most,
|
|
whether findings suggest intentional malice vs. poor hygiene. -->
|
|
|
|
{{EXECUTIVE_SUMMARY}}
|
|
|
|
---
|
|
|
|
## Scanner Results
|
|
|
|
### 1. Unicode Analysis (UNI)
|
|
|
|
**Status:** {{UNI_STATUS}} | **Files:** {{UNI_FILES}} | **Findings:** {{UNI_FINDINGS}} | **Time:** {{UNI_DURATION}}ms
|
|
|
|
Detects hidden Unicode characters used for prompt injection and code obfuscation:
|
|
zero-width chars, Unicode Tag steganography, BIDI overrides (Trojan Source), homoglyphs.
|
|
|
|
<!-- List UNI findings here, grouped by severity -->
|
|
|
|
{{UNI_DETAILS}}
|
|
|
|
### 2. Entropy Analysis (ENT)
|
|
|
|
**Status:** {{ENT_STATUS}} | **Files:** {{ENT_FILES}} | **Findings:** {{ENT_FINDINGS}} | **Time:** {{ENT_DURATION}}ms
|
|
|
|
Detects encoded payloads via Shannon entropy: base64 blobs, hex-encoded data,
|
|
encrypted content, hardcoded secrets with high randomness.
|
|
|
|
<!-- List ENT findings here. Note: high false-positive rate on knowledge files is expected. -->
|
|
|
|
{{ENT_DETAILS}}
|
|
|
|
### 3. Permission Mapping (PRM)
|
|
|
|
**Status:** {{PRM_STATUS}} | **Files:** {{PRM_FILES}} | **Findings:** {{PRM_FINDINGS}} | **Time:** {{PRM_DURATION}}ms
|
|
|
|
Claude Code plugin analysis: purpose-vs-tools mismatches, dangerous tool combinations,
|
|
ghost hooks, haiku on sensitive agents, overprivileged components.
|
|
|
|
<!-- List PRM findings here -->
|
|
|
|
{{PRM_DETAILS}}
|
|
|
|
### 4. Dependency Audit (DEP)
|
|
|
|
**Status:** {{DEP_STATUS}} | **Files:** {{DEP_FILES}} | **Findings:** {{DEP_FINDINGS}} | **Time:** {{DEP_DURATION}}ms
|
|
|
|
CVE detection (npm/pip audit), typosquatting (Levenshtein vs top packages),
|
|
malicious install scripts, unpinned versions.
|
|
|
|
<!-- List DEP findings here, or note "skipped" if no package manager files -->
|
|
|
|
{{DEP_DETAILS}}
|
|
|
|
### 5. Taint Tracing (TNT)
|
|
|
|
**Status:** {{TNT_STATUS}} | **Files:** {{TNT_FILES}} | **Findings:** {{TNT_FINDINGS}} | **Time:** {{TNT_DURATION}}ms
|
|
|
|
Data flow analysis from untrusted sources (env vars, request bodies, tool input)
|
|
to dangerous sinks (eval, exec, fetch, writeFile). Regex-based, ~70% recall.
|
|
|
|
<!-- List TNT findings here -->
|
|
|
|
{{TNT_DETAILS}}
|
|
|
|
### 6. Git Forensics (GIT)
|
|
|
|
**Status:** {{GIT_STATUS}} | **Files:** {{GIT_FILES}} | **Findings:** {{GIT_FINDINGS}} | **Time:** {{GIT_DURATION}}ms
|
|
|
|
Supply chain rug pull signals: force pushes, description drift, hook modifications,
|
|
new outbound URLs, author changes, binary additions, suspicious commit patterns.
|
|
|
|
<!-- List GIT findings here, or note "skipped" if not a git repo -->
|
|
|
|
{{GIT_DETAILS}}
|
|
|
|
### 7. Network Mapping (NET)
|
|
|
|
**Status:** {{NET_STATUS}} | **Files:** {{NET_FILES}} | **Findings:** {{NET_FINDINGS}} | **Time:** {{NET_DURATION}}ms
|
|
|
|
Outbound URL discovery and classification: trusted (allow-listed), suspicious
|
|
(exfiltration endpoints, tunneling services), IP-based, unknown domains.
|
|
|
|
<!-- List NET findings here -->
|
|
|
|
{{NET_DETAILS}}
|
|
|
|
---
|
|
|
|
## Risk Matrix
|
|
|
|
| Scanner | CRITICAL | HIGH | MEDIUM | LOW | INFO |
|
|
|---------|----------|------|--------|-----|------|
|
|
| Unicode (UNI) | {{UNI_C}} | {{UNI_H}} | {{UNI_M}} | {{UNI_L}} | {{UNI_I}} |
|
|
| Entropy (ENT) | {{ENT_C}} | {{ENT_H}} | {{ENT_M}} | {{ENT_L}} | {{ENT_I}} |
|
|
| Permission (PRM) | {{PRM_C}} | {{PRM_H}} | {{PRM_M}} | {{PRM_L}} | {{PRM_I}} |
|
|
| Dependency (DEP) | {{DEP_C}} | {{DEP_H}} | {{DEP_M}} | {{DEP_L}} | {{DEP_I}} |
|
|
| Taint (TNT) | {{TNT_C}} | {{TNT_H}} | {{TNT_M}} | {{TNT_L}} | {{TNT_I}} |
|
|
| Git (GIT) | {{GIT_C}} | {{GIT_H}} | {{GIT_M}} | {{GIT_L}} | {{GIT_I}} |
|
|
| Network (NET) | {{NET_C}} | {{NET_H}} | {{NET_M}} | {{NET_L}} | {{NET_I}} |
|
|
| **TOTAL** | **{{CRITICAL}}** | **{{HIGH}}** | **{{MEDIUM}}** | **{{LOW}}** | **{{INFO}}** |
|
|
|
|
---
|
|
|
|
## OWASP Coverage
|
|
|
|
| OWASP Category | Findings | Scanners |
|
|
|----------------|----------|----------|
|
|
| LLM01 — Prompt Injection | {{LLM01_COUNT}} | UNI, ENT, TNT |
|
|
| LLM02 — Sensitive Info Disclosure | {{LLM02_COUNT}} | TNT, NET |
|
|
| LLM03 — Supply Chain | {{LLM03_COUNT}} | ENT, DEP, GIT, NET |
|
|
| LLM06 — Excessive Agency | {{LLM06_COUNT}} | PRM |
|
|
|
|
---
|
|
|
|
## Recommendations
|
|
|
|
<!-- Synthesizer agent: Prioritized action items based on findings.
|
|
Group by urgency: Immediate (CRITICAL/HIGH), Short-term (MEDIUM), Improve (LOW/INFO).
|
|
Be specific — reference finding IDs and files. -->
|
|
|
|
### Immediate (CRITICAL + HIGH)
|
|
|
|
{{IMMEDIATE_ACTIONS}}
|
|
|
|
### Short-term (MEDIUM)
|
|
|
|
{{SHORTTERM_ACTIONS}}
|
|
|
|
### Improvements (LOW + INFO)
|
|
|
|
{{IMPROVEMENT_ACTIONS}}
|
|
|
|
---
|
|
|
|
## Methodology
|
|
|
|
This report was generated by 7 deterministic Node.js scanners (zero external dependencies).
|
|
Scanner results are factual and reproducible. The Executive Summary and Recommendations
|
|
sections are synthesized by an LLM agent interpreting the raw findings.
|
|
|
|
| Scanner | Algorithm | Limitations |
|
|
|---------|-----------|-------------|
|
|
| Unicode | Codepoint iteration, Tag decoding | None — deterministic |
|
|
| Entropy | Shannon H per string literal | FP on knowledge files, data URIs |
|
|
| Permission | Frontmatter parsing, cross-reference | Claude Code plugins only |
|
|
| Dependency | npm/pip audit, Levenshtein | Requires package manager CLI |
|
|
| Taint | Regex variable tracking, 3-pass | ~70% recall, no AST, no cross-file |
|
|
| Git | History analysis, reflog, diff | Max 500 commits, 15s timeout |
|
|
| Network | URL extraction, DNS resolution | Max 50 DNS lookups, 3s timeout |
|
|
|
|
---
|
|
|
|
*Generated by llm-security deep-scan v1.2.0*
|