Add /ultraresearch-local for structured research combining local codebase analysis with external knowledge via parallel agent swarms. Produces research briefs with triangulation, confidence ratings, and source quality assessment. New command: /ultraresearch-local with modes --quick, --local, --external, --fg. New agents: research-orchestrator (opus), docs-researcher, community-researcher, security-researcher, contrarian-researcher, gemini-bridge (all sonnet). New template: research-brief-template.md. Integration: --research flag in /ultraplan-local accepts pre-built research briefs (up to 3), enriches the interview and exploration phases. Planning orchestrator cross-references brief findings during synthesis. Design principle: Context Engineering — right information to right agent at right time. Research briefs are structured artifacts in the pipeline: ultraresearch → brief → ultraplan --research → plan → ultraexecute. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
237 lines
7.9 KiB
Markdown
237 lines
7.9 KiB
Markdown
# Plugin Security Audit Report
|
|
|
|
<!--
|
|
TEMPLATE USAGE
|
|
This is the output template for `/security plugin-audit`.
|
|
The command inventories the plugin, spawns skill-scanner-agent for content analysis,
|
|
and compiles findings into this format. Fill every section with real data.
|
|
Do NOT output placeholder text. If a section has no findings, write "None identified."
|
|
-->
|
|
|
|
---
|
|
|
|
## Header
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| **Plugin** | [plugin name from manifest] |
|
|
| **Version** | [version from manifest, or "not specified"] |
|
|
| **Author** | [author from manifest, or "not specified"] |
|
|
| **Path** | [absolute or relative path to plugin root] |
|
|
| **Audit date** | [ISO 8601 — e.g. 2026-02-19] |
|
|
| **Auditor** | llm-security v[X.X] — plugin-audit |
|
|
|
|
---
|
|
|
|
## Plugin Metadata
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| **Description** | [description from manifest] |
|
|
| **Auto-discover** | [true / false] |
|
|
| **Commands** | [count] |
|
|
| **Agents** | [count] |
|
|
| **Hook events** | [count of registered events] |
|
|
| **Skills** | [count] |
|
|
| **Knowledge files** | [count] ([total lines] lines) |
|
|
| **Templates** | [count] |
|
|
| **Total files** | [count of all files in plugin directory] |
|
|
|
|
---
|
|
|
|
## Component Inventory
|
|
|
|
### Commands
|
|
|
|
| Name | Allowed Tools | Model | Flags |
|
|
|------|---------------|-------|-------|
|
|
| `[command name]` | [Read, Write, Bash, ...] | [sonnet/opus] | [Bash / Bash+Write / Task / none] |
|
|
|
|
### Agents
|
|
|
|
| Name | Tools | Model | Flags |
|
|
|------|-------|-------|-------|
|
|
| `[agent name]` | [Read, Glob, Grep, ...] | [sonnet/opus] | [Bash / Bash+Write / Task / none] |
|
|
|
|
### Hooks
|
|
|
|
| Event | Matcher | Script | Behavior | Flags |
|
|
|-------|---------|--------|----------|-------|
|
|
| [PreToolUse] | [Edit\|Write] | [scripts/pre-edit-secrets.mjs] | [block / warn / advisory] | [state-modify / network / env-access / none] |
|
|
|
|
### Skills
|
|
|
|
| Name | Reference files |
|
|
|------|----------------|
|
|
| `[skill name]` | [count] |
|
|
|
|
> If no components exist for a type, write "None" and omit the table.
|
|
|
|
---
|
|
|
|
## Permission Matrix
|
|
|
|
Aggregated tool access across all commands and agents:
|
|
|
|
| Tool | Granted to | Risk level | Justification needed |
|
|
|------|-----------|------------|---------------------|
|
|
| **Bash** | [list of commands/agents] | High | Yes — can execute arbitrary commands |
|
|
| **Write** | [list] | Medium | If combined with Bash |
|
|
| **Task** | [list] | Medium | Can spawn sub-agents with own permissions |
|
|
| **Edit** | [list] | Low | Modifies existing files only |
|
|
| **Read** | [list] | Low | Read-only access |
|
|
| **Glob** | [list] | Low | File discovery only |
|
|
| **Grep** | [list] | Low | Content search only |
|
|
|
|
**Permission flags:**
|
|
|
|
| Flag | Components | Assessment |
|
|
|------|-----------|------------|
|
|
| Bash access | [list] | [Justified: hook enforcement / Unjustified: no clear need] |
|
|
| Bash + Write | [list] | [Justified / Unjustified] |
|
|
| Task spawning | [list] | [Justified: multi-agent audit / Unjustified] |
|
|
| Opus for simple tasks | [list or "none"] | [Appropriate / Over-specified] |
|
|
|
|
> If all permissions are justified, write: "All tool grants are consistent with declared component purposes."
|
|
|
|
---
|
|
|
|
## Hook Safety Analysis
|
|
|
|
**Events intercepted:** [comma-separated list — e.g. PreToolUse, PostToolUse, Stop]
|
|
|
|
| Category | Count | Assessment |
|
|
|----------|-------|------------|
|
|
| Block hooks (reject operations) | [n] | [Expected for security plugins] |
|
|
| Warn hooks (advisory only) | [n] | [Low risk — informational] |
|
|
| State-modifying hooks | [n] | [Requires review — hooks should be read-only or block-only] |
|
|
| Network-calling hooks | [n] | [High concern — hooks should not phone home] |
|
|
| SessionStart hooks | [n] | [Runs every session — verify purpose] |
|
|
|
|
**Script analysis summary:**
|
|
- [script-name.mjs]: [1-line description of what it does and risk assessment]
|
|
|
|
> If no hooks are registered, write: "No hooks registered. The plugin does not intercept any operations."
|
|
|
|
---
|
|
|
|
## Security Findings
|
|
|
|
Findings from skill-scanner-agent, sorted Critical → High → Medium → Low → Info.
|
|
Each finding ID is formatted `SCN-[NNN]`.
|
|
|
|
### Critical
|
|
|
|
> No Critical findings — omit this section if empty.
|
|
|
|
| ID | Category | File | Line | Description | OWASP Ref |
|
|
|----|----------|------|------|-------------|-----------|
|
|
| SCN-001 | [Category] | [path] | [Ln] | [Description] | [LLM0X / ASI0X] |
|
|
|
|
### High
|
|
|
|
> No High findings — omit this section if empty.
|
|
|
|
| ID | Category | File | Line | Description | OWASP Ref |
|
|
|----|----------|------|------|-------------|-----------|
|
|
|
|
### Medium
|
|
|
|
> No Medium findings — omit this section if empty.
|
|
|
|
| ID | Category | File | Line | Description | OWASP Ref |
|
|
|----|----------|------|------|-------------|-----------|
|
|
|
|
### Low / Info
|
|
|
|
| ID | Category | File | Description |
|
|
|----|----------|------|-------------|
|
|
|
|
> Follow same detail block format as scan-report.md for findings that need elaboration.
|
|
|
|
---
|
|
|
|
## Trust Verdict
|
|
|
|
**Verdict: [Install / Review / Do Not Install]**
|
|
|
|
| Criterion | Status |
|
|
|-----------|--------|
|
|
| Zero Critical findings | [PASS / FAIL] |
|
|
| Zero High findings | [PASS / FAIL — if FAIL, Review] |
|
|
| All hooks transparent (block/warn only) | [PASS / FAIL] |
|
|
| No state-modifying hooks | [PASS / FAIL] |
|
|
| No network-calling hooks | [PASS / FAIL] |
|
|
| Permissions justified | [PASS / FAIL] |
|
|
| No exfiltration patterns | [PASS / FAIL] |
|
|
| No persistence mechanisms | [PASS / FAIL] |
|
|
| No hidden instructions | [PASS / FAIL] |
|
|
|
|
**Verdict rationale:** [2-3 sentences explaining the verdict based on the criteria above.]
|
|
|
|
**Recommendations:**
|
|
- [If Install: "Safe to add to enabledPlugins." + any minor suggestions]
|
|
- [If Review: List specific items to investigate before installing]
|
|
- [If Do Not Install: List critical concerns and what would need to change]
|
|
|
|
---
|
|
|
|
## Footer
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| llm-security version | [e.g. 0.1.0] |
|
|
| Assessment engine | skill-scanner-agent (7 threat categories) |
|
|
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
|
|
| Components analyzed | [total count of files scanned] |
|
|
| Report generated | [ISO 8601 timestamp] |
|
|
|
|
---
|
|
|
|
<!--
|
|
VERDICT DECISION LOGIC (for the command filling in this template)
|
|
|
|
INSTALL — all of:
|
|
- Zero Critical findings
|
|
- Zero High findings
|
|
- All hooks are transparent (block or warn behavior, no state modification)
|
|
- All permissions are justified for declared purposes
|
|
- No evidence of exfiltration, persistence, toolchain manipulation, or hidden instructions
|
|
|
|
REVIEW — any of:
|
|
- One or more High findings
|
|
- Hooks that modify state (write files, set env vars)
|
|
- Excessive tool grants without clear justification (e.g. Bash on a read-only agent)
|
|
- Unclear or missing author/version metadata
|
|
- SessionStart hooks with non-trivial logic
|
|
|
|
DO NOT INSTALL — any of:
|
|
- One or more Critical findings
|
|
- Evidence of data exfiltration (network calls with user data)
|
|
- Persistence mechanisms (writes to ~/.claude/, modifies settings)
|
|
- Hidden instructions (encoded directives, steganographic content)
|
|
- Toolchain manipulation (modifies other plugins, hooks, or settings)
|
|
- Tool poisoning via agent/command descriptions
|
|
|
|
PERMISSION RISK SCORING (informational, not used for verdict)
|
|
Bash access: +3 per component
|
|
Write + Bash combo: +5 per component
|
|
Task spawning: +2 per component
|
|
Opus model: +1 per component (cost concern, not security)
|
|
Read/Glob/Grep: +0
|
|
|
|
Score 0-5: Low risk
|
|
Score 6-15: Medium risk
|
|
Score 16+: High risk (review all grants)
|
|
|
|
FINDING CATEGORIES (same as scan-report.md)
|
|
- Secrets, Injection, Permissions, Supply Chain, MCP Trust,
|
|
Destructive, Output Handling, Other
|
|
|
|
SEVERITY CLASSIFICATION
|
|
Critical — Active threat: hidden LLM directives, exfiltration, credential harvesting,
|
|
persistence, toolchain manipulation
|
|
High — Significant risk: path traversal, unjustified Bash+Write, known vuln patterns
|
|
Medium — Meaningful risk: excessive permissions, missing validation, unclear purpose
|
|
Low — Informational: unlocked versions, missing docs, minor best-practice gaps
|
|
-->
|