From reco
Deep-dive security investigation for a specific SaaS application
Slash command
/reco:investigate-app Application name (e.g. "Slack", "GitHub", "Salesforce")
# Investigate App: $ARGUMENTS
Perform a comprehensive security investigation of the application "$ARGUMENTS".
## Steps

1. **App overview**: Call `list_apps` with filter `name eq "$ARGUMENTS"` to get the risk score, category, and risk factors. If no exact match, try `name co "$ARGUMENTS"`.
2. **Open posture issues**: Call `list_posture_issues` with filter `application eq "$ARGUMENTS" and (checkStatus eq "ALERT_STATUS_NEW" or checkStatus eq "ALERT_STATUS_TO_REVIEW")` to find failing security checks.
3. **Active alerts**: Call `list_threat_alerts` with filter `application eq "$ARGUMENTS"` for any active threat detections.
4. **User access**: Call `list_accounts` with filter `application eq "$ARGUMENTS"` and `limit eq 20` to see who has access. Note total count.
5. **App-to-app OAuth grants**: Call `list_saas_to_saas` with filter `targetApplication eq "$ARGUMENTS"` to see which other apps have OAuth access into this one.
6. **Recent activity**: Call `list_events` with filter `application eq "$ARGUMENTS"` and `limit eq 20` for recent events. Flag any with `outcome_string eq "failure"`.
Produce a structured security brief:
npx claudepluginhub recolabs/reco-mcp-plugins --plugin reco