Automate application security testing (SAST, SCA, secrets detection) and automatically fix findings across your codebase. Integrates with CI/CD pipelines, generates compliance attestations, and provides threat modeling, SCA triage, and business-logic vulnerability analysis. Guards against writing insecure code patterns and supports multi-platform CI (GitHub Actions, GitLab, CircleCI, Jenkins, Vercel).
CI/deploy security gates — CI workflow, pre-deploy gate, git hooks. Default generates a CI workflow.
Compliance + auditor flows. Framework attestation, walkthrough, buyer-facing badge, stack audits, PR augmentation.
Full /scan --all then /fix --all --low in one command. The vibecoder "just make it safe" path.
Remediate findings: --one <id>, --all by severity, --pr bundles a PR, --sca upgrades vulnerable deps.
Experimental + AI-driven. Self-audit, model rescan, rule synth, cross-repo, risk/time quantification.
Subagents that hold `Edit` MUST follow the same write-confinement contract
Safely apply dead-code cleanup batches identified by /trim-dead-code. Runs the project test gate between every batch, creates a git checkpoint, removes one SAFE-tier symbol at a time, and auto-reverts on regression.
Per-component CLEAN/SUSPICIOUS/MALICIOUS verdict for third-party dependencies. Use after /security-sca surfaces packages and you need to decide whether a vulnerability is malware vs. ordinary CVE.
Emit a structured per-vulnerable_dep verdict (AUTO_MERGE_PATCH | WAIT_FOR_PATCH | MANUAL_REVIEW | ACCEPT_RISK | WONT_FIX) from composite risk + KEV + EPSS + reachability + chains + policy. Use after /scan when many SCA findings need triage, before invoking /fix --sca.
Combine individual security findings into multi-step attack chains (e.g., IDOR + missing auth = account takeover). Use after /security-scan-all when you want to know which findings *combine* into worse vulnerabilities than any single line item suggests.
Walk through the six-step recipe for adding a new SAST detector — pick the module, export scan*(), wire, fixture, test.
Privacy review before handling user data. Activate on PII/PHI/PCI shapes (email, SSN, CC, MRN). Writes DATA_FLOW.md.
Refuse runtime code-eval on user input. Activate before writing eval(), Function(), or string→exec patterns.
Explain a CVE / GHSA / finding in plain English. Activate on CVE-id, GHSA-, or "what is this vuln" questions.
Apply a remediation patch via the deterministic MCP toolchain. Activate when user asks to fix a scanner finding.
Admin access level: Server config contains admin-level keywords
Executes bash commands: Hook triggers when Bash tool is used
Modifies files: Hook triggers on file write and edit operations
Uses power tools: Uses Bash, Write, or Edit tools
Built by Clear Capabilities.
─────────────────────────────────────────────────────────────────
❌ Not safe to deploy · api-billing
─────────────────────────────────────────────────────────────────
3 critical · 8 high · 22 medium · 41 advisory
🔥 2 actively exploited in the wild (CISA KEV)
✓ 1 CONFIRMED (PoC built by /triage --validate)
[critical] SQL Injection api/users.ts:42
Could leak PII for ~5,000 users.
Estimated cost if exploited: $125k–$1.3M
Fix: use parameterized query — db.query('SELECT * FROM users WHERE id = ?', [id])
[critical] Hardcoded Stripe live key src/lib/billing.ts:7
Could enable fraudulent charges against your account.
Estimated cost if exploited: $50k–$500k (chargebacks + Stripe fees)
Fix: rotate via /agentic-security:fix --rotate-secret --auto, then move to env var
[critical] Missing webhook signature api/stripe-webhook.ts:12
Anyone can POST a fake "payment.succeeded" and unlock paid features.
Estimated cost if exploited: cost of a free subscription × every attacker
Fix: stripe.webhooks.constructEvent(rawBody, signature, endpointSecret)
How many do you want to fix?
1. Critical only (3 fixes)
2. Critical + High (11 fixes)
3. Critical + High + Medium (33 fixes)
─────────────────────────────────────────────────────────────────
No CVE jargon. The stakes, the cost, the fix.
In Claude Code (recommended) — two steps:
/plugin marketplace add https://github.com/Clear-Capabilities/agentic-security
/plugin install agentic-security@clearcapabilities
The first command registers the marketplace as a source; the second actually installs the plugin. Then restart Claude Code (or /reload-plugins). To update later: /plugin marketplace update clearcapabilities followed by /plugin install agentic-security@clearcapabilities.
In your terminal (no Claude Code required):
npx @clear-capabilities/agentic-security-scanner secure .
Also works with Codex, Cursor, and Gemini CLI — harness setup.

/agentic-security:secure — Router. Picks the single best next action from project state. Also: --tour, --help, --daily.
/agentic-security:find-and-fix-everything — One-shot scan + fix every severity in one command. The vibecoder "just make it safe" path.
/agentic-security:scan — Run the scanner. Modes: full / diff / watch / baseline / archaeology / scanner-meta.
/agentic-security:triage — Decide on findings. Modes: id / show / explain / validate / tournament / red-team / exploit / query.
/agentic-security:fix — Remediation. Modes: id / all / pr / sca / compliance / rotate-secret / vault / harden / trim / generate.
/agentic-security:posture — Posture + reporting. Modes: status / report-card / harness / trend / threat / playbook / mgmt.
/agentic-security:compliance — Compliance + auditor flows. Modes: report / walkthrough / attestation / audit / pr.
/agentic-security:supply — Supply chain. Modes: check / sbom / cve-alerts / license.
/agentic-security:setup — Workflow installers + guards. Modes: hooks / ci / bodyguard / destructive-guard.
/agentic-security:labs — Experimental + AI-driven. Modes: claude-audit / model-rescan / synthesize-rule / cross-repo / risk-dollars / time-to-fix / llm.
Every legacy capability is reachable as a mode of one of these dispatchers — run /secure --help for the full surface.
/compliance --report <framework> generates an auditor-ready attestation that scans your project against:
| Framework | <framework> | Coverage map |
|---|---|---|
| NIST AI 600-1 (2024) — Generative AI Profile | nist | coverage |
| OWASP ASVS 4.0.3 — Application Security Verification Standard | asvs | coverage |
| OWASP LLM Top 10 (2025) | llm | coverage |
| EU AI Act | eu-ai-act | scripts/eu-ai-act/ |
npx claudepluginhub clear-capabilities/agentic-security --plugin agentic-security
Automated OWASP security checks — Web Top 10:2025, LLM Top 10:2025, API Security Top 10:2023
Open-source cybersecurity analysis agent. Scans any local project for vulnerabilities: code security (SAST), dependency CVEs (SCA), secret leaks, authentication/authorization flaws, cryptographic weaknesses, misconfigurations, supply chain risks, and CI/CD security. Covers all OWASP 2025 Top 10 and CWE Top 25 categories. Generates prioritized reports with remediation guidance. Invoke with /cyber-neo [path].
Security scanning, dependency CVE audits, and exposure-aware risk prioritization.
Security best practices advisor with vulnerability detection and fixes
AI-powered cybersecurity code review with 8 specialist agents, OWASP Top 10:2021, CWE Top 25:2024, MITRE ATT&CK v15, and framework-aware false-positive suppression
Specialized security review subagent