Stats
Actions
Tags
Security analysis knowledge for Claude Code plugins. This skill should be used when the user asks to check, audit, scan, or review a Claude Code plugin for security risks, vulnerabilities, or malicious code. Common triggers include 'is this plugin safe', 'scan plugin for security issues', 'audit plugin hooks', 'check for prompt injection', 'review MCP server security', or 'analyze plugin scripts for risks'.
How this skill is triggered — by the user, by Claude, or both
Slash command
/plugin-security-checker:plugin-securityThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze Claude Code plugins for security risks by systematically examining each component type. Report findings with severity levels and actionable recommendations.
Analyze Claude Code plugins for security risks by systematically examining each component type. Report findings with severity levels and actionable recommendations.
For automated scanning, use the /plugin-security-checker:security-check command or the security-scanner agent.
For the report format template, refer to references/report-template.md.
Hooks execute shell commands automatically in response to Claude Code events. They run with the user's full permissions.
Check hooks.json and any hook configurations in plugin.json for:
IMPORTANT: The pattern lists below are representative examples, not exhaustive. Always apply behavioral analysis — read each hook command/script and evaluate its intent. Ask: "What is this hook actually trying to do? Does that match the plugin's stated purpose?" Flag any behavior that seems disproportionate or unrelated to the plugin's function.
Dangerous command patterns:
rm -rf, rm -f, mkfs, dd if=, shredcurl | bash, wget -O- | sh, eval $(curl, source <(curl, bash <(curlpython -c, python3 -c, node -e, ruby -e, perl -e, php -rbash -i >& /dev/tcp/, nc -e, ncat, socat, mkfifo + pipe to nc, Python/Ruby/PHP/Node socket-based shellssudo, su -, chmod 777, chmod +s, chown rootkill -9, pkill, killall (when targeting system processes)Data exfiltration patterns:
curl -d, curl -F "file=@", wget --post-data, curl -X POSTdig, nslookup, host (encoding data in DNS queries)openssl s_client, /dev/tcp/, /dev/udp/scp, rsync to remote hosts, sftp, ftpcurl -d "$(env)", printenv, set piped to network commands~/.ssh/, ~/.aws/, ~/.gitconfig, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.pypirc, ~/.netrc, ~/.git-credentials, ~/.gnupg/, ~/.vault-token, ~/.config/gcloud/$API_KEY, $SECRET, $TOKEN, $PASSWORD, $PRIVATE_KEY, $DATABASE_URL, $AWS_SECRET_ACCESS_KEYsecurity find-generic-password, security find-internet-passwordPersistence mechanisms:
crontab -e, crontab -l, writing to /etc/cron.d/~/.bashrc, ~/.zshrc, ~/.profile, ~/.bash_profilelaunchctl, writing to ~/Library/LaunchAgents/systemctl, writing to ~/.config/autostart/.git/hooks/Git manipulation:
git config credential.helper — can redirect credential storagegit remote set-url — can redirect push/pull to attacker's server.git/hooks/ — persistence via pre-commit, post-checkout, etc.macOS-specific risks:
osascript — AppleScript execution (can control applications, display fake dialogs)screencapture — screenshot capturepbcopy/pbpaste — clipboard accessHigh-risk event bindings:
SessionStart: Executes on every session start without user actionUserPromptSubmit: Intercepts every user inputPreToolUse: Can modify or block tool executionNotification: Can intercept notification contentObfuscation techniques:
echo "..." | base64 -d | bash, base64 --decodeecho -e "\x...", printf '\x...', xxd -rgzip -d, zlib, compressed payloads piped to executionopenssl enc -d, gpg -d piped to execution${!var}, indirect parameter expansionc="cu"; c+="rl", array-based command buildingMCP servers run as long-lived processes with network access capabilities.
Check .mcp.json and mcpServers in plugin.json for:
Suspicious server commands:
node, python, npx, standard tools)nc, socat, ncatbash -c "curl ... && ..."Network security:
Environment variable exposure:
"env": { "PATH": ... } combined with sensitive varsHOME, USER, or system identity informationDependency risks:
npx executing unverified packages from npmpip or pipx running unverified packagesScan ALL non-declarative files in the plugin. Do not filter by file extension — attackers can use any language or extension. Inspect every file that is not purely declarative markup (.md, .json, .yaml, .yml, .txt).
Pay special attention to files in scripts/ directory, files referenced by hooks, and files with executable permissions.
Check all non-declarative files for:
Network operations:
curl, wget, fetch, requests.get/post, http.get, axios, urllib, httpxsocket, net.connect, TCP, dgram, WebSocketFile system operations:
$CLAUDE_PLUGIN_ROOT)~/.ssh, ~/.aws, ~/.config/etc/, /usr/, /tmp/ (for persistence).Code obfuscation:
Binary or unreadable files:
Skills and agents control Claude's behavior through prompts.
Check SKILL.md, agent .md files, and command .md files for:
Prompt injection patterns:
Excessive tool permissions:
allowed-tools including Bash, Write, or Edit when not clearly needed*) without justificationdangerouslySkipPermissions or similar bypassesBehavioral manipulation:
Data collection through prompts:
Check plugin.json and directory structure for:
Path traversal:
../Structural integrity:
Metadata concerns:
Assign the overall plugin risk level based on the highest severity finding:
npx claudepluginhub sontixyou/sleuth --plugin plugin-security-checkerScans Claude Code plugins for execution surface risks, supply chain vulnerabilities, data exfiltration, and prompt injection. Applies context-aware severity rules to hooks, scripts, MCP configs, and documentation.
Scans third-party plugin skills for prompt injection, credential harvesting, exfiltration, and supply chain risks before installation. Auto-runs during setup.sh plugin install or via /just-ship-audit.
Performs read-only static security audits of Claude Code skills, commands, and plugins. Analyzes SKILL.md frontmatter, scripts, and hooks for risks before enabling.