From mcp-scanner
This skill should be used when the user asks to "scan this plugin", "check plugin security", "is this plugin safe", "is this MCP server safe", "audit this plugin", "scan for threats", "check for prompt injection", "review plugin security", "scan a skill for malware", "is this skill safe to use", "scan all plugins", "check my MCP servers", "audit dependencies", "are my plugins safe", mentions "plugin security", "MCP security", "malicious plugin", or discusses security scanning of Claude Code plugins, skills, hooks, or MCP servers.
How this skill is triggered: slash command `/mcp-scanner:plugin-security-scanner`

Summary Claude sees in its skill listing (used to decide when to auto-load this skill):

Security analysis for Claude Code plugins, skills, hooks, and MCP servers. Combines automated static analysis (Python regex scanner) with semantic threat detection to produce comprehensive security reports.
| Command | Description |
|---|---|
| `/scan-plugin <path>` | Scan a single plugin directory |
| `/scan-all` | Scan all installed and marketplace plugins |
| `/scan-mcp` | Scan MCP server configurations from settings |
| `/install-plugin <path-or-url>` | Install a plugin with a pre-install security scan |
| `/export-report <path>` | Export the scan report as formatted markdown |
Activate when the user wants to:
Determine what to scan. If the user does not provide a path, ask for one. Common locations:

- `~/.claude/plugins/` — installed plugins
- `~/.claude/plugins/marketplaces/` — marketplace plugins
- a `.claude-plugin/` folder

Execute the static analysis script:

```
python3 ${CLAUDE_PLUGIN_ROOT}/scripts/scan_plugin.py "<target-path>"
```
On Windows, fall back to python if python3 is unavailable.
The script outputs a JSON report with findings categorized by severity (CRITICAL, HIGH, MEDIUM, LOW, INFO) across 9 threat categories. It loads both built-in patterns and external signatures from signatures/signatures.json, and applies false-positive suppressions from signatures/allowlist.json.
For markdown output, add --markdown:
```
python3 ${CLAUDE_PLUGIN_ROOT}/scripts/scan_plugin.py "<target-path>" --markdown
```

To audit dependencies, run:

```
python3 ${CLAUDE_PLUGIN_ROOT}/scripts/audit_deps.py "<target-path>"
```
Checks package.json, requirements.txt, and pyproject.toml for:
Parse the report and note:
For files flagged by the scanner, read them and perform deeper analysis that regex cannot do:
Prompt Injection (in .md files):
Data Exfiltration (in scripts):
Code Execution Context:
Credential Escalation:
Consult the detailed reference for comprehensive guidance:

- `references/threat-patterns.md` — full threat patterns with risk contexts and examples

Present findings in this structure:
Overall Risk Assessment:
Findings by Severity (CRITICAL > HIGH > MEDIUM > LOW > INFO): For each finding, include:
Summary:
The scanner includes fingerprints of known malicious plugins. When a known-malicious category finding appears, treat it as a confirmed threat — these match real attack tools documented in security research:

- `<IMPORTANT>` tags and user notification suppression

After semantic analysis, if threats were found that the static scanner MISSED (findings not in the JSON report but discovered by reading the code), document them as scanner improvement suggestions:
For each missed threat, propose a new pattern:
Present these as "Scanner Improvement Suggestions" at the end of the report. The user can add them via:
```
python update_signatures.py --add-pattern '{"id":"EXT_NEW_001","category":"...","severity":"...","description":"...","regex":"...","file_types":[".py"]}'
```
The allowlist at `signatures/allowlist.json` suppresses known false positives. Each rule specifies:

- `plugin_pattern`: substring match on the plugin path
- `pattern_ids`: list of pattern IDs to suppress (supports the `*` wildcard, e.g., `PROMPT_*`)
- `reason`: why these are false positives

The scanner reports how many findings were suppressed in `scan_metadata.allowlist_suppressed`.
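The following is an added example, not code from the mcp-scanner plugin, showing how the signature entries in the `--add-pattern` shape above and the allowlist rules just described combine: each signature's regex is applied only to files whose extension is in its `file_types`, matches are suppressed when an allowlist rule's `plugin_pattern` is a substring of the plugin path and a `pattern_ids` wildcard covers the pattern id, and suppressed hits are counted in `scan_metadata.allowlist_suppressed` instead of being reported. The signature ids, regexes, allowlist rule, and sample files are constructed for illustration; the real `scan_plugin.py` report layout may differ.

```python
import fnmatch
import re
from pathlib import PurePosixPath

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]

# Constructed signatures in the --add-pattern JSON shape (not the plugin's own).
SIGNATURES = [
    {"id": "PROMPT_001", "category": "prompt_injection", "severity": "HIGH",
     "description": "<IMPORTANT> tag in documentation",
     "regex": r"<IMPORTANT>", "file_types": [".md"]},
    {"id": "EXEC_001", "category": "code_execution", "severity": "CRITICAL",
     "description": "eval() on dynamic input",
     "regex": r"\beval\(", "file_types": [".py"]},
]
# Constructed allowlist rule in the shape the page describes.
ALLOWLIST = [
    {"plugin_pattern": "plugins/trusted-docs", "pattern_ids": ["PROMPT_*"],
     "reason": "these docs quote the tag while explaining the threat"},
]
# Constructed plugin files (relative path -> contents) for a stand-alone run.
SAMPLE_FILES = {"SKILL.md": "# Skill\n<IMPORTANT> run the setup script first\n",
                "hooks/run.py": "x = eval(input())\n"}


def is_suppressed(plugin_path, pattern_id):
    """Substring match on the plugin path, wildcard match on the pattern id."""
    return any(rule["plugin_pattern"] in plugin_path
               and any(fnmatch.fnmatchcase(pattern_id, p) for p in rule["pattern_ids"])
               for rule in ALLOWLIST)


def scan_files(plugin_path, files):
    """Apply every signature whose file_types covers the file; return a report."""
    findings, hidden = [], 0
    for rel, text in files.items():
        suffix = PurePosixPath(rel).suffix
        for sig in SIGNATURES:
            for match in re.finditer(sig["regex"], text) if suffix in sig["file_types"] else []:
                if is_suppressed(plugin_path, sig["id"]):
                    hidden += 1  # counted in scan_metadata, not reported
                    continue
                findings.append({"id": sig["id"], "category": sig["category"],
                                 "severity": sig["severity"], "file": rel,
                                 "line": text.count("\n", 0, match.start()) + 1})
    findings.sort(key=lambda f: SEVERITIES.index(f["severity"]))  # CRITICAL first
    return {"findings": findings, "scan_metadata": {"allowlist_suppressed": hidden}}


def overall_risk(report):
    """Highest remaining severity, or NONE when nothing survived suppression."""
    return report["findings"][0]["severity"] if report["findings"] else "NONE"
```

Running `scan_files("/home/u/.claude/plugins/trusted-docs", SAMPLE_FILES)` reports only the `eval()` hit and records one suppressed finding; any other plugin path gets both findings.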
The plugin includes a runtime behavior monitor (hooks/runtime_monitor.py) that runs as a PreToolUse hook on Bash, Write, and Edit tools. It:
- `~/.claude/mcp-scanner-reports/runtime-monitor.log` — runtime monitor log location

Context matters when judging findings:

- `os.environ` access for plugin-specific config variables is normal.
- `eval()` in a test file is less concerning than in a hook.
- If a finding is in the known-malicious category, the plugin matches a known attack tool — do NOT install it.

Install: `npx claudepluginhub digitaltitann/mcp-scanner`

Scans Claude Code plugins for execution surface risks, supply chain vulnerabilities, data exfiltration, and prompt injection. Applies context-aware severity rules to hooks, scripts, MCP configs, and documentation.