
v1.1.0 — Security Remediation + Marketplace Compliance

@AgriciDaniel released this 15 Apr 09:44

Security Remediation

Self-audit identified 22 findings (Grade C, 61/100). All 15 planned fixes applied, raising the projected score to 85-92/100 (Grade A/B).

Critical Fixes

  • Prompt injection defense: CRITICAL SAFETY RULE added to all 8 agent dispatches — treats scanned code as untrusted data, flags injection attempts as CRITICAL findings (CWE-94, MITRE T1059)
  • WebFetch/WebSearch removed: Eliminated unnecessary data exfiltration surface from allowed-tools
  • Per-agent tool restrictions: Each of 8 agents now operates with least-privilege (Read/Grep/Glob only; Agent 5 adds Bash for IaC)

High-Priority Fixes

  • Install integrity verification: checksums.sha256 with SHA-256 hashes for all 23 skill files, verified during installation
  • File exclusion hardening: .claude/, .cursor/, AGENTS.md, SKILL.md in scanned repos treated as data, not instructions
  • Permission path fix: Corrected settings.local.json path mismatch (claude-cybersecurity → cybersecurity)
  • Removed phantom install.ps1 references from README and SECURITY.md

Medium-Priority Fixes

  • Evidence redaction: Secret values masked in reports (first 4 + last 4 chars: AKIA****WXYZ)
  • Agent failure handling: Step 2.5 validation — score bounds, format compliance, missing agent fallback (score 50), minimum threshold (6/8)
  • Citation corrections: OWASP Top 10:2025 → 2021 (official), removed unsubstantiated statistics
  • CI/CD pipeline: shellcheck, markdownlint, checksum verification, cross-reference validation
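The Step 2.5 validation and the evidence redaction rule above, as an added example (not the plugin's own code). It assumes each agent result is a dict with an integer score and a findings list, that the score bounds are 0..100, and that secrets of 8 characters or fewer are masked entirely, since showing first 4 + last 4 would reveal them whole:

```python
# Added example, not the plugin's own code. Assumed: each of the 8 agents
# returns {"score": int, "findings": list}; score bounds 0..100 are assumed;
# a missing or malformed result falls back to score 50, and fewer than 6
# valid results aborts aggregation; secrets of <= 8 chars are fully masked.
AGENT_COUNT = 8          # the release lists 8 agent dispatches
MIN_VALID_AGENTS = 6     # "minimum threshold (6/8)"
FALLBACK_SCORE = 50      # "missing agent fallback (score 50)"
SCORE_MIN, SCORE_MAX = 0, 100   # assumed bounds

def redact_secret(value: str) -> str:
    """Mask a secret as first 4 + last 4 chars, e.g. AKIA****WXYZ."""
    if len(value) <= 8:            # too short: showing 8 chars would leak it all
        return "*" * len(value)
    return value[:4] + "****" + value[-4:]

def validate_agent_result(result):
    """Return (is_valid, score); invalid or missing results get the fallback."""
    if not isinstance(result, dict):
        return False, FALLBACK_SCORE
    score, findings = result.get("score"), result.get("findings")
    # format compliance: integer score (bool excluded) and a findings list
    if isinstance(score, bool) or not isinstance(score, int) \
            or not isinstance(findings, list):
        return False, FALLBACK_SCORE
    if not SCORE_MIN <= score <= SCORE_MAX:   # score bounds
        return False, FALLBACK_SCORE
    return True, score

def aggregate(results):
    """Validate all agents; abort scoring when fewer than 6 of 8 are valid."""
    scores, invalid = {}, []
    for i in range(1, AGENT_COUNT + 1):
        name = f"agent-{i}"
        ok, score = validate_agent_result(results.get(name))
        scores[name] = score
        if not ok:
            invalid.append(name)
    valid = AGENT_COUNT - len(invalid)
    if valid < MIN_VALID_AGENTS:
        return {"status": "aborted", "valid_agents": valid, "invalid": invalid}
    overall = sum(scores.values()) // AGENT_COUNT   # integer (floor) mean
    return {"status": "ok", "valid_agents": valid, "invalid": invalid,
            "overall": overall, "scores": scores}

# constructed sample: six well-formed agents, agent-7 missing, agent-8 out of bounds
SAMPLE = {f"agent-{i}": {"score": 90, "findings": []} for i in range(1, 7)}
SAMPLE["agent-8"] = {"score": 140, "findings": []}
```

With the constructed sample, agents 7 and 8 both fall back to 50, six remain valid, so the run is scored rather than aborted.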

Marketplace Compliance

  • plugin.json updated to Anthropic schema: author object format, 10 keywords, repository field
  • Plugin installation method added to README (claude plugin install cybersecurity)
  • Badges aligned (14 languages, OWASP 2021)

New Files

  • CHANGELOG.md — release tracking
  • checksums.sha256 — file integrity verification
  • .github/workflows/ci.yml — automated validation pipeline
  • .github/ISSUE_TEMPLATE/config.yml — security-focused issue routing
  • SECURITY-AUDIT-2026-04-15.md — full audit report

Full Audit Report

See SECURITY-AUDIT-2026-04-15.md for the complete 22-finding audit with attack chain analysis.

Skill Quality Score: 82/100 (skill-creator evaluation)
Plugin Validation: 15/15 checks pass
Checksums: 23/23 files verified