security-scanner (verified)

Scan installed plugins and skills for security risks including malicious code AND malicious natural language instructions. Use /security-scanner to audit before installation.

Marketplace: hiropon-plugins (hiroro-work/claude-plugins)
Plugin: security-scanner (security)
Repository: hiroro-work/claude-plugins (18 stars), skills/security-scanner/SKILL.md
Last Verified: January 25, 2026

Install Skill (via the add-skill CLI):

npx add-skill https://github.com/hiroro-work/claude-plugins/blob/main/skills/security-scanner/SKILL.md -a claude-code --skill security-scanner

Installation path for Claude: .claude/skills/security-scanner/

Instructions

# Security Scanner

Analyzes Claude Code plugins and skills for malicious content using AI semantic analysis.

## Usage

```text
/security-scanner              # Scan all (plugins + skills)
/security-scanner --user       # Scan user-level only (~/.claude/)
/security-scanner --project    # Scan project-level only (.claude/)
/security-scanner --all        # Scan ALL (ignore trusted sources and self-exclusion)
/security-scanner <url>        # Scan from GitHub URL (public repos only)
/security-scanner --url <url>  # Same as above (explicit form)
```

### URL Format (--url option)

Supports GitHub URLs:

```text
https://github.com/owner/repo
https://github.com/owner/repo/tree/main/path/to/plugin
```

**Note**: Only public repositories are supported. The branch specified in the URL is used; if none is specified, the repository's default branch is used.

## Scan Targets

### Plugins
- **User-level**: `~/.claude/plugins/` (shared across all projects)
- **Project-level**: `.claude/plugins/` (project-specific)

### Skills
- **User-level**: `~/.claude/skills/` (shared across all projects)
- **Project-level**: `.claude/skills/` (project-specific)

## Configuration (Trusted Sources)

Users can define trusted marketplaces, plugins, and skills in `security-scanner.local.md`:

- Project-level: `.claude/security-scanner.local.md` (takes precedence)
- User-level: `~/.claude/security-scanner.local.md`

If both files exist, **project-level settings take precedence**.

```markdown
---
trusted_marketplaces:
  - claude-plugins-official    # Skip all plugins from this marketplace
  - hiropon-plugins

trusted_plugins:
  - plugin-dev@claude-plugins-official    # Skip specific plugin
  - frontend-design@claude-code-plugins

trusted_skills:
  - my-skill                   # Skip specific skill by name
  - another-skill
---
```

**Trusted sources are skipped during scanning.**

To add/remove trusted sources, edit `security-scanner.local.md` in `.claude/` (project-level) or `~/.claude/` (user-level).
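The trust rules above (marketplace-wide trust, `plugin@marketplace` entries, skill names, project-level precedence, and `--all` overriding both trust and self-exclusion) are easy to get subtly wrong, so here is an added, stand-alone Python model of them. It is not the skill's own code: the front-matter reader is a deliberately minimal parser for the three list keys shown in the example, the sample configs and plugin/skill inventories are constructed, and the reading that a project-level file replaces the user-level file outright (rather than merging with it) is an assumption.

```python
"""Model of security-scanner trusted-source handling (added example, not the skill's code)."""
import re
from pathlib import Path

KEYS = ("trusted_marketplaces", "trusted_plugins", "trusted_skills")
SELF_NAME = "security-scanner"   # the scanner skips itself unless --all is given


def parse_trusted_config(text):
    """Read the YAML-style front matter of security-scanner.local.md.

    Minimal on purpose: handles only top-level keys whose values are lists of
    bare tokens, with optional trailing '# comments', which is all the format
    shown in the documentation uses. Unknown keys are ignored.
    """
    config = {k: [] for k in KEYS}
    block = re.search(r"^---\s*\n(.*?)\n---\s*$", text, re.S | re.M)
    if not block:
        return config                      # no front matter: nothing trusted
    current = None
    for raw in block.group(1).splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comment
        if not line.strip():
            continue
        key = re.match(r"^(\w+):\s*$", line)
        if key:
            current = key.group(1)
            continue
        item = re.match(r"^\s*-\s+(\S+)\s*$", line)
        if item and current in config:
            config[current].append(item.group(1))
    return config


def select_config(project_text, user_text):
    """Assumption: the project-level file wins outright when it exists."""
    if project_text is not None:
        return parse_trusted_config(project_text)
    if user_text is not None:
        return parse_trusted_config(user_text)
    return {k: [] for k in KEYS}


def load_config(project_dir, home_dir):
    """Same precedence rule, reading .claude/security-scanner.local.md from disk."""
    def read(base):
        p = Path(base) / ".claude" / "security-scanner.local.md"
        return p.read_text() if p.is_file() else None
    return select_config(read(project_dir), read(home_dir))


def is_trusted_plugin(config, plugin, marketplace):
    return (marketplace in config["trusted_marketplaces"]
            or f"{plugin}@{marketplace}" in config["trusted_plugins"])


def is_trusted_skill(config, skill):
    return skill in config["trusted_skills"]


def scan_targets(config, plugins, skills, scan_all=False):
    """Return (kind, identifier) pairs that still need scanning.

    plugins: iterable of (name, marketplace); skills: iterable of names.
    With scan_all (the --all flag) trust lists and self-exclusion are ignored.
    """
    targets = []
    for name, marketplace in plugins:
        if scan_all or not is_trusted_plugin(config, name, marketplace):
            targets.append(("plugin", f"{name}@{marketplace}"))
    for name in skills:
        if not scan_all and (name == SELF_NAME or is_trusted_skill(config, name)):
            continue
        targets.append(("skill", name))
    return targets


# Constructed sample inputs: the documented example config, a user-level
# config, and an inventory of installed plugins/skills.
CONSTRUCTED_PROJECT_CONFIG = """---
trusted_marketplaces:
  - claude-plugins-official    # Skip all plugins from this marketplace
  - hiropon-plugins

trusted_plugins:
  - plugin-dev@claude-plugins-official    # Skip specific plugin
  - frontend-design@claude-code-plugins

trusted_skills:
  - my-skill                   # Skip specific skill by name
  - another-skill
---
"""
CONSTRUCTED_USER_CONFIG = "---\ntrusted_skills:\n  - user-only-skill\n---\n"
SAMPLE_PLUGINS = [("plugin-dev", "claude-plugins-official"),
                  ("frontend-design", "claude-code-plugins"),
                  ("unknown-tool", "claude-code-plugins")]
SAMPLE_SKILLS = ["my-skill", "new-skill", SELF_NAME]

if __name__ == "__main__":
    cfg = select_config(CONSTRUCTED_PROJECT_CONFIG, CONSTRUCTED_USER_CONFIG)
    for kind, ident in scan_targets(cfg, SAMPLE_PLUGINS, SAMPLE_SKILLS):
        print(f"scan {kind}: {ident}")
```

Run as a script it lists only `unknown-tool@claude-code-plugins` and `new-skill`: everything else is skipped by marketplace trust, an explicit `plugin@marketplace` entry, a trusted skill name, or self-exclusion, and passing `scan_all=True` brings all six back.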

## Sca

Validation Details: Front Matter, Required Fields, Valid Name Format, Valid Description, Has Sections, Allowed Tools
Instruction Length: 13448 chars