Scan installed plugins and skills for security risks including malicious code AND malicious natural language instructions. Use /security-scanner to audit before installation.
GitHub: hiroro-work/claude-plugins
security-scanner
January 24, 2026
```shell
npx add-skill https://github.com/hiroro-work/claude-plugins/blob/main/plugins/security-scanner/skills/security-scanner/SKILL.md -a claude-code --skill security-scanner
```

Installation paths: `.claude/skills/security-scanner/`

# Security Scanner

Analyzes Claude Code plugins and skills for malicious content using AI semantic analysis.

## Usage

```text
/security-scanner             # Scan all (plugins + skills)
/security-scanner --user      # Scan user-level only (~/.claude/)
/security-scanner --project   # Scan project-level only (.claude/)
/security-scanner --plugins   # Scan plugins only
/security-scanner --skills    # Scan skills only
/security-scanner --all       # Scan ALL (ignore trusted sources and self-exclusion)
/security-scanner --url <url> # Scan from GitHub URL (public repos only)
```

Options can be combined: `/security-scanner --user --skills` scans user-level skills only.

### URL Format (--url option)

Supports GitHub URLs:

```text
https://github.com/owner/repo
https://github.com/owner/repo/tree/main/path/to/plugin
```

**Note**: Only public repositories are supported. The branch specified in the URL is used (defaults to the repository's default branch if not specified).

## Scan Targets

### Plugins

- **User-level**: `~/.claude/plugins/` (shared across all projects)
- **Project-level**: `.claude/plugins/` (project-specific)

### Skills

- **User-level**: `~/.claude/skills/` (shared across all projects)
- **Project-level**: `.claude/skills/` (project-specific)

## Configuration (Trusted Sources)

Users can define trusted marketplaces, plugins, and skills in `.claude/security-scanner.local.md`:

```markdown
---
trusted_marketplaces:
  - claude-plugins-official # Skip all plugins from this marketplace
  - hiropon-plugins
trusted_plugins:
  - plugin-dev@claude-plugins-official # Skip specific plugin
  - frontend-design@claude-code-plugins
trusted_skills:
  - my-skill # Skip specific skill by name
  - another-skill
---
```

**Trusted sources are skipped during scanning.** To add/remove trusted sources, edit `.claude/security-scanner.local.md` manually.

## Scanning Process

### Step 1: Load Settings

Read `.claude/security-scanner.local.md` if it exists
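The trusted-source file is the only thing that makes the scanner skip a plugin or skill, so the load-and-match step is worth seeing as code. The following is an added Python example, not code from hiroro-work/claude-plugins: it reads the front matter of `.claude/security-scanner.local.md` into sets (the function names `parse_settings`, `load_settings`, `is_trusted_plugin` and `is_trusted_skill` are this example's own) and applies the rules the page states: a plugin is skipped when its marketplace is listed or its exact `plugin@marketplace` entry is, a skill when its name is listed, and `--all` ignores the file entirely. The settings text embedded below is constructed from the page's own example.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample of .claude/security-scanner.local.md, copied from the
# format documented above (trailing "# ..." comments included on purpose).
SAMPLE_SETTINGS = """---
trusted_marketplaces:
  - claude-plugins-official   # Skip all plugins from this marketplace
  - hiropon-plugins
trusted_plugins:
  - plugin-dev@claude-plugins-official   # Skip specific plugin
  - frontend-design@claude-code-plugins
trusted_skills:
  - my-skill   # Skip specific skill by name
  - another-skill
---
"""


@dataclass
class TrustedSources:
    marketplaces: set = field(default_factory=set)
    plugins: set = field(default_factory=set)   # entries of the form plugin@marketplace
    skills: set = field(default_factory=set)


def _strip_comment(line: str) -> str:
    # Drop a trailing "# ..." comment; the documented values never contain '#'.
    return line.split("#", 1)[0].rstrip()


def parse_settings(text: str) -> TrustedSources:
    """Parse the YAML-style front matter (--- ... ---) of the settings file.

    Only the three list keys the page documents are recognised.  Missing front
    matter or a missing key yields an empty set, i.e. nothing is trusted.
    """
    match = re.search(r"^---\s*$(.*?)^---\s*$", text, re.S | re.M)
    result = TrustedSources()
    if not match:
        return result
    key_map = {
        "trusted_marketplaces": result.marketplaces,
        "trusted_plugins": result.plugins,
        "trusted_skills": result.skills,
    }
    current = None  # the set that subsequent "- item" lines belong to
    for raw in match.group(1).splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        # A top-level "key:" line selects which list we are filling.
        if not line.startswith((" ", "\t", "-")) and line.endswith(":"):
            current = key_map.get(line.strip()[:-1])  # unknown keys are ignored
            continue
        item = line.strip()
        if item.startswith("- ") and current is not None:
            current.add(item[2:].strip())
    return result


def load_settings(path: Path = Path(".claude/security-scanner.local.md")) -> TrustedSources:
    """Step 1 of the scanning process: read the settings file only if it exists."""
    if not path.is_file():
        return TrustedSources()
    return parse_settings(path.read_text(encoding="utf-8"))


def is_trusted_plugin(trust: TrustedSources, plugin: str, marketplace: str,
                      scan_all: bool = False) -> bool:
    """True when the plugin would be skipped: its whole marketplace is trusted,
    or its exact plugin@marketplace entry is.  --all disables trust entirely."""
    if scan_all:
        return False
    return marketplace in trust.marketplaces or f"{plugin}@{marketplace}" in trust.plugins


def is_trusted_skill(trust: TrustedSources, skill: str, scan_all: bool = False) -> bool:
    """True when the skill would be skipped because its name is listed."""
    if scan_all:
        return False
    return skill in trust.skills


if __name__ == "__main__":
    trust = parse_settings(SAMPLE_SETTINGS)
    for name, market in [("plugin-dev", "claude-plugins-official"),
                         ("frontend-design", "claude-code-plugins"),
                         ("unknown-plugin", "claude-code-plugins")]:
        print(f"{name}@{market}: skip={is_trusted_plugin(trust, name, market)}")
```

Because the file lives under the project's `.claude/` directory, the trusts it declares apply to that checkout; the loader above treats a missing file, absent front matter or an unknown key as trusting nothing, which is the safe default for a scanner whose skip list is the only thing standing between a plugin and the review it would otherwise get.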