Search everything...

Stats

Actions

Available In

Help us improve

Share bugs, ideas, or general feedback.

agentic-security - Claude Code Plugin | ClaudePluginHub

Plugin

agentic-security

Name: agentic-security
Author: clear-capabilities

By Clear-Capabilities

Automatically scan your project for security vulnerabilities (SAST, SCA, secrets) and fix them with deterministic remediation, while generating compliance attestations, threat models, and CI security gates.

npx claudepluginhub clear-capabilities/agentic-security --plugin agentic-security

Popularity

Stars

Top 10%

Med: 0·Avg: 274

Installs

Med: 0·Avg: 1

What's Inside

Slash Commands12

── CI gate (default) ──

/ci

CI/deploy security gates — CI workflow, pre-deploy gate, git hooks. Default generates a CI workflow.

/compliance

Compliance + auditor flows. Framework attestation, walkthrough, buyer-facing badge, stack audits, PR augmentation.

Find And Fix Everything

/find-and-fix-everything

Full /scan --all then /fix --all --low in one command. The vibecoder "just make it safe" path.

Modes

/fix

Remediate findings: --one <id>, --all by severity, --pr bundles a PR, --sca upgrades vulnerable deps.

/labs

Experimental + AI-driven. Self-audit, model rescan, rule synth, cross-repo, risk/time quantification.

Agents10

sca-malware-analyst

/sca-malware-analyst

Per-component CLEAN/SUSPICIOUS/MALICIOUS verdict for third-party dependencies. Use after /security-sca surfaces packages and you need to decide whether a vulnerability is malware vs. ordinary CVE.

refactor-cleaner

/refactor-cleaner

Safely apply dead-code cleanup batches identified by /trim-dead-code. Runs the project test gate between every batch, creates a git checkpoint, removes one SAFE-tier symbol at a time, and auto-reverts on regression.

Subagent path-confinement schema (premortem #17)

/_CONFINEMENT

Subagents that hold `Edit` MUST follow the same write-confinement contract

sca-triager

/sca-triager

Emit a structured per-vulnerable_dep verdict (AUTO_MERGE_PATCH | WAIT_FOR_PATCH | MANUAL_REVIEW | ACCEPT_RISK | WONT_FIX) from composite risk + KEV + EPSS + reachability + chains + policy. Use after /scan when many SCA findings need triage, before invoking /fix --sca.

security-chain-synthesizer

/security-chain-synthesizer

Combine individual security findings into multi-step attack chains (e.g., IDOR + missing auth = account takeover). Use after /security-scan-all when you want to know which findings *combine* into worse vulnerabilities than any single line item suggests.

Skills11

agentic-security:add-scan-rule

/add-scan-rule

Walk through the six-step recipe for adding a new SAST detector — pick the module, export scan*(), wire, fixture, test.

agentic-security:privacy-data-flow

/privacy-data-flow

Privacy review before handling user data. Activate on PII/PHI/PCI shapes (email, SSN, CC, MRN). Writes DATA_FLOW.md.

agentic-security:security-eval-warn

/security-eval-warn

Refuse runtime code-eval on user input. Activate before writing eval(), Function(), or string→exec patterns.

agentic-security:security-explain-cve

/security-explain-cve

Explain a CVE / GHSA / finding in plain English. Activate on CVE-id, GHSA-, or "what is this vuln" questions.

agentic-security:security-fix-finding

/security-fix-finding

Apply a remediation patch via the deterministic MCP toolchain. Activate when user asks to fix a scanner finding.

Hooks1

Event Hooks

Bash

File writes

8 hooks across 5 events

MCP Servers1

agentic-security

admin

agentic-security MCP server (scan_diff, query_taint, explain_finding, find_rule_module, synthesize_fix, verify_fix, apply_fix). Session root is confined to the current project directory; apply_fix requires confirm:true and a valid last-scan.json HMAC signature; shadow findings are never auto-applied.

Stats

Version0.119.1

ReleasedMay 20, 2026

LanguageJavaScript

Stars58

Forks10

MaintenanceExcellent

LicensePolyForm-Internal-Use-1.0.0

Last CommitJun 1, 2026

AddedMay 31, 2026

Actions

View on GitHub View README Plugin Marketplace JSON Homepage

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge.

Available In

clearcapabilities58

Safety Signals

Critical

Admin access level

Server config contains admin-level keywords

Caution

Help us improve

Share bugs, ideas, or general feedback.

README

agentic-security

Build faster with an
Agentic Workforce.
Safe, secure, and compliant
is now the default.

Built by Clear Capabilities.

What you get

─────────────────────────────────────────────────────────────────
  ❌  Not safe to deploy  ·  api-billing
─────────────────────────────────────────────────────────────────
   3 critical · 8 high · 22 medium · 41 advisory
   🔥 2 actively exploited in the wild (CISA KEV)
   ✓  1 CONFIRMED (PoC built by /triage --validate)

   [critical] SQL Injection                api/users.ts:42
     Could leak PII for ~5,000 users.
     Estimated cost if exploited: $125k–$1.3M
     Fix:  use parameterized query — db.query('SELECT * FROM users WHERE id = ?', [id])

   [critical] Hardcoded Stripe live key    src/lib/billing.ts:7
     Could enable fraudulent charges against your account.
     Estimated cost if exploited: $50k–$500k (chargebacks + Stripe fees)
     Fix:  rotate via /agentic-security:fix --rotate-secret --auto, then move to env var

   [critical] Missing webhook signature    api/stripe-webhook.ts:12
     Anyone can POST a fake "payment.succeeded" and unlock paid features.
     Estimated cost if exploited: cost of a free subscription × every attacker
     Fix:  stripe.webhooks.constructEvent(rawBody, signature, endpointSecret)

   How many do you want to fix?
     1. Critical only           (3 fixes)
     2. Critical + High         (11 fixes)
     3. Critical + High + Medium (33 fixes)
─────────────────────────────────────────────────────────────────

No CVE jargon. The stakes, the cost, the fix.

Install

In Claude Code (recommended) — two steps:

/plugin marketplace add https://github.com/Clear-Capabilities/agentic-security
/plugin install agentic-security@clearcapabilities

The first command registers the marketplace as a source; the second actually installs the plugin. Then restart Claude Code (or /reload-plugins). To update later: /plugin marketplace update clearcapabilities followed by /plugin install agentic-security@clearcapabilities.

In your terminal (no Claude Code required):

npx @clear-capabilities/agentic-security-scanner secure .

Also works with Codex, Cursor, and Gemini CLI — harness setup.

Ten commands

/agentic-security:secure — Router. Picks the single best next action from project state. Also: --tour, --help, --daily.

/agentic-security:find-and-fix-everything — One-shot scan + fix every severity in one command. The vibecoder "just make it safe" path.

/agentic-security:scan — Run the scanner. Modes: full / diff / watch / baseline / archaeology / scanner-meta.

/agentic-security:triage — Decide on findings. Modes: id / show / explain / validate / tournament / red-team / exploit / query.

/agentic-security:fix — Remediation. Modes: id / all / pr / sca / compliance / rotate-secret / vault / harden / trim / generate.

/agentic-security:posture — Posture + reporting. Modes: status / report-card / harness / trend / threat / playbook / mgmt.

/agentic-security:compliance — Compliance + auditor flows. Modes: report / walkthrough / attestation / audit / pr.

/agentic-security:supply — Supply chain. Modes: check / sbom / cve-alerts / license.

/agentic-security:setup — Workflow installers + guards. Modes: hooks / ci / bodyguard / destructive-guard.

/agentic-security:labs — Experimental + AI-driven. Modes: claude-audit / model-rescan / synthesize-rule / cross-repo / risk-dollars / time-to-fix / llm.

Every legacy capability is reachable as a mode of one of these dispatchers — run /secure --help for the full surface.

Compliance frameworks

/compliance --report <framework> generates an auditor-ready attestation that scans your project against:

Framework	`<framework>`	Coverage map
NIST AI 600-1 (2024) — Generative AI Profile	`nist`	coverage
OWASP ASVS 4.0.3 — Application Security Verification Standard	`asvs`	coverage
OWASP LLM Top 10 (2025)	`llm`	coverage
EU AI Act	`eu-ai-act`	`scripts/eu-ai-act/`

View full README on GitHub

Help us improve

Find plugins for your project

Help us improve

agentic-security

Popularity

What's Inside

Help us improve

Health & Quality

Confidence

README

agentic-security

Build faster with an
Agentic Workforce.
Safe, secure, and compliant
is now the default.

What you get

Install

Ten commands

Compliance frameworks

Similar Plugins

cyber-neo

security-guidance

sentinel

audit

security-agent

cybersecurity

Help us improve

agentic-security

Build faster with an
Agentic Workforce.
Safe, secure, and compliant
is now the default.

What you get

Install

Ten commands

Compliance frameworks

Help us improve

Find plugins for your project

Help us improve

agentic-security

Popularity

What's Inside

Help us improve

Health & Quality

Confidence

README

agentic-security

Build faster with an Agentic Workforce. Safe, secure, and compliant is now the default.

What you get

Install

Ten commands

Compliance frameworks

Similar Plugins

cyber-neo

security-guidance

sentinel

audit

security-agent

cybersecurity

Help us improve

agentic-security

Build faster with an Agentic Workforce. Safe, secure, and compliant is now the default.

What you get

Install

Ten commands

Compliance frameworks

Build faster with an
Agentic Workforce.
Safe, secure, and compliant
is now the default.

Build faster with an
Agentic Workforce.
Safe, secure, and compliant
is now the default.