arrow_back All plugins

auto-audit

Autonomous security auditor. Scans a GitHub repo for vulnerabilities, triages false positives, writes a PoC, fixes each confirmed bug in its own PR, independently reviews the fix, and merges when the review is clean.

Security v0.2.0

Installation

If you haven't added the marketplace yet, see Getting Started.

claude plugin install auto-audit@wrxck-claude-plugins

Or add to your ~/.claude/settings.json:

{
  "enabledPlugins": {
    "auto-audit@wrxck-claude-plugins": true
  }
}

How it works

Scan. Clones the target repo into an isolated workspace and runs a security scanner over the source.
Triage. A triage agent reviews each finding against the surrounding code. Confirmed-false-positive verdicts are archived; real findings continue.
PoC. A proof-of-concept agent writes a minimal reproduction that demonstrates the vulnerability. The PoC is executed inside a sandbox (see below).
Fix. A fixer agent lands a patch on a new branch, re-runs the target repo's test suite inside the sandbox, and opens a pull request.
Review. An independent reviewer agent re-checks the patch against the original finding.
Merge. With merge_policy=manual (the default) the PR waits for a human. With merge_policy=auto the plugin squash-merges its own PR.

Sandbox

Test suites and PoCs from scraped repos are untrusted code. The plugin runs them in an isolated container:

Network disabled by default (--network=none). Egress allowed only for repos in allow_network_for_repos.
Host filesystem not mounted. The cloned repo is bound read-only; writes go to a tmpfs workspace.
Runs as the nobody user (65534). --cap-drop=ALL, --security-opt=no-new-privileges.
Resource caps: --cpus=2 --memory=2g --pids-limit=256.
Runtime detected in preference order: podman → docker → bwrap.
sandbox_mode=strict (default) rejects if no runtime is installed. best-effort warns loudly and falls back. off runs on the host (unsafe; opt-in only).

Config

{
  "merge_policy": "manual",
  "sandbox_mode": "strict",
  "allow_network_for_repos": []
}

Stored at ${XDG_DATA_HOME:-$HOME/.local/share}/claude/auto-audit/config.json.

Security notes

The triage, reviewer, and fixer agents ingest content from the target repo — README text, docstrings, commit messages, test output. A hostile repo can try to subvert that pipeline by planting instruction-shaped strings. Each agent wraps ingested content in explicit === BEGIN UNTRUSTED REPOSITORY CONTENT === delimiters and is instructed to treat directive-shaped strings inside them as data, not commands. The reviewer is also blind to the triager's reasoning. None of this is a hardened security boundary though — an LLM is not a sandbox. Use merge_policy=auto only on repos you fully trust.

Full docs + benchmarks

Deeper writeup with the safety-model table, benchmark numbers, and sample PR walkthroughs lives at the dedicated site:

auto-audit.hesketh.pro

Source

View the source, report issues, or contribute on GitHub:

github.com/wrxck/auto-audit