Bryan Thompson ad0e721016
policy(scan): review whole payload incl .claude/ + flag credential extraction
The review rubric anchored "read every relevant file" to the loaded plugin
surface (skills/*/SKILL.md, hook-referenced source) and checked credential
reads (~/.ssh, ~/.aws/credentials) only within hooks. Code that reads the user's
live secrets from a non-loaded location — e.g. a dotdir like .claude/ that still
ships to the user's disk on a git-source install — could fall through both.

Two fixes:
- Scope: direct the reviewer to read the WHOLE shipped payload incl. dotdirs
  like .claude/ (clones to disk, agent-reachable though not auto-loaded).
- Detector: add an explicit credential/secret-extraction check across ALL
  shipped code (not just hooks), naming OS credential-store CLIs + token
  harvest, with the set-your-own-key vs harvest trust-boundary distinction.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 17:23:50 -05:00
..