Plugin Auditor
Automatically audits Claude Code plugins for security vulnerabilities, best practices, CLAUDE.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. Specific to claude-code-plugins repository standards.
Best use case
Plugin Auditor is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Automatically audits Claude Code plugins for security vulnerabilities, best practices, CLAUDE.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. Specific to claude-code-plugins repository standards.
Teams using Plugin Auditor should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/plugin-auditor/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Plugin Auditor Compares
| Feature / Agent | Plugin Auditor | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Automatically audits Claude Code plugins for security vulnerabilities, best practices, CLAUDE.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. Specific to claude-code-plugins repository standards.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Plugin Auditor
## Purpose
Automatically audits Claude Code plugins for security vulnerabilities, best practice violations, CLAUDE.md compliance, and quality standards - optimized for claude-code-plugins repository requirements.
## Trigger Keywords
- "audit plugin"
- "security review" or "security audit"
- "best practices check"
- "plugin quality"
- "compliance check"
- "plugin security"
## Audit Categories
### 1. Security Audit
**Critical Checks:**
- ❌ No hardcoded secrets (passwords, API keys, tokens)
- ❌ No AWS keys (AKIA...)
- ❌ No private keys (BEGIN PRIVATE KEY)
- ❌ No dangerous commands (rm -rf /, eval(), exec())
- ❌ No command injection vectors
- ❌ No suspicious URLs (IP addresses, non-HTTPS)
- ❌ No obfuscated code (base64 decode, hex encoding)
**Security Patterns:**
```bash
# Check for hardcoded secrets
grep -r "password\s*=\s*['\"]" --exclude-dir=node_modules
grep -r "api_key\s*=\s*['\"]" --exclude-dir=node_modules
grep -r "secret\s*=\s*['\"]" --exclude-dir=node_modules
# Check for AWS keys
grep -r "AKIA[0-9A-Z]{16}" --exclude=README.md
# Check for private keys
grep -r "BEGIN.*PRIVATE KEY" --exclude=README.md
# Check for dangerous patterns
grep -r "rm -rf /" | grep -v "/var/" | grep -v "/tmp/"
grep -r "eval\s*\(" --exclude=README.md
```
### 2. Best Practices Audit
**Plugin Structure:**
- ✅ Proper directory hierarchy
- ✅ Required files present
- ✅ Semantic versioning (x.y.z)
- ✅ Clear, concise descriptions
- ✅ Proper LICENSE file (MIT/Apache-2.0)
- ✅ Comprehensive README
- ✅ At least 5 keywords
**Code Quality:**
- ✅ No TODO/FIXME without issue links
- ✅ No console.log() in production code
- ✅ No hardcoded paths (/home/, /Users/)
- ✅ Uses `${CLAUDE_PLUGIN_ROOT}` in hooks
- ✅ Scripts have proper shebangs
- ✅ All scripts are executable
**Documentation:**
- ✅ README has installation section
- ✅ README has usage examples
- ✅ README has clear description
- ✅ Commands have proper frontmatter
- ✅ Agents have model specified
- ✅ Skills have trigger keywords
### 3. CLAUDE.md Compliance
**Repository Standards:**
- ✅ Follows plugin structure from CLAUDE.md
- ✅ Uses correct marketplace slug
- ✅ Proper category assignment
- ✅ Valid plugin.json schema
- ✅ Marketplace catalog entry exists
- ✅ Version consistency
**Skills Compliance (if applicable):**
- ✅ SKILL.md has proper frontmatter
- ✅ Description includes trigger keywords
- ✅ allowed-tools specified (if restricted)
- ✅ Clear purpose and instructions
- ✅ Examples provided
### 4. Marketplace Compliance
**Catalog Requirements:**
- ✅ Plugin listed in marketplace.extended.json
- ✅ Source path matches actual location
- ✅ Version matches plugin.json
- ✅ Category is valid
- ✅ No duplicate plugin names
- ✅ Author information complete
### 5. Git Hygiene
**Repository Practices:**
- ✅ No large binary files
- ✅ No node_modules/ committed
- ✅ No .env files
- ✅ Proper .gitignore
- ✅ No merge conflicts
- ✅ Clean commit history
### 6. MCP Plugin Audit (if applicable)
**MCP-Specific Checks:**
- ✅ Valid package.json with @modelcontextprotocol/sdk
- ✅ TypeScript configured correctly
- ✅ dist/ in .gitignore
- ✅ Proper mcp/*.json configuration
- ✅ Build scripts present
- ✅ No dependency vulnerabilities
### 7. Performance Audit
**Efficiency Checks:**
- ✅ No unnecessary file reads
- ✅ Efficient glob patterns
- ✅ No recursive loops
- ✅ Reasonable timeout values
- ✅ No memory leaks (event listeners)
### 8. Accessibility & UX
**User Experience:**
- ✅ Clear error messages
- ✅ Helpful command descriptions
- ✅ Proper usage examples
- ✅ Good README formatting
- ✅ Working demo commands
## Audit Process
When activated, I will:
1. **Security Scan**
```bash
# Run security checks
grep -r "password\|secret\|api_key" plugins/plugin-name/
grep -r "AKIA[0-9A-Z]{16}" plugins/plugin-name/
grep -r "BEGIN.*PRIVATE KEY" plugins/plugin-name/
grep -r "rm -rf /" plugins/plugin-name/
grep -r "eval\(" plugins/plugin-name/
```
2. **Structure Validation**
```bash
# Check required files
test -f .claude-plugin/plugin.json
test -f README.md
test -f LICENSE
# Check component directories
ls -d commands/ agents/ skills/ hooks/ mcp/ 2>/dev/null
```
3. **Best Practices Check**
```bash
# Check for TODO/FIXME
grep -r "TODO\|FIXME" --exclude=README.md
# Check for console.log
grep -r "console\.log" --exclude=README.md
# Check script permissions
find . -name "*.sh" ! -perm -u+x
```
4. **Compliance Verification**
```bash
# Check marketplace entry
jq '.plugins[] | select(.name == "plugin-name")' .claude-plugin/marketplace.extended.json
# Verify version consistency
plugin_version=$(jq -r '.version' .claude-plugin/plugin.json)
market_version=$(jq -r '.plugins[] | select(.name == "plugin-name") | .version' .claude-plugin/marketplace.extended.json)
```
5. **Generate Audit Report**
## Audit Report Format
```
🔍 PLUGIN AUDIT REPORT
Plugin: plugin-name
Version: 1.0.0
Category: security
Audit Date: 2025-10-16
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔒 SECURITY AUDIT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (7/7)
- No hardcoded secrets
- No AWS keys
- No private keys
- No dangerous commands
- No command injection vectors
- HTTPS URLs only
- No obfuscated code
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 BEST PRACTICES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (10/12)
- Proper directory structure
- Required files present
- Semantic versioning
- Clear descriptions
- Comprehensive README
⚠️ WARNINGS (2)
- 3 scripts missing execute permission
Fix: chmod +x scripts/*.sh
- 2 TODO items without issue links
Location: commands/scan.md:45, agents/analyzer.md:67
Recommendation: Create GitHub issues or remove TODOs
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ CLAUDE.MD COMPLIANCE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (6/6)
- Follows plugin structure
- Uses correct marketplace slug
- Proper category assignment
- Valid plugin.json schema
- Marketplace entry exists
- Version consistency
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 QUALITY SCORE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Security: 10/10 ✅
Best Practices: 8/10 ⚠️
Compliance: 10/10 ✅
Documentation: 10/10 ✅
OVERALL SCORE: 9.5/10 (EXCELLENT)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 RECOMMENDATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Priority: MEDIUM
1. Fix script permissions (2 min)
2. Resolve TODO items (10 min)
Optional Improvements:
- Add more usage examples in README
- Include troubleshooting section
- Add GIF/video demo
✅ AUDIT COMPLETE
Plugin is production-ready with minor improvements needed.
```
## Severity Levels
**Critical (🔴):**
- Security vulnerabilities
- Hardcoded secrets
- Dangerous commands
- Missing required files
**High (🟠):**
- Best practice violations
- Missing documentation
- Broken functionality
- Schema violations
**Medium (🟡):**
- Code quality issues
- Missing optional features
- Performance concerns
- UX improvements
**Low (🟢):**
- Style inconsistencies
- Minor documentation gaps
- Nice-to-have features
## Auto-Fix Capabilities
I can automatically fix:
- ✅ Script permissions
- ✅ JSON formatting
- ✅ Markdown formatting
- ✅ Version sync issues
## Repository-Specific Checks
**For claude-code-plugins repo:**
- Validates against CLAUDE.md standards
- Checks marketplace integration
- Verifies category structure
- Ensures quality for featured plugins
- Checks contributor guidelines compliance
## Examples
**User says:** "Audit the security-scanner plugin"
**I automatically:**
1. Run full security scan
2. Check best practices
3. Verify CLAUDE.md compliance
4. Generate comprehensive report
5. Provide recommendations
**User says:** "Is this plugin safe to publish?"
**I automatically:**
1. Security audit (critical)
2. Marketplace compliance
3. Quality score calculation
4. Publish readiness assessment
**User says:** "Quality review before featured status"
**I automatically:**
1. Full audit (all categories)
2. Higher quality thresholds
3. Featured plugin requirements
4. Recommendation: approve/rejectRelated Skills
validate-plugin
Validate a Claude Code plugin directory against the official Anthropic spec and Intent Solutions enterprise standard. Runs structural validation (plugin.json fields, file references, permissions) and content validation (SKILL.md grading, command/agent frontmatter). Use when building a new plugin, preparing for marketplace submission, or auditing existing plugins. Trigger with "validate this plugin", "check plugin structure", "grade my plugin", "/validate-plugin".
fastify-plugin-creator
Fastify Plugin Creator - Auto-activating skill for Backend Development. Triggers on: fastify plugin creator, fastify plugin creator Part of the Backend Development skill category.
container-security-auditor
Container Security Auditor - Auto-activating skill for Security Advanced. Triggers on: container security auditor, container security auditor Part of the Security Advanced skill category.
Plugin Validator
Automatically validates Claude Code plugin structure, schemas, and compliance when user mentions validate plugin, check plugin, or plugin errors. Runs comprehensive validation specific to claude-code-plugins repository standards.
Plugin Creator
Automatically creates new Claude Code plugins with proper structure, validation, and marketplace integration when user mentions creating a plugin, new plugin, or plugin from template. Specific to claude-code-plugins repository workflow.
schema-optimization-orchestrator
Multi-phase schema optimization workflow orchestrator. Creates session directories, spawns phase agents sequentially, validates outputs, aggregates results. Trigger: "run schema optimization", "optimize schema workflow", "execute schema phases"
test-skill
Test skill for E2E validation. Trigger with "run test skill" or "execute test". Use this skill when testing skill activation and tool permissions.
example-skill
Brief description of what this skill does and when the model should activate it. Use when [describe the user's intent or situation]. Trigger with "example phrase", "another trigger", "/example-skill".
testing-visual-regression
Detect visual changes in UI components using screenshot comparison. Use when detecting unintended UI changes or pixel differences. Trigger with phrases like "test visual changes", "compare screenshots", or "detect UI regressions".
generating-unit-tests
Test automatically generate comprehensive unit tests from source code covering happy paths, edge cases, and error conditions. Use when creating test coverage for functions, classes, or modules. Trigger with phrases like "generate unit tests", "create tests for", or "add test coverage".
generating-test-reports
Generate comprehensive test reports with metrics, coverage, and visualizations. Use when performing specialized testing. Trigger with phrases like "generate test report", "create test documentation", or "show test metrics".
orchestrating-test-execution
Test coordinate parallel test execution across multiple environments and frameworks. Use when performing specialized testing. Trigger with phrases like "orchestrate tests", "run parallel tests", or "coordinate test execution".