Use when analyzing plugin structures, MCP tools, and plugin security patterns.
Analyzes plugin structures and MCP tools for schema compliance, security patterns, and best practices with optional auto-fixes.
npx claudepluginhub agent-sh/enhanceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Analyze plugin structures, MCP tools, and security patterns against best practices.
const args = '$ARGUMENTS'.split(' ').filter(Boolean);
const targetPath = args.find(a => !a.startsWith('--')) || '.';
const fix = args.includes('--fix');
| Platform | Location |
|---|---|
| Claude Code | plugins/*/, .claude-plugin/plugin.json |
| OpenCode | .opencode/plugins/, MCP in opencode.json |
| Codex | MCP in ~/.codex/config.toml |
plugins/ directoryplugin.json, agents, commands, skills--fix (HIGH certainty only)Based on function calling best practices:
Required elements:
{
"name": "verb_noun",
"description": "What it does. When to use. What it returns.",
"input_schema": {
"type": "object",
"properties": {
"param": {
"type": "string",
"description": "Format and example"
}
},
"required": ["param"],
"additionalProperties": false
}
}
The "Intern Test" - Can someone use this tool given only the description?
| Issue | Certainty | Auto-Fix |
|---|---|---|
Missing additionalProperties: false | HIGH | Yes |
Missing required array | HIGH | Yes |
| Missing tool description | HIGH | No |
| Missing param descriptions | MEDIUM | No |
Vague names (search, process) | MEDIUM | No |
Tool descriptions must include:
// Bad - vague
"description": "Search for things"
// Good - complete
"description": "Search product catalog by keyword. Use for inventory queries or price checks. Returns matching products with prices."
Parameter descriptions must include:
// Bad
"query": { "type": "string" }
// Good
"query": {
"type": "string",
"description": "Search keywords. Supports AND/OR. Example: 'laptop AND gaming'"
}
| Issue | Why It Matters |
|---|---|
| Deep nesting (>2 levels) | Reduces generation quality |
| Missing enums for constrained values | Allows invalid states |
| No min/max on numbers | Unbounded inputs |
| >20 tools per plugin | Increases error rates |
Prefer flat structures:
// Bad - nested
{ "config": { "settings": { "timeout": 30 } } }
// Good - flat
{ "timeout_seconds": 30 }
Required files:
plugin-name/
├── .claude-plugin/
│ └── plugin.json # name, version, description
├── commands/ # User-invokable commands
├── agents/ # Subagent definitions
├── skills/ # Reusable skill implementations
└── package.json # Optional, for npm plugins
plugin.json validation:
name: lowercase, kebab-caseversion: semver format (^\d+\.\d+\.\d+$)description: explains what plugin providesVersion sync: plugin.json version must match package.json if present.
For plugins exposing MCP tools:
Transport types:
stdio - Standard I/O (most common)http - HTTP/SSE transportConfiguration:
{
"mcp": {
"server-name": {
"type": "local",
"command": ["node", "path/to/server.js"],
"environment": { "KEY": "value" },
"enabled": true
}
}
}
Security principles:
HIGH Certainty issues:
| Pattern | Risk | Detection |
|---|---|---|
Unrestricted Bash | Command execution | tools:.*Bash[^(] |
| Command injection | Shell escape | \${.*} in commands |
| Path traversal | File access | \.\.\/ in paths |
| Hardcoded secrets | Credential leak | API keys, passwords |
MEDIUM Certainty issues:
| Pattern | Risk |
|---|---|
| Broad file access | Data exfiltration |
| Missing input validation | Injection attacks |
| No timeout on tools | Resource exhaustion |
Input validation required:
// Validate before execution
function validateToolInput(params, schema) {
// Type validation
// Range validation (min/max)
// Enum validation
// Format validation (regex patterns)
}
Tools should return structured errors:
{
"type": "tool_result",
"tool_use_id": "id",
"content": "Error: [TYPE]. [WHAT]. [SUGGESTION].",
"is_error": true
}
Retry guidance:
"Less-is-More" approach:
| Issue | Fix |
|---|---|
Missing additionalProperties | Add "additionalProperties": false |
Missing required | Add all properties to required array |
| Version mismatch | Sync plugin.json with package.json |
## Plugin Analysis: {name}
**Files scanned**: {count}
| Certainty | Count |
|-----------|-------|
| HIGH | {n} |
| MEDIUM | {n} |
### Tool Schema Issues
| Tool | Issue | Fix | Certainty |
### Structure Issues
| File | Issue | Certainty |
### Security Issues
| File | Line | Issue | Certainty |
| Category | Patterns | Certainty |
|---|---|---|
| Tool Schema | 5 | HIGH |
| Descriptions | 2 | HIGH |
| Schema Structure | 4 | MEDIUM |
| Plugin Structure | 3 | HIGH |
| MCP Patterns | 2 | MEDIUM |
| Security | 6 | HIGH/MEDIUM |
| Error Handling | 2 | MEDIUM |
| Tool Count | 1 | LOW |
| Total | 25 | - |
<bad_example>
"description": "Search for things"
</bad_example> <good_example>
"description": "Search product catalog by keyword. Use for inventory or price queries. Returns products with prices."
</good_example>
<bad_example>
tools: Read, Bash # Unrestricted
</bad_example> <good_example>
tools: Read, Bash(git:*) # Scoped
</good_example> </examples>
agent-docs/FUNCTION-CALLING-TOOL-USE-REFERENCE.md - Tool schema, descriptions, securityagent-docs/CLAUDE-CODE-REFERENCE.md - Plugin structure, MCP configagent-docs/OPENCODE-REFERENCE.md - OpenCode MCP integrationagent-docs/CODEX-REFERENCE.md - Codex MCP configYou MUST use this before any creative work - creating features, building components, adding functionality, or modifying behavior. Explores user intent, requirements and design before implementation.