From enhance
Analyzes plugin structures, MCP tools, and security patterns in Claude Code, OpenCode, and Codex against best practices. Reports issues by certainty and auto-fixes high-confidence ones with --fix.
npx claudepluginhub agent-sh/enhance --plugin enhanceThis skill uses the workspace's default tool permissions.
Analyze plugin structures, MCP tools, and security patterns against best practices.
Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.
Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.
Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.
Analyze plugin structures, MCP tools, and security patterns against best practices.
const args = '$ARGUMENTS'.split(' ').filter(Boolean);
const targetPath = args.find(a => !a.startsWith('--')) || '.';
const fix = args.includes('--fix');
| Platform | Location |
|---|---|
| Claude Code | plugins/*/, .claude-plugin/plugin.json |
| OpenCode | .opencode/plugins/, MCP in opencode.json |
| Codex | MCP in ~/.codex/config.toml |
plugins/ directoryplugin.json, agents, commands, skills--fix (HIGH certainty only)Based on function calling best practices:
Required elements:
{
"name": "verb_noun",
"description": "What it does. When to use. What it returns.",
"input_schema": {
"type": "object",
"properties": {
"param": {
"type": "string",
"description": "Format and example"
}
},
"required": ["param"],
"additionalProperties": false
}
}
The "Intern Test" - Can someone use this tool given only the description?
| Issue | Certainty | Auto-Fix |
|---|---|---|
Missing additionalProperties: false | HIGH | Yes |
Missing required array | HIGH | Yes |
| Missing tool description | HIGH | No |
| Missing param descriptions | MEDIUM | No |
Vague names (search, process) | MEDIUM | No |
Tool descriptions must include:
// Bad - vague
"description": "Search for things"
// Good - complete
"description": "Search product catalog by keyword. Use for inventory queries or price checks. Returns matching products with prices."
Parameter descriptions must include:
// Bad
"query": { "type": "string" }
// Good
"query": {
"type": "string",
"description": "Search keywords. Supports AND/OR. Example: 'laptop AND gaming'"
}
| Issue | Why It Matters |
|---|---|
| Deep nesting (>2 levels) | Reduces generation quality |
| Missing enums for constrained values | Allows invalid states |
| No min/max on numbers | Unbounded inputs |
| >20 tools per plugin | Increases error rates |
Prefer flat structures:
// Bad - nested
{ "config": { "settings": { "timeout": 30 } } }
// Good - flat
{ "timeout_seconds": 30 }
Required files:
plugin-name/
├── .claude-plugin/
│ └── plugin.json # name, version, description
├── commands/ # User-invokable commands
├── agents/ # Subagent definitions
├── skills/ # Reusable skill implementations
└── package.json # Optional, for npm plugins
plugin.json validation:
name: lowercase, kebab-caseversion: semver format (^\d+\.\d+\.\d+$)description: explains what plugin providesVersion sync: plugin.json version must match package.json if present.
For plugins exposing MCP tools:
Transport types:
stdio - Standard I/O (most common)http - HTTP/SSE transportConfiguration:
{
"mcp": {
"server-name": {
"type": "local",
"command": ["node", "path/to/server.js"],
"environment": { "KEY": "value" },
"enabled": true
}
}
}
Security principles:
HIGH Certainty issues:
| Pattern | Risk | Detection |
|---|---|---|
Unrestricted Bash | Command execution | tools:.*Bash[^(] |
| Command injection | Shell escape | \${.*} in commands |
| Path traversal | File access | \.\.\/ in paths |
| Hardcoded secrets | Credential leak | API keys, passwords |
MEDIUM Certainty issues:
| Pattern | Risk |
|---|---|
| Broad file access | Data exfiltration |
| Missing input validation | Injection attacks |
| No timeout on tools | Resource exhaustion |
Input validation required:
// Validate before execution
function validateToolInput(params, schema) {
// Type validation
// Range validation (min/max)
// Enum validation
// Format validation (regex patterns)
}
Tools should return structured errors:
{
"type": "tool_result",
"tool_use_id": "id",
"content": "Error: [TYPE]. [WHAT]. [SUGGESTION].",
"is_error": true
}
Retry guidance:
"Less-is-More" approach:
| Issue | Fix |
|---|---|
Missing additionalProperties | Add "additionalProperties": false |
Missing required | Add all properties to required array |
| Version mismatch | Sync plugin.json with package.json |
## Plugin Analysis: {name}
**Files scanned**: {count}
| Certainty | Count |
|-----------|-------|
| HIGH | {n} |
| MEDIUM | {n} |
### Tool Schema Issues
| Tool | Issue | Fix | Certainty |
### Structure Issues
| File | Issue | Certainty |
### Security Issues
| File | Line | Issue | Certainty |
| Category | Patterns | Certainty |
|---|---|---|
| Tool Schema | 5 | HIGH |
| Descriptions | 2 | HIGH |
| Schema Structure | 4 | MEDIUM |
| Plugin Structure | 3 | HIGH |
| MCP Patterns | 2 | MEDIUM |
| Security | 6 | HIGH/MEDIUM |
| Error Handling | 2 | MEDIUM |
| Tool Count | 1 | LOW |
| Total | 25 | - |
<bad_example>
"description": "Search for things"
</bad_example> <good_example>
"description": "Search product catalog by keyword. Use for inventory or price queries. Returns products with prices."
</good_example>
<bad_example>
tools: Read, Bash # Unrestricted
</bad_example> <good_example>
tools: Read, Bash(git:*) # Scoped
</good_example>
agent-docs/FUNCTION-CALLING-TOOL-USE-REFERENCE.md - Tool schema, descriptions, securityagent-docs/CLAUDE-CODE-REFERENCE.md - Plugin structure, MCP configagent-docs/OPENCODE-REFERENCE.md - OpenCode MCP integrationagent-docs/CODEX-REFERENCE.md - Codex MCP config