Use this skill when the user asks to review the security of plugins, scan plugins for vulnerabilities, or audit installed plugins. Also suggest this skill when you notice a new plugin has been added.
Scans installed Claude Code plugins for security vulnerabilities using parallel subagent reviews.
/plugin marketplace add hibukki/yonatans-cc-marketplace
/plugin install quick-review@yonatans-cc-marketplace
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Review installed Claude Code plugins for security issues by launching parallel subagent scans.
Read ~/.claude/settings.json and look at the enabledPlugins object. Each entry has the format:
"plugin-name@marketplace-name": true/false
Only consider plugins where the value is true (enabled). If the file doesn't exist or enabledPlugins is missing, inform the user no plugins are installed.
Plugin source code is cached at:
~/.claude/plugins/cache/{marketplace-name}/{plugin-name}/
For example, hookify@claude-plugins-official would be at:
~/.claude/plugins/cache/claude-plugins-official/hookify/
Note: Local/dev plugins may have different paths (e.g., a local directory the user is developing in). If a plugin isn't found in the cache, ask the user for its path.
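The lookup described above, as an added example (not code from this skill): it lists the enabled plugins from settings.json and resolves each to its cache directory. The function name and the name allow-list are assumptions; keys that fail the allow-list are rejected rather than turned into a path, because the key is used to build a filesystem path.

```python
import json
import re
from pathlib import Path

# Conservative allow-list for name components (an assumption, not a documented rule).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def enabled_plugin_paths(settings_path, cache_root):
    """Return (found, missing, rejected) for the enabled plugins.

    found    -> {key: Path} enabled plugins whose cache directory exists
    missing  -> [key] enabled but not in the cache (ask the user for the path)
    rejected -> [key] malformed keys that must not be turned into a path
    """
    try:
        settings = json.loads(Path(settings_path).read_text(encoding="utf-8"))
    except FileNotFoundError:
        return {}, [], []  # no settings file: no plugins installed
    enabled = settings.get("enabledPlugins") if isinstance(settings, dict) else None
    if not isinstance(enabled, dict):
        return {}, [], []  # enabledPlugins missing: no plugins installed

    found, missing, rejected = {}, [], []
    root = Path(cache_root).resolve()
    for key, value in enabled.items():
        if value is not True:  # only entries set to true are enabled
            continue
        plugin, sep, marketplace = key.rpartition("@")
        if not (sep and SAFE_NAME.fullmatch(plugin) and SAFE_NAME.fullmatch(marketplace)):
            rejected.append(key)  # e.g. "../../.ssh@x" would escape the cache
            continue
        path = (root / marketplace / plugin).resolve()
        if root not in path.parents:  # a symlink must not lead outside the cache
            rejected.append(key)
        elif path.is_dir():
            found[key] = path
        else:
            missing.append(key)  # possibly a local/dev plugin
    return found, missing, rejected
```

Call it with `Path.home() / ".claude/settings.json"` and `Path.home() / ".claude/plugins/cache"`; rejected keys are worth reporting as findings in their own right.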
For each plugin to scan (or a subset if user specified), launch a subagent using the Task tool:
subagent_type: "general-purpose"
run_in_background: true so scans run asynchronously
Prompt template for each subagent:
Security review the Claude Code plugin at: {plugin_path}
Prioritize scanning executable code files (.js, .ts, .sh, .py, hooks/, commands/, agents/) over docs and assets.
Look for:
1. **Command injection risks** - Shell commands built from user input, unsafe exec/spawn calls
2. **Data exfiltration** - Suspicious network calls, sending data to external servers
3. **File system abuse** - Reading/writing sensitive paths (~/.ssh, ~/.aws, credentials files)
4. **Privilege escalation** - Attempts to modify system files or gain elevated access
5. **Obfuscated code** - Base64 encoded strings, eval(), minified code hiding malicious intent
6. **Hook abuse** - Hooks that silently modify behavior or intercept sensitive data
7. **Dependency risks** - Suspicious npm/pip packages, dependencies pinned to specific vulnerable versions
8. **Sandbox bypass** - Use of `dangerouslyDisableSandbox: true` in hook scripts or commands
For each finding, report:
- Severity: Critical / High / Medium / Low
- File and line number
- Description of the risk
- Code snippet if relevant
If no issues found, state that the plugin appears safe.
After all subagents complete, summarize:
enabledPlugins → false), report to marketplace maintainer
User: "Review my installed plugins for security issues"
Action:
User: "Scan only the hookify plugin"
Action:
When you see a user install a new plugin (e.g., via /plugins install command output), say:
"I notice you've added a new plugin. Would you like me to run a security review on it? You can use /plugins-security-review to scan installed plugins."