Skill

plugin-auditor

Audits Claude Code plugins for security vulnerabilities, best practices, CLAUDE.md compliance, marketplace readiness, git hygiene, performance, and UX. Produces scored reports using scans for secrets, dangerous commands, and structure validation.

Bash

Git

security

code-quality

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills

Popularity

Parent stars

2,203

Parent forks

296

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/jeremy-plugin-tool:plugin-auditor

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

ReadGrepBash(cmd:*)

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Audits Claude Code plugins for security vulnerabilities, best practices compliance, CLAUDE.md standards adherence, and marketplace readiness. Produces a scored audit report covering eight categories: security, best practices, CLAUDE.md compliance, marketplace compliance, git hygiene, MCP-specific checks, performance, and UX.

Supporting Files

assets/README.mdreferences/ARD.mdreferences/PRD.mdreferences/README.mdreferences/audit-categories.mdreferences/audit-process.mdreferences/audit-report-format.mdreferences/errors.mdreferences/examples.mdscripts/README.md

SKILL.md

96 lines · ~1.5k tokens

Similar Skills

audit-plugins

Audits Claude Code plugins for manifest validity, component organization, namespace compliance, documentation, and marketplace readiness before releases or periodic checks.

5 tools

claude-ecosystem

grey-haven-plugin-audit

Audits Claude Code plugins for structure validation, frontmatter quality, deprecations, feature adoption, security patterns, and documentation. Ensures changelog compatibility and best practices for releases.

5 files5 tools

plugin-auditor

plugin-validator

2.2k

Validates Claude Code plugin structure, JSON schemas, frontmatter format, security compliance, and marketplace catalog consistency. Triggers on 'validate plugin', 'check plugin', or 'verify' to run CI checks before commit.

10 files3 tools

jeremy-plugin-tool

Stats

LanguagePython

Parent stars2,203

Parent forks296

MaintenanceExcellent

Last CommitApr 30, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Plugin Auditor

Overview

Prerequisites

Read access to the target plugin directory and repository-level .claude-plugin/marketplace.extended.json
jq installed for JSON schema validation
grep and find available on PATH for pattern scanning
Familiarity with the plugin structure defined in CLAUDE.md (.claude-plugin/plugin.json, README.md, LICENSE, component directories)

Instructions

Identify the target plugin path (e.g., plugins/security/plugin-name/). Confirm the directory exists and contains .claude-plugin/plugin.json.
Run a security scan across all plugin files (see ${CLAUDE_SKILL_DIR}/references/audit-categories.md for full pattern list):
- Search for hardcoded secrets, API keys, AWS access keys (AKIA...), and private key headers.
- Detect dangerous commands (rm -rf /, eval(), exec()) and command injection vectors.
- Flag suspicious URLs (non-HTTPS, raw IP addresses) and obfuscated code (base64 decode, hex encoding).
Validate plugin structure and best practices (see ${CLAUDE_SKILL_DIR}/references/audit-process.md):
- Confirm required files exist: plugin.json, README.md, LICENSE.
- Verify semantic versioning format in plugin.json.
- Check that all .sh scripts have execute permissions.
- Scan for TODO/TODO comments without linked issues and console.log() in production code.
Check CLAUDE.md compliance:
- Verify the plugin follows the directory structure specified in the repository CLAUDE.md.
- Confirm plugin.json contains only allowed fields (name, version, description, author, repository, homepage, license, keywords).
- Validate that hooks use ${CLAUDE_PLUGIN_ROOT} instead of hardcoded paths.
Verify marketplace compliance:
- Confirm the plugin has an entry in marketplace.extended.json with matching name, version, category, and source path.
- Check for duplicate plugin names in the catalog.
Assess git hygiene: no committed node_modules/, .env files, large binaries, or merge conflict markers.
For MCP plugins: validate package.json dependencies, TypeScript configuration, dist/ in .gitignore, and build scripts.
Generate a scored audit report following the format in ${CLAUDE_SKILL_DIR}/references/audit-report-format.md, with per-category scores out of 10 and an overall quality rating.

Output

A structured audit report containing:

Plugin identification (name, version, category, audit date)
Per-category results: passed checks, failed checks with fix commands, warnings with recommendations
Numeric quality scores: Security (x/10), Best Practices (x/10), Compliance (x/10), Documentation (x/10)
Overall score and rating (Excellent / Good / Needs Work / Failed)
Prioritized recommendations list with estimated fix time

Error Handling

Error	Cause	Solution
Plugin directory not found	Incorrect path or plugin does not exist	Verify the path matches `plugins/[category]/[name]/` structure
`plugin.json` missing or invalid	File absent or malformed JSON	Create from template or fix JSON syntax with `jq empty .claude-plugin/plugin.json`
Marketplace entry missing	Plugin not yet added to catalog	Add entry to `marketplace.extended.json` and run `pnpm run sync-marketplace`
Version mismatch detected	`plugin.json` and `marketplace.extended.json` carry different versions	Update the stale file to match the authoritative version
Permission denied during scan	Restricted file access	Request read permissions on the plugin directory tree

Examples

Full audit before publishing: Trigger: "Audit the security-scanner plugin." Process: Run all eight audit categories against plugins/security/security-scanner/. Generate a comprehensive report with per-category scores. Report overall rating and prioritized fix list (see ${CLAUDE_SKILL_DIR}/references/examples.md).

Publish readiness check: Trigger: "Is this plugin safe to publish?" Process: Prioritize security audit (critical), then marketplace compliance and quality scoring. Produce a publish readiness assessment with pass/fail verdict.

Featured status review: Trigger: "Quality review before featured status." Process: Run full audit with elevated quality thresholds. Apply featured plugin requirements (higher documentation and test coverage standards). Recommend approve or reject.

Resources

${CLAUDE_SKILL_DIR}/references/audit-categories.md -- all eight audit categories with specific checks
${CLAUDE_SKILL_DIR}/references/audit-process.md -- step-by-step audit execution procedures
${CLAUDE_SKILL_DIR}/references/audit-report-format.md -- report template with scoring rubric
${CLAUDE_SKILL_DIR}/references/examples.md -- audit scenario walkthroughs
${CLAUDE_SKILL_DIR}/references/errors.md -- error handling patterns

plugin-auditor

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

plugin-auditor

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

Plugin Auditor

Overview

Prerequisites

Instructions

Output

Error Handling

Examples

Resources

Similar Skills

Help us improve

Plugin Auditor

Overview

Prerequisites

Instructions

Output

Error Handling

Examples

Resources