From claude-ecosystem
Audits Claude Code hooks for config validity, script structure, matchers, env vars, decisions, and tests. Run after hook creation, before releases, or for periodic checks.
npx claudepluginhub melodic-software/claude-code-plugins --plugin claude-ecosystemThis skill is limited to using the following tools:
Audit Claude Code hooks for quality, compliance, and maintainability.
Manages Claude Code repository hooks for adding, configuring, troubleshooting, enabling/disabling, and enforcing rules. Delegates to docs-management for official documentation.
Evaluates security, performance, and SDK compliance of Claude Code hooks for plugins, projects, and global scopes. Use for auditing JSON-based and Python SDK hooks.
Guides writing secure, reliable, performant Claude Code hooks. Validates design decisions, enforces best practices, prevents pitfalls when creating, reviewing, or debugging hooks.
Share bugs, ideas, or general feedback.
Audit Claude Code hooks for quality, compliance, and maintainability.
Before auditing, initialize the environment:
Get the current UTC date, capture the project root path, ensure the temp directory exists, and clean up any stale audit files if the user confirms. The hook-management skill provides authoritative validation guidance (auto-loaded when this command runs).
| Argument | Description |
|---|---|
| (none) | Smart mode: audit only modified, never-audited, or stale (>90 days) hooks |
--force | Audit ALL hooks regardless of status |
--skip-validation | Skip finding validation (faster, but may include false positives) |
--plugin-only | Only audit local plugin hooks |
--project-only | Only audit project hooks (.claude/hooks/) |
--global-only | Only audit globally installed plugin hooks |
hook-name | Audit specific hook(s) by name |
plugin:name | Explicitly target plugin hook |
Detect all hook sources in local repo and globally installed plugins.
For local discovery, check marketplace repos, single plugin repos, and .claude/hooks/. Track plugin names for deduplication.
For global discovery, check ~/.claude/plugins/ (Unix) or %USERPROFILE%\.claude\plugins\ (Windows). Skip globals that have local dev versions.
Parse flags and hook names. Read audit logs for each source.
Display mode, sources discovered, deduplication status, and audit queue.
For each hook, spawn the hook-auditor subagent with source, path, and last audit date. Run in parallel batches of 3-5.
Subagents write findings to .claude/temp/. The main conversation thread collects results and updates audit logs using its Write/Edit tools.
Unless --skip-validation flag is present:
audit-finding-validator agent with:
project_root: The captured project root pathaudit_type: "hook"audit_files: List of .claude/temp/audit-*-hook-*.json file paths.claude/temp/audit-filtered-findings.jsonIf --skip-validation flag is present:
Report total audited by source, results, and details table. Note that global hook fixes must be applied manually.
Include validation statistics (if validation was performed):
Local dev repo plugins take precedence over globally installed versions. Global hooks are read-only - report findings but recommend manual fixes.
| Platform | Global Plugins |
|---|---|
| Unix | ~/.claude/plugins/ |
| Windows | %USERPROFILE%\.claude\plugins\ |
All audit results are written to .claude/audit/hooks.md.
Use /audit-log hooks to view current audit status.
User: /audit-hooks
Claude: Discovering hook sources...
## Audit Plan
**Mode**: SMART
- Plugin: claude-ecosystem (4 hooks)
- Local: .claude/hooks/ (2 hooks)
- Deduplicated: claude-ecosystem (global skipped)
**Will audit**: 3 hooks
[Spawns hook-auditor subagents]
## Audit Complete
| Source | Hook | Result | Score |
| --- | --- | --- | --- |
| plugin | prevent-backup-files | PASS | 100/100 |
User: /audit-hooks plugin:prevent-backup-files
Claude: PASS (Score: 100/100)