intent-solutions-io/Plugin Auditor
010-archive/backups-20251108/plugin-enhancements/plugin-backups/skills-powerkit_20251019_164014/skills/plugin-auditor/SKILL.md
Automatically audits Claude Code plugins for security vulnerabilities, best practices, CLAUDE.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. Specific to claude-code-plugins repository standards.
$ install --global
skillsauthnpx skillsauth add intent-solutions-io/plugins-nixtla Plugin AuditorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 11:46 PM5.5s1 file scanned
SKILL.md
- name:
- Plugin Auditor
- description:
- Automatically audits Claude Code plugins for security vulnerabilities, best practices, CLAUDE.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. Specific to claude-code-plugins repository standards.
- allowed-tools:
- Read, Grep, Bash
Plugin Auditor
Purpose
Automatically audits Claude Code plugins for security vulnerabilities, best practice violations, CLAUDE.md compliance, and quality standards - optimized for claude-code-plugins repository requirements.
Trigger Keywords
- "audit plugin"
- "security review" or "security audit"
- "best practices check"
- "plugin quality"
- "compliance check"
- "plugin security"
Audit Categories
1. Security Audit
Critical Checks:
- ❌ No hardcoded secrets (passwords, API keys, tokens)
- ❌ No AWS keys (AKIA...)
- ❌ No private keys (BEGIN PRIVATE KEY)
- ❌ No dangerous commands (rm -rf /, eval(), exec())
- ❌ No command injection vectors
- ❌ No suspicious URLs (IP addresses, non-HTTPS)
- ❌ No obfuscated code (base64 decode, hex encoding)
Security Patterns:
# Check for hardcoded secrets
grep -r "password\s*=\s*['\"]" --exclude-dir=node_modules
grep -r "api_key\s*=\s*['\"]" --exclude-dir=node_modules
grep -r "secret\s*=\s*['\"]" --exclude-dir=node_modules
# Check for AWS keys
grep -r "AKIA[0-9A-Z]{16}" --exclude=README.md
# Check for private keys
grep -r "BEGIN.*PRIVATE KEY" --exclude=README.md
# Check for dangerous patterns
grep -r "rm -rf /" | grep -v "/var/" | grep -v "/tmp/"
grep -r "eval\s*\(" --exclude=README.md
2. Best Practices Audit
Plugin Structure:
- ✅ Proper directory hierarchy
- ✅ Required files present
- ✅ Semantic versioning (x.y.z)
- ✅ Clear, concise descriptions
- ✅ Proper LICENSE file (MIT/Apache-2.0)
- ✅ Comprehensive README
- ✅ At least 5 keywords
Code Quality:
- ✅ No TODO/FIXME without issue links
- ✅ No console.log() in production code
- ✅ No hardcoded paths (/home/, /Users/)
- ✅ Uses
${CLAUDE_PLUGIN_ROOT}in hooks - ✅ Scripts have proper shebangs
- ✅ All scripts are executable
Documentation:
- ✅ README has installation section
- ✅ README has usage examples
- ✅ README has clear description
- ✅ Commands have proper frontmatter
- ✅ Agents have model specified
- ✅ Skills have trigger keywords
3. CLAUDE.md Compliance
Repository Standards:
- ✅ Follows plugin structure from CLAUDE.md
- ✅ Uses correct marketplace slug
- ✅ Proper category assignment
- ✅ Valid plugin.json schema
- ✅ Marketplace catalog entry exists
- ✅ Version consistency
Skills Compliance (if applicable):
- ✅ SKILL.md has proper frontmatter
- ✅ Description includes trigger keywords
- ✅ allowed-tools specified (if restricted)
- ✅ Clear purpose and instructions
- ✅ Examples provided
4. Marketplace Compliance
Catalog Requirements:
- ✅ Plugin listed in marketplace.extended.json
- ✅ Source path matches actual location
- ✅ Version matches plugin.json
- ✅ Category is valid
- ✅ No duplicate plugin names
- ✅ Author information complete
5. Git Hygiene
Repository Practices:
- ✅ No large binary files
- ✅ No node_modules/ committed
- ✅ No .env files
- ✅ Proper .gitignore
- ✅ No merge conflicts
- ✅ Clean commit history
6. MCP Plugin Audit (if applicable)
MCP-Specific Checks:
- ✅ Valid package.json with @modelcontextprotocol/sdk
- ✅ TypeScript configured correctly
- ✅ dist/ in .gitignore
- ✅ Proper mcp/*.json configuration
- ✅ Build scripts present
- ✅ No dependency vulnerabilities
7. Performance Audit
Efficiency Checks:
- ✅ No unnecessary file reads
- ✅ Efficient glob patterns
- ✅ No recursive loops
- ✅ Reasonable timeout values
- ✅ No memory leaks (event listeners)
8. Accessibility & UX
User Experience:
- ✅ Clear error messages
- ✅ Helpful command descriptions
- ✅ Proper usage examples
- ✅ Good README formatting
- ✅ Working demo commands
Audit Process
When activated, I will:
-
Security Scan
# Run security checks grep -r "password\|secret\|api_key" plugins/plugin-name/ grep -r "AKIA[0-9A-Z]{16}" plugins/plugin-name/ grep -r "BEGIN.*PRIVATE KEY" plugins/plugin-name/ grep -r "rm -rf /" plugins/plugin-name/ grep -r "eval\(" plugins/plugin-name/ -
Structure Validation
# Check required files test -f .claude-plugin/plugin.json test -f README.md test -f LICENSE # Check component directories ls -d commands/ agents/ skills/ hooks/ mcp/ 2>/dev/null -
Best Practices Check
# Check for TODO/FIXME grep -r "TODO\|FIXME" --exclude=README.md # Check for console.log grep -r "console\.log" --exclude=README.md # Check script permissions find . -name "*.sh" ! -perm -u+x -
Compliance Verification
# Check marketplace entry jq '.plugins[] | select(.name == "plugin-name")' .claude-plugin/marketplace.extended.json # Verify version consistency plugin_version=$(jq -r '.version' .claude-plugin/plugin.json) market_version=$(jq -r '.plugins[] | select(.name == "plugin-name") | .version' .claude-plugin/marketplace.extended.json) -
Generate Audit Report
Audit Report Format
🔍 PLUGIN AUDIT REPORT
Plugin: plugin-name
Version: 1.0.0
Category: security
Audit Date: 2025-10-16
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔒 SECURITY AUDIT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (7/7)
- No hardcoded secrets
- No AWS keys
- No private keys
- No dangerous commands
- No command injection vectors
- HTTPS URLs only
- No obfuscated code
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 BEST PRACTICES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (10/12)
- Proper directory structure
- Required files present
- Semantic versioning
- Clear descriptions
- Comprehensive README
⚠️ WARNINGS (2)
- 3 scripts missing execute permission
Fix: chmod +x scripts/*.sh
- 2 TODO items without issue links
Location: commands/scan.md:45, agents/analyzer.md:67
Recommendation: Create GitHub issues or remove TODOs
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ CLAUDE.MD COMPLIANCE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (6/6)
- Follows plugin structure
- Uses correct marketplace slug
- Proper category assignment
- Valid plugin.json schema
- Marketplace entry exists
- Version consistency
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 QUALITY SCORE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Security: 10/10 ✅
Best Practices: 8/10 ⚠️
Compliance: 10/10 ✅
Documentation: 10/10 ✅
OVERALL SCORE: 9.5/10 (EXCELLENT)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 RECOMMENDATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Priority: MEDIUM
1. Fix script permissions (2 min)
2. Resolve TODO items (10 min)
Optional Improvements:
- Add more usage examples in README
- Include troubleshooting section
- Add GIF/video demo
✅ AUDIT COMPLETE
Plugin is production-ready with minor improvements needed.
Severity Levels
Critical (🔴):
- Security vulnerabilities
- Hardcoded secrets
- Dangerous commands
- Missing required files
High (🟠):
- Best practice violations
- Missing documentation
- Broken functionality
- Schema violations
Medium (🟡):
- Code quality issues
- Missing optional features
- Performance concerns
- UX improvements
Low (🟢):
- Style inconsistencies
- Minor documentation gaps
- Nice-to-have features
Auto-Fix Capabilities
I can automatically fix:
- ✅ Script permissions
- ✅ JSON formatting
- ✅ Markdown formatting
- ✅ Version sync issues
Repository-Specific Checks
For claude-code-plugins repo:
- Validates against CLAUDE.md standards
- Checks marketplace integration
- Verifies category structure
- Ensures quality for featured plugins
- Checks contributor guidelines compliance
Examples
User says: "Audit the security-scanner plugin"
I automatically:
- Run full security scan
- Check best practices
- Verify CLAUDE.md compliance
- Generate comprehensive report
- Provide recommendations
User says: "Is this plugin safe to publish?"
I automatically:
- Security audit (critical)
- Marketplace compliance
- Quality score calculation
- Publish readiness assessment
User says: "Quality review before featured status"
I automatically:
- Full audit (all categories)
- Higher quality thresholds
- Featured plugin requirements
- Recommendation: approve/reject
Related Skills
intent-solutions-io/managing-test-environments
testing
VerifiedTrustedCommunity
This skill enables Claude to manage isolated test environments using Docker Compose, Testcontainers, and environment variables. It is used to create consistent, reproducible testing environments for software projects. Claude should use this skill when the user needs to set up a test environment with specific configurations, manage Docker Compose files for test infrastructure, set up programmatic container management with Testcontainers, manage environment variables for tests, or ensure cleanup after tests. Trigger terms include "test environment", "docker compose", "testcontainers", "environment variables", "isolated environment", "env-setup", and "test setup".
6SKILL.mdUpdated Jun 5, 2026
intent-solutions-io/generating-test-doubles
tools
VerifiedTrustedCommunity
This skill uses the test-doubles-generator plugin to automatically create mocks, stubs, spies, and fakes for unit testing. It analyzes dependencies in the code and generates appropriate test doubles based on the chosen testing framework, such as Jest, Sinon, or others. Use this skill when you need to generate test doubles, mocks, stubs, spies, or fakes to isolate units of code during testing. Trigger this skill by requesting test double generation or using the `/gen-doubles` or `/gd` command.
6SKILL.mdUpdated Jun 5, 2026
intent-solutions-io/generating-test-data
tools
VerifiedTrustedCommunity
This skill enables Claude to generate realistic test data for software development. It uses the test-data-generator plugin to create users, products, orders, and custom schemas for comprehensive testing. Use this skill when you need to populate databases, simulate user behavior, or create fixtures for automated tests. Trigger phrases include "generate test data", "create fake users", "populate database", "generate product data", "create test orders", or "generate data based on schema". This skill is especially useful for populating testing environments or creating sample data for demonstrations.
6SKILL.mdUpdated Jun 5, 2026
intent-solutions-io/analyzing-test-coverage
development
VerifiedTrustedCommunity
This skill analyzes code coverage metrics to identify untested code and generate comprehensive coverage reports. It is triggered when the user requests analysis of code coverage, identification of coverage gaps, or generation of coverage reports. The skill is best used to improve code quality by ensuring adequate test coverage and identifying areas for improvement. Use trigger terms like "analyze coverage", "code coverage report", "untested code", or the shortcut "cov".
6SKILL.mdUpdated Jun 5, 2026