lidge-jun/plankton-code-quality
plankton-code-quality/SKILL.md
Write-time code quality enforcement using Plankton — auto-formatting, linting, and agent-powered fixes on every file edit via hooks.
$ install --global
skillsauthnpx skillsauth add lidge-jun/cli-jaw-skills plankton-code-qualityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 10:49 AM122.2s1 file scanned
SKILL.md
- name:
- plankton-code-quality
- description:
- Write-time code quality enforcement using Plankton — auto-formatting, linting, and agent-powered fixes on every file edit via hooks.
Plankton Code Quality
Integration reference for Plankton (credit: @alxfazio), a write-time code quality enforcement system. Plankton runs formatters and linters on every file edit via PostToolUse hooks, then spawns agent subprocesses to fix violations.
When to Use
- Automatic formatting and linting on every file edit (not just at commit time)
- Defense against agents modifying linter configs to pass instead of fixing code
- Tiered model routing for fixes (light model for style, standard for logic, advanced for types)
- Multi-language projects (Python, TypeScript, Shell, YAML, JSON, TOML, Markdown, Dockerfile)
Three-Phase Architecture
Every time an agent edits or writes a file, Plankton's multi_linter.sh PostToolUse hook runs:
Phase 1: Auto-Format (Silent)
├─ Runs formatters (ruff format, biome, shfmt, taplo, markdownlint)
├─ Fixes 40–50% of issues silently
└─ No output to main agent
Phase 2: Collect Violations (JSON)
├─ Runs linters and collects unfixable violations
├─ Returns structured JSON: {line, column, code, message, linter}
└─ Still no output to main agent
Phase 3: Delegate + Verify
├─ Spawns subprocess with violations JSON
├─ Routes to model tier based on violation complexity:
│ ├─ Light: formatting, imports, style — 120s timeout
│ ├─ Standard: complexity, refactoring — 300s timeout
│ └─ Advanced: type system, deep reasoning — 600s timeout
├─ Re-runs Phase 1+2 to verify fixes
└─ Exit 0 if clean, Exit 2 if violations remain (reported to main agent)
What the Main Agent Sees
| Scenario | Agent sees | Hook exit |
|----------|-----------|-----------|
| No violations | Nothing | 0 |
| All fixed by subprocess | Nothing | 0 |
| Violations remain after subprocess | [hook] N violation(s) remain | 2 |
| Advisory (duplicates, old tooling) | [hook:advisory] ... | 0 |
Most quality problems are resolved transparently.
Config Protection
Agents may modify linter configs to disable rules rather than fix code. Plankton blocks this with:
- PreToolUse hook —
protect_linter_configs.shblocks edits to linter configs before they happen - Stop hook —
stop_config_guardian.shdetects config changes viagit diffat session end - Protected files —
.ruff.toml,biome.json,.shellcheckrc,.yamllint,.hadolint.yaml, etc.
Package Manager Enforcement
A PreToolUse hook on Bash blocks legacy package managers:
pip,pip3,poetry,pipenv→ blocked (useuv)npm,yarn,pnpm→ blocked (usebun)- Exceptions:
npm audit,npm view,npm publish
Setup
# Clone Plankton (credit: @alxfazio)
git clone https://github.com/alexfazio/plankton.git
cd plankton
# Install core dependencies
brew install jaq ruff uv
# Install Python linters
uv sync --all-extras
Hooks in .claude/settings.json activate automatically.
Per-Project Integration
- Copy
.claude/hooks/directory to your project - Copy
.claude/settings.jsonhook configuration - Copy linter config files (
.ruff.toml,biome.json, etc.) - Install the linters for your languages
Language Dependencies
| Language | Required | Optional |
|----------|----------|----------|
| Python | ruff, uv | ty (types), vulture (dead code), bandit (security) |
| TypeScript/JS | biome | oxlint, semgrep, knip (dead exports) |
| Shell | shellcheck, shfmt | — |
| YAML | yamllint | — |
| Markdown | markdownlint-cli2 | — |
| Dockerfile | hadolint (≥ 2.12.0) | — |
| TOML | taplo | — |
| JSON | jaq | — |
Configuration Reference
Plankton's .claude/hooks/config.json controls all behavior:
{
"languages": {
"python": true,
"shell": true,
"yaml": true,
"json": true,
"toml": true,
"dockerfile": true,
"markdown": true,
"typescript": {
"enabled": true,
"js_runtime": "auto",
"biome_nursery": "warn",
"semgrep": true
}
},
"phases": {
"auto_format": true,
"subprocess_delegation": true
},
"subprocess": {
"tiers": {
"light": { "timeout": 120, "max_turns": 10 },
"standard": { "timeout": 300, "max_turns": 10 },
"advanced": { "timeout": 600, "max_turns": 15 }
},
"volume_threshold": 5
}
}
Key settings:
- Disable unused languages to speed up hooks
volume_threshold— violations above this count auto-escalate to a higher model tiersubprocess_delegation: false— skip Phase 3, just report violations
Environment Overrides
| Variable | Purpose |
|----------|---------|
| HOOK_SKIP_SUBPROCESS=1 | Skip Phase 3, report violations directly |
| HOOK_SUBPROCESS_TIMEOUT=N | Override tier timeout |
| HOOK_DEBUG_MODEL=1 | Log model selection decisions |
| HOOK_SKIP_PM=1 | Bypass package manager enforcement |
References
- Plankton (credit: @alxfazio)
Related Skills
lidge-jun/goal
development
VerifiedTrustedCommunity
Goal execution guidelines with PABCD integration, verification tiers, documentation workflow, and AI-driven planning
4SKILL.mdUpdated Jun 5, 2026
lidge-jun/xurl
tools
VerifiedTrustedCommunity
A CLI tool for making authenticated requests to the X (Twitter) API. Use this skill when you need to post tweets, reply, quote, search, read posts, manage followers, send DMs, upload media, or interact with any X API v2 endpoint.
4SKILL.mdUpdated May 7, 2026
lidge-jun/xlsx_original
development
VerifiedTrustedCommunity
Use this skill any time a spreadsheet file is the primary input or output (.xlsx, .xlsm, .csv, .tsv). This includes: creating, reading, editing, analyzing, or formatting spreadsheets; cleaning messy tabular data; converting between formats; and data visualization with charts. Also use for pandas-based data analysis when the deliverable is a spreadsheet. Do NOT trigger when the primary deliverable is a Word document, HTML report, standalone Python script, database pipeline, or Google Sheets API integration.
4SKILL.mdUpdated May 6, 2026
lidge-jun/officecli-financial-model
tools
VerifiedTrustedCommunity
Use this skill when the user wants to build a financial model, 3-statement model, DCF valuation, cap table, scenario analysis, or financial projections in Excel. Trigger on: 'financial model', '3-statement model', 'DCF', 'cap table', 'pro forma', 'projections', 'sensitivity analysis', 'waterfall', 'debt schedule', 'break-even', 'discounted cash flow', 'capitalization table', 'fundraising model', 'WACC calculation', 'scenario analysis model'. Input is a text prompt with assumptions. Output is a single .xlsx file with formula-driven, interconnected statement sheets.
4SKILL.mdUpdated May 6, 2026