
This skill audits plugins for marketplace compliance, identifying critical and major issues and guiding refactor and validation steps.

npx playbooks add skill git-fg/thecattoolkit --skill auditing-plugins


SKILL.md
---
name: auditing-plugins
description: "Comprehensive plugin auditing for compliance with marketplace best practices. MUST Use when validating, refactoring, or improving plugin quality. Do not use for creating new plugins, scaffolding components, or development tasks."
allowed-tools: [Read, Grep, Glob, Bash]
---

# Plugin Audit Protocol
### 2. Issue Detection & Classification

**Critical Issues (Fix Immediately):**
- Unrestricted Bash permissions in Agents
- Missing `disable-model-invocation` in Commands (if marketplace requires)
- Hardcoded paths between Skills (no deep linking)
- Missing frontmatter fields (name, description)

**Major Issues (Fix Soon):**
- SKILL.md files exceeding marketplace size limits without progressive disclosure
- Commands with embedded logic (not simple wrappers)
- Inconsistent naming conventions
- Missing reference links

**Minor Issues (Fix When Convenient):**
- Typos in descriptions
- Inconsistent formatting
- Missing optional metadata fields

### 3. Audit Process

1. **Discover Marketplace Guidelines**
   - Read marketplace README or documentation
   - Identify specific standards and patterns
   - Understand validation requirements
   - Note marketplace-specific naming conventions

2. **Scan Frontmatter**
   - Validate name, description fields
   - Check tool permissions and whitelists
   - Verify frontmatter structure per marketplace standards

3. **Analyze Architecture**
   - Identify Skills without progressive disclosure
   - Check for deep linking between Skills
   - Verify Command wrapper patterns
   - Compare against marketplace patterns

4. **Security Review**
   - Scan for unrestricted permissions
   - Validate tool usage per marketplace security model
   - Check for forbidden patterns in marketplace docs

5. **Compliance Check**
   - Run marketplace's validation tools
   - Review all validation errors and warnings
   - Prioritize fixes by severity
   - Cross-reference with marketplace checklist

## Audit Methodology

### Step 1: Marketplace Discovery
Before auditing, gather marketplace context:

```
1. Read: MARKETPLACE_README.md or docs/ directory
2. Identify: Marketplace-specific standards document
3. Note: Naming conventions and patterns
4. Understand: Validation tools and processes
5. Check: Example plugins for reference
```

### Step 2: Pattern Recognition
Adapt your audit to marketplace conventions:

- **Description Patterns:** Some marketplaces use the Standard description pattern, others the Enhanced one
- **File Organization:** Check if marketplace has specific directory structure requirements
- **Validation Tools:** Identify and use marketplace-specific validators
- **Size Limits:** Note SKILL.md line count limits per marketplace standards

### Step 3: Comprehensive Scan
Apply marketplace-validated standards:

```
1. Frontmatter validation (name, description, required fields)
2. Permission model validation (per marketplace security model)
3. Architecture compliance (progressive disclosure, wrapper patterns)
4. Reference integrity (all links valid)
5. Marketplace-specific requirements
```

### Step 4: Issue Prioritization
Classify issues by marketplace impact:

- **Critical:** Breaks marketplace requirements or security
- **Major:** Violates marketplace best practices
- **Minor:** Cosmetic or style issues
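As an added example (not code from this skill or the thecattoolkit project), the script below mechanises the checks from "Issue Detection & Classification" and the Audit Process steps above: it parses each component's frontmatter, flags the critical and major findings named in the classification, and verifies reference links. It assumes a 500-line SKILL.md limit as a placeholder default, treats the scoped permission form `Bash(git:*)` as restricted, and uses a `../` link prefix as the marker of a hardcoded path into a sibling Skill; the sample plugin is constructed.

```python
import posixpath
import re

REQUIRED_FIELDS = ("name", "description")

def parse_frontmatter(text):
    """Frontmatter between the leading '---' lines as a dict; {} when absent."""
    m = re.match(r"^---\n(.*?)\n---\n", text, re.S)
    if not m:
        return {}
    pairs = (line.partition(":") for line in m.group(1).splitlines())
    return {k.strip(): v.strip().strip('"') for k, sep, v in pairs if sep}

def unrestricted_bash(allowed_tools):
    """Bare 'Bash' grants any shell command; a scoped 'Bash(git:*)' is assumed OK."""
    return "Bash" in re.findall(r"[A-Za-z]+(?:\([^)]*\))?", allowed_tools)

def audit_file(path, text, kind, plugin_files, max_lines=500):
    """Audit one 'skill', 'agent' or 'command' file -> [(severity, issue, location)].
    max_lines=500 is an assumed default; use the marketplace's real SKILL.md limit."""
    fm = parse_frontmatter(text)
    issues = [("CRITICAL", f"Missing frontmatter field '{f}'", path)
              for f in REQUIRED_FIELDS if not fm.get(f)]
    if kind == "agent" and unrestricted_bash(fm.get("allowed-tools", "")):
        issues.append(("CRITICAL", "Unrestricted Bash permissions in Agent", path))
    if kind == "command" and "disable-model-invocation" not in fm:
        issues.append(("CRITICAL", "Missing disable-model-invocation in Command", path))
    if kind == "skill" and len(text.splitlines()) > max_lines:
        issues.append(("MAJOR", f"SKILL.md exceeds {max_lines} lines", path))
    for target in re.findall(r"\]\(([^)]+)\)", text):  # markdown link targets
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
        if target.startswith("../"):  # assumed marker of a path into a sibling Skill
            issues.append(("CRITICAL", f"Hardcoded path between Skills: {target}", path))
        elif not target.startswith("http") and resolved not in plugin_files:
            issues.append(("MAJOR", f"Missing reference link: {target}", path))
    return issues

def audit_plugin(files):
    """Audit a whole plugin given {plugin-relative path: (kind, file text)}."""
    return [i for p, (k, t) in files.items() for i in audit_file(p, t, k, set(files))]

# Constructed sample plugin (not a real project) with one finding of each kind.
SAMPLE = {
    "skills/audit/SKILL.md": ("skill", '---\nname: audit\ndescription: ""\n---\n'
        "See [list](references/checklist.md) and [peer](../peer/SKILL.md).\n"),
    "agents/runner.md": ("agent", "---\nname: runner\ndescription: runs tasks\n"
        "allowed-tools: [Read, Bash]\n---\nbody\n"),
    "commands/lint.md": ("command", "---\nname: lint\ndescription: wrapper\n---\nbody\n"),
}
FINDINGS = audit_plugin(SAMPLE)  # 5 findings: 4 CRITICAL, 1 MAJOR
```

Each tuple in `FINDINGS` maps directly onto the `## [SEVERITY] Issue Name` / `**Location:**` lines of the Output Format below; the remaining fields (impact, fix, reference) still come from the marketplace documentation the auditor has read.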

## Output Format

**For Each Issue:**
```
## [SEVERITY] Issue Name
**Location:** file_path
**Description:** What is wrong
**Marketplace Impact:** How this affects marketplace compliance
**Fix:** Specific steps to resolve
**Reference:** Marketplace documentation section
```

**Summary:**
```
## Audit Summary
- Total Issues: N
- Critical: N
- Major: N
- Minor: N
- Files Audited: N
- Marketplace Guidelines Applied: [list]
- Validation Tools Used: [list]
```

## Reference Resources

- **See:** [checklist.md](references/checklist.md) - Adaptable validation checklist template
- **See:** [patterns.md](references/patterns.md) - Common anti-patterns and fixes
- **See:** [marketplace-customization.md](references/marketplace-customization.md) - How to adapt to different marketplaces
- **See:** [security.md](references/security.md) - Security best practices
- **See:** [compliance.md](references/compliance.md) - Compliance framework

## Marketplace Adaptation

Each marketplace may have unique requirements:

- **Documentation Location:** Some put guidelines in README.md, others in docs/ directory
- **Validation Tools:** Different marketplaces use different validators
- **Patterns:** Some require Standard descriptions, others Enhanced
- **File Organization:** Directory structure may vary
- **Size Limits:** SKILL.md limits may differ

Always adapt your audit process to the specific marketplace you're working with.

Overview

This skill performs comprehensive plugin audits to ensure compliance with marketplace best practices. It is designed for validating, refactoring, and improving existing plugin quality and security. Do not use this skill to create new plugins, scaffold components, or perform development tasks.

How this skill works

The skill scans plugin metadata, command patterns, permissions, and architecture against marketplace-specific guidelines. It detects and classifies issues by severity (critical, major, minor), runs security and compliance checks, and produces actionable reports with prioritized fixes and references to the applied marketplace rules. Outputs follow a consistent issue template so fixes can be tracked and implemented easily.

When to use it

  • Validating an existing plugin before submission to a marketplace
  • Refactoring plugins to meet updated marketplace requirements
  • Performing a security review focused on permissions and tool usage
  • Prioritizing remediation work by severity for quality teams
  • Checking documentation and metadata completeness for compliance

Best practices

  • Gather and read the target marketplace’s official documentation and validator tools before auditing
  • Validate frontmatter metadata fields (name, description, permissions) early in the scan
  • Prioritize fixes: address critical security and compliance issues first
  • Verify command patterns are simple wrappers and avoid embedding business logic in commands
  • Ensure progressive disclosure and avoid hardcoded inter-plugin paths or deep linking
  • Cross-reference every reported issue with the marketplace section that mandates the rule

Example use cases

  • Pre-submission compliance audit to catch blockers early
  • Security review to detect unrestricted shell or tool permissions in agents
  • Quality improvement pass to align naming conventions, formatting, and metadata
  • Refactor planning: identify where commands should be simplified into wrappers
  • Compliance verification after adopting a new marketplace validation tool

FAQ

Will this audit create or modify plugin code for me?

No. The skill analyzes and reports issues and remediation steps; developers must implement fixes in the codebase.

What kinds of issues are treated as critical?

Critical issues include unrestricted shell (Bash) permissions in agents, a missing `disable-model-invocation` flag in commands where the marketplace requires it, hardcoded cross-plugin paths, and missing essential metadata fields (name, description).

Can this adapt to different marketplaces?

Yes. The audit process begins by discovering marketplace-specific rules and validators, and then applies adapted patterns, size limits, and naming conventions relevant to that marketplace.