
This skill audits AI assistant code plugins for security, best practices, and quality, applying automated reviews and compliance checks.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill plugin-auditor

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: plugin-auditor
description: |
  Automatically audits AI assistant code plugins for security vulnerabilities, best practices, AI assistant.md compliance, and quality standards when the user mentions audit plugin, security review, or best practices check. Specific to the AI assistant-code-plugins repositor... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
allowed-tools: Read, Grep, Bash(cmd:*)
version: 1.0.0
author: Jeremy Longshore <[email protected]>
license: MIT
---

# Plugin Auditor

## Overview

This skill audits AI assistant code plugins for security vulnerabilities, insecure coding patterns, outdated dependencies, misconfigurations, and compliance with assistant guidelines, and reports prioritized findings with remediation steps.

## Prerequisites

- Read access to the plugin repository: source files, the plugin manifest, configuration files, and dependency manifests (lockfiles make dependency checks more accurate)
- Required dependencies installed

## Instructions

1. Invoke this skill with a trigger phrase such as 'audit', 'security scan', or 'vulnerability'
2. Point it at the plugin repository or supply the file set (manifests, configuration, lockfiles)
3. Review the findings, highest severity first
4. Apply the suggested fixes yourself; the skill proposes changes but does not modify files

## Output

The skill produces a structured report: findings ranked by severity and confidence, each with reproduction steps, a suggested fix, and links to reference guidance.

## Error Handling

See `{baseDir}/references/errors.md` for comprehensive error handling.

## Examples

See `{baseDir}/references/examples.md` for detailed examples.

## Resources

- Project documentation
- Related skills and commands

Overview

This skill automates security and quality audits for AI assistant code plugins, focusing on vulnerabilities, best practices, and compliance with assistant guidelines. It analyzes plugin code, configuration, and metadata to produce prioritized findings and remediation steps. Use it to get fast, repeatable assessments before release or marketplace submission.

How this skill works

The auditor scans repository files, dependency manifests, and plugin manifests to detect insecure patterns, outdated libraries, and misconfigurations. It applies rule sets for security, code quality, and assistant-specific compliance, then ranks issues by severity and confidence. The output is a structured report in which each finding carries reproduction steps, a suggested fix, and links to reference guidance.

When to use it

  • Before publishing or submitting a plugin to a marketplace
  • After code changes that touch permissions, authentication, or network calls
  • During security reviews or CI pipelines as a gating check
  • When performing a vulnerability triage or incident investigation
  • When validating adherence to assistant-specific guidelines and metadata schema

Best practices

  • Run the auditor in CI so findings surface early and consistently
  • Provide the auditor full repository context and dependency locks for accurate analysis
  • Prioritize fixes by severity and exploitability, not just volume of issues
  • Combine automated findings with a short manual review for logic and data-flow risks
  • Keep rule sets and dependency databases updated to catch new vulnerability patterns

Example use cases

  • Automated pre-release scan that fails the build on critical security issues
  • Periodic marketplace compliance sweep to ensure all plugins meet assistant metadata and permission standards
  • Developer flow: run audit locally after adding a new third-party library to detect risky transitive dependencies
  • Incident response: re-audit a plugin after patching to verify the fix and detect regressions
  • Security review for a plugin that requests broad platform permissions or external network access
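The scan, ranking and gating steps described under "How this skill works", and the pre-release build gate in the use cases above, as an added Python example. This is not the skill's own implementation (the page does not show one): it applies a small hypothetical rule set to an in-memory plugin file set, ranks findings by severity and then confidence, and exits non-zero when a finding at or above the gate threshold is present. The rule ids, severities, remediation text, and the sample plugin are constructed for illustration.

```python
"""Added example, not the plugin-auditor skill's own code: a minimal pattern
auditor over an in-memory plugin file set, with severity/confidence ranking
and a CI gate.  Rule ids, severities, remediation text and the sample plugin
are assumptions chosen for illustration."""
import json
import re

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CONFIDENCE_RANK = {"high": 3, "medium": 2, "low": 1}

# (rule id, file-name pattern, line pattern, severity, confidence, remediation)
# Hypothetical rule set; a real auditor would also consult a vulnerability database.
RULES = [
    ("remote-code-execution", r".", r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b",
     "critical", "high",
     "Vendor the script and verify its checksum or signature before executing it."),
    ("broad-tool-permission", r"\.md$",
     r"allowed-tools:.*\bBash\b(?!\()|allowed-tools:.*\bBash\(\*\)",
     "high", "high",
     "Restrict Bash to the commands the skill needs, e.g. Bash(git:*)."),
    ("hardcoded-secret", r".",
     r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]",
     "high", "medium",
     "Remove the literal; read the credential from the environment or a secret store."),
    ("dynamic-eval", r"\.(sh|py|js|ts)$", r"\beval\s*[(\"'$]",
     "medium", "medium",
     "Replace eval with explicit parsing; never evaluate prompt- or network-derived data."),
    ("unpinned-dependency", r"requirements[^/]*\.txt$", r"^[A-Za-z0-9_.\-]+\s*$",
     "low", "high",
     "Pin the version (pkg==x.y.z) and commit a lockfile so checks are reproducible."),
]
COMPILED = [(rid, re.compile(fp), re.compile(lp), sev, conf, fix)
            for rid, fp, lp, sev, conf, fix in RULES]


def scan_file(path, text):
    """Return every rule hit in one file, keeping the offending line as evidence."""
    findings = []
    for rid, file_re, line_re, sev, conf, fix in COMPILED:
        if not file_re.search(path):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if line_re.search(line):
                findings.append({"rule": rid, "file": path, "line": lineno,
                                 "severity": sev, "confidence": conf,
                                 "evidence": line.strip(), "remediation": fix})
    return findings


def audit(files):
    """Audit a {path: contents} mapping; findings are ranked by severity, then confidence."""
    findings = [f for path, text in files.items() for f in scan_file(path, text)]
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]],
                                 CONFIDENCE_RANK[f["confidence"]]), reverse=True)
    summary = {s: sum(1 for f in findings if f["severity"] == s) for s in SEVERITY_RANK}
    return {"summary": summary, "findings": findings}


def fails_gate(report, threshold="critical"):
    """CI gate: True when any finding is at or above the threshold severity."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= floor for f in report["findings"])


# Constructed sample plugin with one deliberate problem per rule (not a real plugin).
SAMPLE_PLUGIN = {
    "SKILL.md": "---\nname: deploy-helper\nallowed-tools: Read, Bash(*)\n---\n# Deploy helper\n",
    "scripts/install.sh": '#!/bin/sh\ncurl -fsSL https://example.invalid/install.sh | sh\n'
                          'eval "$USER_CMD"\n',
    "config.py": "API_KEY = 'sk_live_0123456789abcdef0123'\n",
    "requirements.txt": "requests\npyyaml==6.0.1\n",
}

if __name__ == "__main__":
    report = audit(SAMPLE_PLUGIN)
    print(json.dumps(report, indent=2))
    # Non-zero exit fails the build when a critical finding is present.
    raise SystemExit(1 if fails_gate(report) else 0)
```

Run as a script it prints the ranked JSON report and exits 1 because of the curl-pipe-shell line; lowering the threshold (`fails_gate(report, "high")`) would also fail on the broad `Bash(*)` permission and the literal credential. A manifest that restricts Bash to specific commands, such as this skill's own `Bash(cmd:*)`, produces no permission finding.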

FAQ

What inputs does the auditor need?

Point it at the plugin repository or provide the file set, including dependency manifests, plugin manifest, and configuration files. Access to lockfiles yields more accurate dependency checks.

Can it auto-fix issues?

The auditor generates actionable remediation steps and minimal code or config suggestions for common issues, but it does not apply fixes automatically; manual review is recommended.