Audit automatically audits AI assistant code plugins for security vulnerabilities, best practices, AI assistant.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. specific to AI assistant-code-plugins repositor... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
79
76% Does it follow best practices?
Impact: Pending (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl:

```
npx tessl skill review --optimize ./plugins/examples/jeremy-plugin-tool/skills/plugin-auditor/SKILL.md
```

Quality

Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers both what the skill does and when to use it, with decent trigger terms. However, it suffers from a truncated repository name, some redundancy in phrasing, and the specific capabilities listed are high-level audit categories rather than concrete actions. The description is functional but could be tighter and more precise.
Suggestions
Fix the truncated text ('repositor...') to show the full repository name, ensuring the scope is unambiguous.
Replace generic audit categories with more concrete actions, e.g., 'checks for injection vulnerabilities, validates input sanitization, verifies assistant.md compliance rules' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | It names the domain (AI assistant code plugins) and lists some actions (audits for security vulnerabilities, best practices, compliance, quality standards), but the actions are somewhat generic audit categories rather than truly concrete, distinct operations like 'scans for SQL injection, checks input validation, verifies authentication flows'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (audits AI assistant code plugins for security vulnerabilities, best practices, compliance, quality standards) and 'when' (explicit 'Use when assessing security or running audits' clause with trigger phrases). Both components are present and explicit. | 3 / 3 |
| Trigger Term Quality | Includes good natural trigger terms: 'audit plugin', 'security review', 'best practices check', 'security scan', 'audit', 'vulnerability'. These cover multiple natural phrasings a user might employ when requesting this functionality. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description is specific to the 'AI assistant-code-plugins repository', which helps narrow scope, but the truncated repository name ('repositor...') weakens clarity. Terms like 'security review' and 'audit' could overlap with general security scanning or code review skills not specific to this plugin context. | 2 / 3 |
| Total | | 10 / 12 Passed |
Implementation: 70%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured skill with strong workflow clarity and excellent progressive disclosure through reference files. Its main weakness is that actionable details (specific grep patterns, concrete commands, executable examples) are deferred to reference files rather than having at least key examples inline, making the skill body more descriptive than executable. The content could also be slightly more concise by trimming the overview and example descriptions.
Suggestions
Include at least one concrete, executable command inline (e.g., a grep pattern for detecting hardcoded secrets) rather than deferring all specifics to reference files.
Trim the Examples section to show actual command invocations or abbreviated report output rather than describing the process abstractly.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient but includes some unnecessary verbosity, such as the overview section restating what the skill does (already clear from context), and the examples section describing triggers and processes at a high level without adding much actionable detail. Some tightening is possible. | 2 / 3 |
| Actionability | The instructions provide a clear sequence of what to check but lack concrete executable commands or code snippets. For example, step 2 says 'search for hardcoded secrets' but doesn't provide the actual grep patterns or commands. The real actionable content is deferred to reference files rather than being inline. | 2 / 3 |
| Workflow Clarity | The eight-step workflow is clearly sequenced with logical ordering (identify target → security scan → structure validation → compliance checks → report generation). The error handling table provides explicit recovery paths, and the output section defines clear deliverables with scoring criteria. | 3 / 3 |
| Progressive Disclosure | Excellent use of progressive disclosure with a clear overview in the main file and well-signaled one-level-deep references to four specific reference files (audit-categories.md, audit-process.md, audit-report-format.md, examples.md). The Resources section provides clean navigation. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |