Audit automatically audits AI assistant code plugins for security vulnerabilities, best practices, AI assistant.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. specific to AI assistant-code-plugins repositor... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.
Overall score: 71

Quality (Does it follow best practices?): 66%

Impact: Pending (no eval scenarios have been run)

Passed (no known issues)

Optimize this skill with Tessl:

`npx tessl skill review --optimize ./plugins/examples/jeremy-plugin-tool/skills/plugin-auditor/SKILL.md`

Quality
Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description covers both what the skill does and when to use it, with decent trigger terms. However, it suffers from a truncated repository name, some redundancy in phrasing, and the specific actions could be more concrete (e.g., what specific checks or outputs). The description is functional but could be tightened and made more precise.
Suggestions
Fix the truncated repository name ('repositor...') to provide the full context, improving clarity and distinctiveness.
Add more concrete action details such as specific checks performed (e.g., 'checks for injection vulnerabilities, validates input sanitization, verifies assistant.md compliance rules') to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | It names the domain (AI assistant code plugins) and lists some actions (audits for security vulnerabilities, best practices, compliance, quality standards), but the actions are somewhat generic and not deeply concrete (e.g., doesn't specify what specific checks are performed or what outputs are produced). | 2 / 3 |
| Completeness | Clearly answers both 'what' (audits AI assistant code plugins for security vulnerabilities, best practices, compliance, quality standards) and 'when' (explicit 'Use when assessing security or running audits' clause with trigger phrases). Both are explicitly stated. | 3 / 3 |
| Trigger Term Quality | Includes good natural trigger terms: 'audit plugin', 'security review', 'best practices check', 'security scan', 'audit', 'vulnerability'. These are terms users would naturally say when requesting this kind of work. | 3 / 3 |
| Distinctiveness / Conflict Risk | It's fairly specific to AI assistant code plugins, which helps, but the truncated repository name ('repositor...') weakens clarity. Terms like 'security review' and 'audit' could overlap with general security scanning or code review skills not specific to this plugin ecosystem. | 2 / 3 |
| Total | 10 / 12 Passed | |
Implementation: 50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a well-organized audit framework with clear categories and a logical sequence, but falls short on actionability — it describes what to check without providing executable commands or concrete code. The workflow lacks validation checkpoints between steps, and the content could be more concise by removing the overview restatement and relying more heavily on the referenced files for details like error handling.
Suggestions
Add concrete, executable grep/find commands for each security scan pattern (e.g., `grep -rnE 'AKIA[0-9A-Z]{16}' plugins/security/plugin-name/`; the `-E` matters, because without extended-regex mode the `{16}` interval is not parsed and the command silently matches nothing) instead of describing what to search for.
Insert explicit validation checkpoints in the workflow, such as 'If any CRITICAL security findings in step 2, halt audit and report immediately' to create proper feedback loops.
Move the error handling table to the referenced errors.md file and keep only a brief pointer in the main SKILL.md to reduce duplication and improve conciseness.
Make the Examples section more actionable by showing a concrete snippet of expected audit output rather than just describing the process at a high level.
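The grep-and-gate pattern the suggestions above describe, as an added example that is not part of the reviewed skill or of Tessl's tooling: a bash scan using extended-regex patterns for hardcoded credentials and dangerous commands, a validation checkpoint that halts the audit on any CRITICAL finding, and a one-line severity summary for the report. The check names, severities, regexes and the fixture files are illustrative assumptions chosen for this example, not the skill's actual audit-categories.md.

```shell
#!/usr/bin/env bash
# Added example (not the reviewed skill's own code): a minimal plugin audit
# scan with copy-paste grep patterns, a CRITICAL/HIGH gate and a summary line.
# Assumptions: the plugin is a directory passed as an argument; the check
# names, severities and patterns below are illustrative, not the skill's.

# tag SEVERITY CHECK: prefix each stdin line with severity and check name.
tag() {
  local line
  while IFS= read -r line; do
    printf '%s\t%s\t%s\n' "$1" "$2" "$line"
  done
}

# scan_plugin DIR: print findings as "SEVERITY<TAB>check<TAB>file:line:text".
# -E enables extended regex (so {16} and alternation parse), -I skips binaries.
scan_plugin() {
  local dir="$1"
  # CRITICAL: AWS access key ID literal (AKIA + 16 upper-case alphanumerics)
  grep -rnIE 'AKIA[0-9A-Z]{16}' "$dir" | tag CRITICAL hardcoded-aws-key
  # CRITICAL: private key material committed to the plugin
  grep -rnIE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$dir" | tag CRITICAL private-key-material
  # HIGH: dynamic code execution (eval/exec) of strings the plugin did not build
  grep -rnIE '(^|[^A-Za-z0-9_])(eval|exec)[[:space:]]*\(' "$dir" | tag HIGH dynamic-exec
  # HIGH: recursive delete aimed at root or the home directory
  grep -rnIE 'rm[[:space:]]+-[a-zA-Z]*r[a-zA-Z]*[[:space:]]+(/|~)' "$dir" | tag HIGH dangerous-command
  # MEDIUM: required skill manifest missing
  [ -f "$dir/SKILL.md" ] || printf 'MEDIUM\tmissing-skill-md\t%s\n' "$dir/SKILL.md"
  return 0
}

# audit_gate FINDINGS: the validation checkpoint. Returns 2 when at least one
# CRITICAL finding exists (halt and report), 1 for HIGH only, 0 when clean.
audit_gate() {
  if printf '%s\n' "$1" | grep -q '^CRITICAL'; then return 2; fi
  if printf '%s\n' "$1" | grep -q '^HIGH'; then return 1; fi
  return 0
}

# summarize FINDINGS: per-severity counts, e.g. "CRITICAL=1 HIGH=1 MEDIUM=0".
summarize() {
  local c h m
  c=$(printf '%s\n' "$1" | grep -c '^CRITICAL' || true)
  h=$(printf '%s\n' "$1" | grep -c '^HIGH' || true)
  m=$(printf '%s\n' "$1" | grep -c '^MEDIUM' || true)
  printf 'CRITICAL=%s HIGH=%s MEDIUM=%s' "$c" "$h" "$m"
}

# make_fixture: a constructed sample plugin (fake key, not a real credential)
# so the scan can run offline; prints the directory path.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/scripts"
  printf 'export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n' > "$dir/scripts/deploy.sh"
  printf 'result = eval(user_input)\n' > "$dir/scripts/run.py"
  printf '# example plugin\n' > "$dir/SKILL.md"
  printf '%s' "$dir"
}

# run_audit DIR: scan, print the report, apply the gate; exit status is the
# gate result so a caller (or CI) can stop before scoring.
run_audit() {
  local findings rc=0
  findings=$(scan_plugin "$1")
  printf '== Audit of %s ==\n%s\n' "$1" "$findings"
  printf 'Summary: %s\n' "$(summarize "$findings")"
  audit_gate "$findings" || rc=$?
  if [ "$rc" -eq 2 ]; then
    echo 'HALT: CRITICAL findings; fix and re-scan before scoring.'
  fi
  return "$rc"
}

# Usage: run_audit "$(make_fixture)"   # exits 2 on the fixture above
```

The report the suggestion asks for is what `run_audit` prints: one tab-separated finding per line, the summary counts, and an explicit HALT line when the gate fires, so the agent reports CRITICAL issues before it continues to the scoring steps.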
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient but includes some unnecessary verbosity, such as the full Overview section restating what the skill does, and the Examples section describing processes at a high level without adding much actionable detail. The error handling table is useful but could be tighter. | 2 / 3 |
| Actionability | The instructions provide a clear sequence of what to check (hardcoded secrets, dangerous commands, file structure) with some specific patterns (e.g., 'AKIA...', 'eval()', 'exec()'), but lack executable commands or concrete code snippets. Most guidance is descriptive ('search for', 'detect', 'flag') rather than providing copy-paste ready grep/find commands. | 2 / 3 |
| Workflow Clarity | The eight-step workflow is clearly sequenced and covers the audit process well. However, there are no explicit validation checkpoints or feedback loops: no step says 'if security issues found, stop and report before continuing' or 'verify fixes before re-scoring.' For an audit process that could flag critical security issues, missing validation gates caps this at 2. | 2 / 3 |
| Progressive Disclosure | The skill references five external files in a references directory (audit-categories.md, audit-process.md, audit-report-format.md, examples.md, errors.md) with clear signaling and one-level-deep structure, which is good. However, no bundle files were provided, so we cannot verify these references exist or are well-structured. The main file also includes an error handling table and examples that partially duplicate what the referenced files presumably contain, suggesting suboptimal content splitting. | 2 / 3 |
| Total | 8 / 12 Passed | |
Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
3a2d27d