
plugin-auditor

Audit automatically audits AI assistant code plugins for security vulnerabilities, best practices, AI assistant.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. specific to AI assistant-code-plugins repositor... Use when assessing security or running audits. Trigger with phrases like 'security scan', 'audit', or 'vulnerability'.

59

Quality: Does it follow best practices?

Impact: No eval scenarios have been run

Security by Snyk: Passed (no known issues)


Quality

Content (57%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is well-organized with strong progressive disclosure pointing to real reference files, but the workflow lacks explicit validation checkpoints, several steps stay abstract while delegating detail to references, and the Resources section duplicates inline links.

Suggestions

Add explicit validation checkpoints between audit steps (e.g., 'Confirm plugin.json parses with jq empty before proceeding to category scans') to catch errors early in the batch scan and lift workflow clarity.

Replace abstract steps like 'Verify the plugin follows the directory structure' and 'Assess git hygiene' with concrete checks (specific paths, specific grep patterns) or inline the key patterns rather than only delegating to audit-categories.md.

Remove the redundant Resources section that re-lists references already linked inline, or consolidate the inline links into it, to tighten token usage.

Dimension / Reasoning / Score

Conciseness (2 / 3)
The body is mostly efficient and free of concept-explanation fluff, but the trailing Resources section re-lists references already linked inline and some bullet detail could be tightened, matching the level-2 'mostly efficient but could be tightened' anchor.

Actionability (2 / 3)
It gives concrete patterns and commands ('AKIA...', 'rm -rf /', 'eval()', 'jq empty', '${CLAUDE_PLUGIN_ROOT}'), but several steps are abstract ('Verify the plugin follows the directory structure specified in the repository CLAUDE.md', 'Assess git hygiene') and the detailed scanning logic is delegated to references, landing at level 2.

Workflow Clarity (2 / 3)
The eight steps are clearly numbered and sequenced with an error-handling table for recovery, but there are no explicit validation checkpoints between steps for what is a multi-file batch scan, matching the level-2 'sequence present but checkpoints missing' anchor.

Progressive Disclosure (3 / 3)
The body is a concise overview that points to one-level-deep, clearly signaled references (audit-categories.md, audit-process.md, audit-report-format.md, examples.md, errors.md), all of which exist in references/, matching the level-3 'clear overview with well-signaled one-level-deep references' anchor.

Total: 9 / 12 (Passed)

Description (82%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description clearly communicates what the skill does and when to invoke it with strong natural trigger terms, though the prose is grammatically rough (run-on sentence, truncated 'repositor...') and the trigger terms are broad enough to risk overlap with general security skills.

Dimension / Reasoning / Score

Specificity (2 / 3)
It names the domain and concrete audit targets ('security vulnerabilities, best practices, AI assistant.md compliance, and quality standards'), but relies on a single verb ('audits') applied to a list of nouns rather than multiple distinct concrete actions, so it stops short of the level-3 anchor.

Completeness (3 / 3)
It explicitly answers both what ('audits AI assistant code plugins for security vulnerabilities, best practices...') and when ('Use when assessing security or running audits. Trigger with phrases like...'), satisfying the level-3 anchor with an explicit 'Use when' clause.

Trigger Term Quality (3 / 3)
It surfaces natural terms users would actually say ('audit plugin', 'security review', 'best practices check', 'security scan', 'audit', and 'vulnerability'), giving good coverage matching the level-3 anchor.

Distinctiveness / Conflict Risk (2 / 3)
The plugin-specific niche ('specific to AI assistant-code-plugins repositor...') helps, but the trigger terms 'audit', 'vulnerability', and 'security scan' are generic security language that could overlap with other security skills, matching the level-2 'somewhat specific but could still overlap' anchor.

Total: 10 / 12 (Passed)

Validation (87%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 14 / 16 Passed

Validation for skill structure

Criteria / Description / Result

allowed_tools_field: Warning
'allowed-tools' contains unusual tool name(s)

frontmatter_unknown_keys: Warning
Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 14 / 16 (Passed)

Repository: jeremylongshore/claude-code-plugins-plus-skills (Reviewed)
