
plugin-installer

Install validated Codex plugins from trusted sources with quarantine validation, provenance, and rollback. Use when distribution and installation are the primary goals.

Quality: 44% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./Plugins/plugin-factory/fixtures/budget-archive/2026-04-21/deferred-store/skills/infrastructure_ops/plugin-installer/SKILL.md

Quality

Content

22%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like an architectural design document than an actionable skill. It establishes boundaries, anti-patterns, and constraints well, but critically lacks concrete executable guidance — no code examples, no specific commands (beyond one validation script), and no inline workflow steps. The heavy delegation to unverifiable reference files without even a brief inline workflow summary means Claude would struggle to act on this skill without those files.

Suggestions

Add an inline summary of the staged install workflow with numbered steps and explicit validation checkpoints (e.g., 1. Pin ref → 2. Quarantine → 3. Validate provenance → 4. Install → 5. Verify visibility → 6. Record rollback artifact).

Include at least one concrete, executable example showing the actual commands or code for installing a plugin from a pinned GitHub ref, including expected output format.

Replace the natural language examples with structured input/output examples showing the actual JSON schema for the return object (schema_version, installed_plugin, etc.).

Trim abstract framing in 'Execution Boundaries' and 'Philosophy' sections — Claude doesn't need to be told to 'classify install work' without being shown how.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is moderately efficient but includes some vague, abstract phrasing that doesn't add actionable value (e.g., 'Apply the context-disposition policy: move important still-valid context to references, and intentionally discard stale, duplicated, unsafe, superseded, or low-signal text'). Some sections like 'Philosophy' and 'Execution Boundaries' are padded with conceptual framing rather than concrete instructions. | 2 / 3 |
| Actionability | The skill lacks any concrete, executable code, commands, or specific step-by-step instructions. It describes what should happen at a high level ('Use the staged install protocol', 'Classify install work') but never shows how. The examples section contains natural language prompts rather than executable examples with expected inputs/outputs. The validation bash command is the only concrete executable element. | 1 / 3 |
| Workflow Clarity | The workflow is entirely delegated to 'references/workflow.md' with no inline summary of the actual steps. There are no sequenced steps, no validation checkpoints within the workflow, and no feedback loops described. For a skill involving destructive/write operations with rollback, this is a significant gap. The failure mode section lists when to stop but not how to recover. | 1 / 3 |
| Progressive Disclosure | The skill does reference external files (workflow.md, contract.yaml, evals.yaml, etc.) with clear navigation signals and 'Read when' guidance, which is good structure. However, since no bundle files were provided, we can't verify these references exist. The main issue is that the SKILL.md itself is too thin — it delegates almost everything to references without providing even a minimal inline summary of the workflow, making the overview insufficient on its own. | 2 / 3 |

Total: 6 / 12 (Passed)

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description adequately covers both what the skill does and when to use it, earning full marks on completeness. However, it relies on technical jargon ('quarantine validation', 'provenance') that users are unlikely to use naturally, and the trigger clause 'when distribution and installation are the primary goals' is somewhat vague and could overlap with other installation-related skills.

Suggestions

Replace technical jargon with natural user terms — e.g., instead of 'quarantine validation' and 'provenance', use phrases like 'verify plugin safety', 'check plugin source/origin', or 'security scanning'.

Make the 'Use when' clause more specific with concrete trigger scenarios, e.g., 'Use when the user wants to add, install, or set up a Codex plugin, manage plugin versions, or revert a plugin to a previous version'.

Add common keyword variations users might say, such as 'add plugin', 'plugin setup', 'extension', 'uninstall', or 'revert plugin'.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Names the domain (Codex plugins) and several actions (install, quarantine validation, provenance, rollback), but these are somewhat abstract concepts rather than concrete user-facing actions. It doesn't detail specific steps like 'download from registry, verify signatures, run sandbox tests.' | 2 / 3 |
| Completeness | Clearly answers both what ('Install validated Codex plugins from trusted sources with quarantine validation, provenance, and rollback') and when ('Use when distribution and installation are the primary goals'), with an explicit 'Use when' clause. | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'install', 'plugins', 'rollback', and 'Codex', but 'quarantine validation' and 'provenance' are technical jargon unlikely to appear in natural user requests. Missing common variations like 'add plugin', 'plugin setup', 'extension', or 'package'. | 2 / 3 |
| Distinctiveness Conflict Risk | The 'Codex plugins' domain is fairly specific, but the phrase 'distribution and installation' is broad enough to potentially overlap with other installation or package management skills. The 'Use when' clause is vague about what distinguishes this from other plugin-related skills. | 2 / 3 |

Total: 9 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| metadata_version | 'metadata.version' is missing | Warning |

Total: 10 / 11 (Passed)

Repository: jscraik/Agent-Skills (Reviewed)
