MCP HubMCP Hub
返回技能列表

Plugin Auditor

jeremylongshore
更新于 Today
75 次查看
1,053
135
1,053
在 GitHub 上查看
开发aiautomation

关于

Plugin Auditor automatically reviews Claude Code plugins for security vulnerabilities, best practices, and compliance with repository standards. It triggers when users mention audit, security review, or best practices checks, scanning for issues like hardcoded secrets and dangerous commands. This tool uses Read, Grep, and Bash to perform its automated code audits.

快速安装

Claude Code

推荐
插件命令推荐
/plugin add https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Git 克隆备选方式
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills.git ~/.claude/skills/Plugin Auditor

在 Claude Code 中复制并粘贴此命令以安装该技能

技能文档

Plugin Auditor

Purpose

Automatically audits Claude Code plugins for security vulnerabilities, best practice violations, CLAUDE.md compliance, and quality standards - optimized for claude-code-plugins repository requirements.

Trigger Keywords

  • "audit plugin"
  • "security review" or "security audit"
  • "best practices check"
  • "plugin quality"
  • "compliance check"
  • "plugin security"

Audit Categories

1. Security Audit

Critical Checks:

  • ❌ No hardcoded secrets (passwords, API keys, tokens)
  • ❌ No AWS keys (AKIA...)
  • ❌ No private keys (BEGIN PRIVATE KEY)
  • ❌ No dangerous commands (rm -rf /, eval(), exec())
  • ❌ No command injection vectors
  • ❌ No suspicious URLs (IP addresses, non-HTTPS)
  • ❌ No obfuscated code (base64 decode, hex encoding)

Security Patterns:

# Check for hardcoded secrets
grep -r "password\s*=\s*['\"]" --exclude-dir=node_modules
grep -r "api_key\s*=\s*['\"]" --exclude-dir=node_modules
grep -r "secret\s*=\s*['\"]" --exclude-dir=node_modules

# Check for AWS keys
grep -r "AKIA[0-9A-Z]{16}" --exclude=README.md

# Check for private keys
grep -r "BEGIN.*PRIVATE KEY" --exclude=README.md

# Check for dangerous patterns
grep -r "rm -rf /" | grep -v "/var/" | grep -v "/tmp/"
grep -r "eval\s*\(" --exclude=README.md

2. Best Practices Audit

Plugin Structure:

  • ✅ Proper directory hierarchy
  • ✅ Required files present
  • ✅ Semantic versioning (x.y.z)
  • ✅ Clear, concise descriptions
  • ✅ Proper LICENSE file (MIT/Apache-2.0)
  • ✅ Comprehensive README
  • ✅ At least 5 keywords

Code Quality:

  • ✅ No TODO/FIXME without issue links
  • ✅ No console.log() in production code
  • ✅ No hardcoded paths (/home/, /Users/)
  • ✅ Uses ${CLAUDE_PLUGIN_ROOT} in hooks
  • ✅ Scripts have proper shebangs
  • ✅ All scripts are executable

Documentation:

  • ✅ README has installation section
  • ✅ README has usage examples
  • ✅ README has clear description
  • ✅ Commands have proper frontmatter
  • ✅ Agents have model specified
  • ✅ Skills have trigger keywords

3. CLAUDE.md Compliance

Repository Standards:

  • ✅ Follows plugin structure from CLAUDE.md
  • ✅ Uses correct marketplace slug
  • ✅ Proper category assignment
  • ✅ Valid plugin.json schema
  • ✅ Marketplace catalog entry exists
  • ✅ Version consistency

Skills Compliance (if applicable):

  • ✅ SKILL.md has proper frontmatter
  • ✅ Description includes trigger keywords
  • ✅ allowed-tools specified (if restricted)
  • ✅ Clear purpose and instructions
  • ✅ Examples provided

4. Marketplace Compliance

Catalog Requirements:

  • ✅ Plugin listed in marketplace.extended.json
  • ✅ Source path matches actual location
  • ✅ Version matches plugin.json
  • ✅ Category is valid
  • ✅ No duplicate plugin names
  • ✅ Author information complete

5. Git Hygiene

Repository Practices:

  • ✅ No large binary files
  • ✅ No node_modules/ committed
  • ✅ No .env files
  • ✅ Proper .gitignore
  • ✅ No merge conflicts
  • ✅ Clean commit history

6. MCP Plugin Audit (if applicable)

MCP-Specific Checks:

  • ✅ Valid package.json with @modelcontextprotocol/sdk
  • ✅ TypeScript configured correctly
  • ✅ dist/ in .gitignore
  • ✅ Proper mcp/*.json configuration
  • ✅ Build scripts present
  • ✅ No dependency vulnerabilities

7. Performance Audit

Efficiency Checks:

  • ✅ No unnecessary file reads
  • ✅ Efficient glob patterns
  • ✅ No recursive loops
  • ✅ Reasonable timeout values
  • ✅ No memory leaks (event listeners)

8. Accessibility & UX

User Experience:

  • ✅ Clear error messages
  • ✅ Helpful command descriptions
  • ✅ Proper usage examples
  • ✅ Good README formatting
  • ✅ Working demo commands

Audit Process

When activated, I will:

  1. Security Scan

    # Run security checks
grep -r "password\|secret\|api_key" plugins/plugin-name/
grep -r "AKIA[0-9A-Z]{16}" plugins/plugin-name/
grep -r "BEGIN.*PRIVATE KEY" plugins/plugin-name/
grep -r "rm -rf /" plugins/plugin-name/
grep -r "eval\(" plugins/plugin-name/

  2. Structure Validation

    # Check required files
test -f .claude-plugin/plugin.json
test -f README.md
test -f LICENSE

# Check component directories
ls -d commands/ agents/ skills/ hooks/ mcp/ 2>/dev/null

  3. Best Practices Check

    # Check for TODO/FIXME
grep -r "TODO\|FIXME" --exclude=README.md

# Check for console.log
grep -r "console\.log" --exclude=README.md

# Check script permissions
find . -name "*.sh" ! -perm -u+x

  4. Compliance Verification

    # Check marketplace entry
jq '.plugins[] | select(.name == "plugin-name")' .claude-plugin/marketplace.extended.json

# Verify version consistency
plugin_version=$(jq -r '.version' .claude-plugin/plugin.json)
market_version=$(jq -r '.plugins[] | select(.name == "plugin-name") | .version' .claude-plugin/marketplace.extended.json)

  5. Generate Audit Report

Audit Report Format

🔍 PLUGIN AUDIT REPORT
Plugin: plugin-name
Version: 1.0.0
Category: security
Audit Date: 2025-10-16

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔒 SECURITY AUDIT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

✅ PASSED (7/7)
- No hardcoded secrets
- No AWS keys
- No private keys
- No dangerous commands
- No command injection vectors
- HTTPS URLs only
- No obfuscated code

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 BEST PRACTICES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

✅ PASSED (10/12)
- Proper directory structure
- Required files present
- Semantic versioning
- Clear descriptions
- Comprehensive README

⚠️  WARNINGS (2)
- 3 scripts missing execute permission
  Fix: chmod +x scripts/*.sh

- 2 TODO items without issue links
  Location: commands/scan.md:45, agents/analyzer.md:67
  Recommendation: Create GitHub issues or remove TODOs

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ CLAUDE.MD COMPLIANCE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

✅ PASSED (6/6)
- Follows plugin structure
- Uses correct marketplace slug
- Proper category assignment
- Valid plugin.json schema
- Marketplace entry exists
- Version consistency

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 QUALITY SCORE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Security:        10/10 ✅
Best Practices:   8/10 ⚠️
Compliance:      10/10 ✅
Documentation:   10/10 ✅

OVERALL SCORE: 9.5/10 (EXCELLENT)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 RECOMMENDATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Priority: MEDIUM
1. Fix script permissions (2 min)
2. Resolve TODO items (10 min)

Optional Improvements:
- Add more usage examples in README
- Include troubleshooting section
- Add GIF/video demo

✅ AUDIT COMPLETE
Plugin is production-ready with minor improvements needed.

Severity Levels

Critical (🔴):

  • Security vulnerabilities
  • Hardcoded secrets
  • Dangerous commands
  • Missing required files

High (🟠):

  • Best practice violations
  • Missing documentation
  • Broken functionality
  • Schema violations

Medium (🟡):

  • Code quality issues
  • Missing optional features
  • Performance concerns
  • UX improvements

Low (🟢):

  • Style inconsistencies
  • Minor documentation gaps
  • Nice-to-have features

Auto-Fix Capabilities

I can automatically fix:

  • ✅ Script permissions
  • ✅ JSON formatting
  • ✅ Markdown formatting
  • ✅ Version sync issues

Repository-Specific Checks

For claude-code-plugins repo:

  • Validates against CLAUDE.md standards
  • Checks marketplace integration
  • Verifies category structure
  • Ensures quality for featured plugins
  • Checks contributor guidelines compliance

Examples

User says: "Audit the security-scanner plugin"

I automatically:

  1. Run full security scan
  2. Check best practices
  3. Verify CLAUDE.md compliance
  4. Generate comprehensive report
  5. Provide recommendations

User says: "Is this plugin safe to publish?"

I automatically:

  1. Security audit (critical)
  2. Marketplace compliance
  3. Quality score calculation
  4. Publish readiness assessment

User says: "Quality review before featured status"

I automatically:

  1. Full audit (all categories)
  2. Higher quality thresholds
  3. Featured plugin requirements
  4. Recommendation: approve/reject

GitHub 仓库

jeremylongshore/claude-code-plugins-plus-skills
路径: backups/plugin-enhancements/plugin-backups/skills-powerkit_20251020_012455/skills/plugin-auditor
aiautomationclaude-codedevopsmarketplacemcp

相关推荐技能

content-collections

Content Collections 是一个 TypeScript 优先的构建工具,可将本地 Markdown/MDX 文件转换为类型安全的数据集合。它专为构建博客、文档站和内容密集型 Vite+React 应用而设计,提供基于 Zod 的自动模式验证。该工具涵盖从 Vite 插件配置、MDX 编译到生产环境部署的完整工作流。

查看技能

sglang

SGLang是一个专为LLM设计的高性能推理框架,特别适用于需要结构化输出的场景。它通过RadixAttention前缀缓存技术,在处理JSON、正则表达式、工具调用等具有重复前缀的复杂工作流时,能实现极速生成。如果你正在构建智能体或多轮对话系统,并追求远超vLLM的推理性能,SGLang是理想选择。

查看技能

evaluating-llms-harness

测试

该Skill通过60+个学术基准测试(如MMLU、GSM8K等)评估大语言模型质量,适用于模型对比、学术研究及训练进度追踪。它支持HuggingFace、vLLM和API接口,被EleutherAI等行业领先机构广泛采用。开发者可通过简单命令行快速对模型进行多任务批量评估。

查看技能

langchain

LangChain是一个用于构建LLM应用程序的框架,支持智能体、链和RAG应用开发。它提供多模型提供商支持、500+工具集成、记忆管理和向量检索等核心功能。开发者可用它快速构建聊天机器人、问答系统和自主代理,适用于从原型验证到生产部署的全流程。

查看技能