zhongwei/gh-jeremylongshore-claude-code-plugins-plus-plugins-examples-skills-powerkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0b1f4556bc6393f0fa068d6d662e4d4316b0455d
gh-jeremylongshore-claude-c…/skills/plugin-auditor/SKILL.md
Zhongwei Li 0b1f4556bc Initial commit
2025-11-30 08:20:15 +08:00

343 lines
9.6 KiB
Markdown
Raw Blame History

---
name: plugin-auditor
description: |
Automatically audits Claude Code plugins for security vulnerabilities, best practices, CLAUDE.md compliance, and quality standards when user mentions audit plugin, security review, or best practices check. Specific to claude-code-plugins repository standards.
allowed-tools: Read, Grep, Bash
version: 1.0.0
---
# Plugin Auditor
## Purpose
Automatically audits Claude Code plugins for security vulnerabilities, best practice violations, CLAUDE.md compliance, and quality standards - optimized for claude-code-plugins repository requirements.
## Trigger Keywords
- "audit plugin"
- "security review" or "security audit"
- "best practices check"
- "plugin quality"
- "compliance check"
- "plugin security"
## Audit Categories
### 1. Security Audit
**Critical Checks:**
- ❌ No hardcoded secrets (passwords, API keys, tokens)
- ❌ No AWS keys (AKIA...)
- ❌ No private keys (BEGIN PRIVATE KEY)
- ❌ No dangerous commands (rm -rf /, eval(), exec())
- ❌ No command injection vectors
- ❌ No suspicious URLs (IP addresses, non-HTTPS)
- ❌ No obfuscated code (base64 decode, hex encoding)
**Security Patterns:**
```bash
# Check for hardcoded secrets
grep -r "password\s*=\s*['\"]" --exclude-dir=node_modules
grep -r "api_key\s*=\s*['\"]" --exclude-dir=node_modules
grep -r "secret\s*=\s*['\"]" --exclude-dir=node_modules
# Check for AWS keys
grep -r "AKIA[0-9A-Z]{16}" --exclude=README.md
# Check for private keys
grep -r "BEGIN.*PRIVATE KEY" --exclude=README.md
# Check for dangerous patterns
grep -r "rm -rf /" | grep -v "/var/" | grep -v "/tmp/"
grep -r "eval\s*\(" --exclude=README.md
```
### 2. Best Practices Audit
**Plugin Structure:**
- ✅ Proper directory hierarchy
- ✅ Required files present
- ✅ Semantic versioning (x.y.z)
- ✅ Clear, concise descriptions
- ✅ Proper LICENSE file (MIT/Apache-2.0)
- ✅ Comprehensive README
- ✅ At least 5 keywords
**Code Quality:**
- ✅ No TODO/FIXME without issue links
- ✅ No console.log() in production code
- ✅ No hardcoded paths (/home/, /Users/)
- ✅ Uses `${CLAUDE_PLUGIN_ROOT}` in hooks
- ✅ Scripts have proper shebangs
- ✅ All scripts are executable
**Documentation:**
- ✅ README has installation section
- ✅ README has usage examples
- ✅ README has clear description
- ✅ Commands have proper frontmatter
- ✅ Agents have model specified
- ✅ Skills have trigger keywords
### 3. CLAUDE.md Compliance
**Repository Standards:**
- ✅ Follows plugin structure from CLAUDE.md
- ✅ Uses correct marketplace slug
- ✅ Proper category assignment
- ✅ Valid plugin.json schema
- ✅ Marketplace catalog entry exists
- ✅ Version consistency
**Skills Compliance (if applicable):**
- ✅ SKILL.md has proper frontmatter
- ✅ Description includes trigger keywords
- ✅ allowed-tools specified (if restricted)
- ✅ Clear purpose and instructions
- ✅ Examples provided
### 4. Marketplace Compliance
**Catalog Requirements:**
- ✅ Plugin listed in marketplace.extended.json
- ✅ Source path matches actual location
- ✅ Version matches plugin.json
- ✅ Category is valid
- ✅ No duplicate plugin names
- ✅ Author information complete
### 5. Git Hygiene
**Repository Practices:**
- ✅ No large binary files
- ✅ No node_modules/ committed
- ✅ No .env files
- ✅ Proper .gitignore
- ✅ No merge conflicts
- ✅ Clean commit history
### 6. MCP Plugin Audit (if applicable)
**MCP-Specific Checks:**
- ✅ Valid package.json with @modelcontextprotocol/sdk
- ✅ TypeScript configured correctly
- ✅ dist/ in .gitignore
- ✅ Proper mcp/*.json configuration
- ✅ Build scripts present
- ✅ No dependency vulnerabilities
### 7. Performance Audit
**Efficiency Checks:**
- ✅ No unnecessary file reads
- ✅ Efficient glob patterns
- ✅ No recursive loops
- ✅ Reasonable timeout values
- ✅ No memory leaks (event listeners)
### 8. Accessibility & UX
**User Experience:**
- ✅ Clear error messages
- ✅ Helpful command descriptions
- ✅ Proper usage examples
- ✅ Good README formatting
- ✅ Working demo commands
## Audit Process
When activated, I will:
1. **Security Scan**
```bash
# Run security checks
grep -r "password\|secret\|api_key" plugins/plugin-name/
grep -r "AKIA[0-9A-Z]{16}" plugins/plugin-name/
grep -r "BEGIN.*PRIVATE KEY" plugins/plugin-name/
grep -r "rm -rf /" plugins/plugin-name/
grep -r "eval\(" plugins/plugin-name/
```
2. **Structure Validation**
```bash
# Check required files
test -f .claude-plugin/plugin.json
test -f README.md
test -f LICENSE
# Check component directories
ls -d commands/ agents/ skills/ hooks/ mcp/ 2>/dev/null
```
3. **Best Practices Check**
```bash
# Check for TODO/FIXME
grep -r "TODO\|FIXME" --exclude=README.md
# Check for console.log
grep -r "console\.log" --exclude=README.md
# Check script permissions
find . -name "*.sh" ! -perm -u+x
```
4. **Compliance Verification**
```bash
# Check marketplace entry
jq '.plugins[] | select(.name == "plugin-name")' .claude-plugin/marketplace.extended.json
# Verify version consistency
plugin_version=$(jq -r '.version' .claude-plugin/plugin.json)
market_version=$(jq -r '.plugins[] | select(.name == "plugin-name") | .version' .claude-plugin/marketplace.extended.json)
```
5. **Generate Audit Report**
## Audit Report Format
```
🔍 PLUGIN AUDIT REPORT
Plugin: plugin-name
Version: 1.0.0
Category: security
Audit Date: 2025-10-16
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔒 SECURITY AUDIT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (7/7)
- No hardcoded secrets
- No AWS keys
- No private keys
- No dangerous commands
- No command injection vectors
- HTTPS URLs only
- No obfuscated code
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 BEST PRACTICES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (10/12)
- Proper directory structure
- Required files present
- Semantic versioning
- Clear descriptions
- Comprehensive README
⚠️ WARNINGS (2)
- 3 scripts missing execute permission
Fix: chmod +x scripts/*.sh
- 2 TODO items without issue links
Location: commands/scan.md:45, agents/analyzer.md:67
Recommendation: Create GitHub issues or remove TODOs
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ CLAUDE.MD COMPLIANCE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ PASSED (6/6)
- Follows plugin structure
- Uses correct marketplace slug
- Proper category assignment
- Valid plugin.json schema
- Marketplace entry exists
- Version consistency
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 QUALITY SCORE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Security: 10/10 ✅
Best Practices: 8/10 ⚠️
Compliance: 10/10 ✅
Documentation: 10/10 ✅
OVERALL SCORE: 9.5/10 (EXCELLENT)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 RECOMMENDATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Priority: MEDIUM
1. Fix script permissions (2 min)
2. Resolve TODO items (10 min)
Optional Improvements:
- Add more usage examples in README
- Include troubleshooting section
- Add GIF/video demo
✅ AUDIT COMPLETE
Plugin is production-ready with minor improvements needed.
```
## Severity Levels
**Critical (🔴):**
- Security vulnerabilities
- Hardcoded secrets
- Dangerous commands
- Missing required files
**High (🟠):**
- Best practice violations
- Missing documentation
- Broken functionality
- Schema violations
**Medium (🟡):**
- Code quality issues
- Missing optional features
- Performance concerns
- UX improvements
**Low (🟢):**
- Style inconsistencies
- Minor documentation gaps
- Nice-to-have features
## Auto-Fix Capabilities
I can automatically fix:
- ✅ Script permissions
- ✅ JSON formatting
- ✅ Markdown formatting
- ✅ Version sync issues
## Repository-Specific Checks
**For claude-code-plugins repo:**
- Validates against CLAUDE.md standards
- Checks marketplace integration
- Verifies category structure
- Ensures quality for featured plugins
- Checks contributor guidelines compliance
## Examples
**User says:** "Audit the security-scanner plugin"
**I automatically:**
1. Run full security scan
2. Check best practices
3. Verify CLAUDE.md compliance
4. Generate comprehensive report
5. Provide recommendations
**User says:** "Is this plugin safe to publish?"
**I automatically:**
1. Security audit (critical)
2. Marketplace compliance
3. Quality score calculation
4. Publish readiness assessment
**User says:** "Quality review before featured status"
**I automatically:**
1. Full audit (all categories)
2. Higher quality thresholds
3. Featured plugin requirements
4. Recommendation: approve/reject
Reference in New Issue View Git Blame Copy Permalink