explaingit

secawa-com/plugin-auditor

Analysis updated 2026-05-18

1ShellAudience · developerComplexity · 2/5LicenseSetup · easy

TLDR

A Claude Code plugin that runs a static security audit of other Claude Code plugins and skills before you install them.

Mindmap

mindmap
  root((plugin-auditor))
    What it does
      Static security audit
      Five parallel sub agents
      SAFE CAUTION UNSAFE verdict
    Tech stack
      Shell
      Claude Code plugin
    Use cases
      Vet community plugins
      Audit remote repos
      Delta re audits
    Audience
      Developers
      Security reviewers
    License
      MIT

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Audit a community-made Claude Code plugin or skill before installing it locally.

USE CASE 2

Scan a remote GitHub or GitLab repository for backdoors or prompt injection before cloning it.

USE CASE 3

Re-audit only the commits added since a repository's last review using delta mode.

USE CASE 4

Get a file-and-line-number-backed markdown report to review before trusting an extension.

What is it built with?

ShellClaude Code

How does it compare?

secawa-com/plugin-auditoranthonyhann/knowledge-wikibaiyuetribe/test-heroku
Stars111
LanguageShellShellShell
Last pushed2021-06-30
MaintenanceDormant
Setup difficultyeasymoderatehard
Complexity2/53/51/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Installs as a Claude Code plugin marketplace entry, no external services or credentials required.

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

In plain English

plugin-auditor is a Claude Code plugin that performs a security audit of other Claude Code extensions, such as skills, agents, hooks, MCP servers, and slash commands, before a user installs them. The README explains that this kind of ecosystem, where anyone can publish a plugin that a single command will clone and install, is a classic supply chain risk: a malicious skill could try to leak credentials, a hook could persist across sessions, an MCP server could fetch and run arbitrary code, or an install script could run before anyone reviews it. The tool works entirely by reading and analyzing code, it never runs or executes anything from the repository being audited. It adds one slash command, /plugin-auditor:audit, which is not triggered automatically, a user has to run it on purpose. When run, it hands the work to five specialized sub-agents that each look at a different risk area, covering static code patterns, Claude specific artifacts, supply chain concerns, configuration files, and suspicious network or filesystem activity. Their findings are combined into a single markdown report with an overall verdict of SAFE, CAUTION, or UNSAFE, and every finding is tied to a specific file and line number so a user can check it themselves. The audit can be pointed at the current folder, an explicit local path, or a public GitHub or GitLab URL, which the tool will shallow clone into a temporary folder before scanning. There is also a delta mode that only audits what changed since a repository's last audit, using a saved state file to compare against the previous commit. Reports are written to a folder under the user's home directory and are timestamped, so re-running an audit never overwrites an earlier report. After a report is produced, the tool can also walk through any concerning findings interactively, one section at a time. It is written mainly in shell script, is licensed under MIT, and is intended for people who install community-made Claude Code plugins and want a way to check them for hidden risks before trusting them.

Copy-paste prompts

Prompt 1
Help me install plugin-auditor and run /plugin-auditor:audit on a repository I just cloned.
Prompt 2
Explain what plugin-auditor's five sub-agents each check for in a Claude Code plugin.
Prompt 3
Show me how to run plugin-auditor's delta mode to check only new commits since my last audit.
Prompt 4
Walk me through what a CAUTION verdict from plugin-auditor means and how I should respond to it.

Frequently asked questions

What is plugin-auditor?

A Claude Code plugin that runs a static security audit of other Claude Code plugins and skills before you install them.

What language is plugin-auditor written in?

Mainly Shell. The stack also includes Shell, Claude Code.

What license does plugin-auditor use?

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is plugin-auditor to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is plugin-auditor for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.