Does it remember previous scans?

Yes, the skill computes a unique hash for each plugin version and saves the results locally to avoid re-scanning plugins that haven't changed.

How does this skill scan plugins?

It identifies enabled plugins in your Claude settings, locates their source code in the local cache, and launches parallel subagents to analyze the code for specific security risks.

What types of vulnerabilities does it detect?

It searches for command injection risks, data exfiltration attempts, file system abuse, privilege escalation, obfuscated code, hook abuse, and sandbox bypasses.

Can I scan local plugins I am developing?

Yes. If a plugin is not found in the official cache, the skill will ask you for the directory path to perform a manual security review.

What should I do if a critical issue is found?

The skill provides recommended actions, typically suggesting you disable the plugin immediately and report the findings to the marketplace maintainer.

Plugin Security Auditor

Name: Plugin Security Auditor
Author: hibukki

byhibukki

•

Security & Testing

Audits and scans installed Claude Code plugins for security vulnerabilities, malicious code, and privacy risks using parallel subagents.

This skill provides a comprehensive security framework for Claude Code environments by systematically scanning enabled plugins for common threats. It automatically detects installed plugins, launches specialized subagents to analyze source code for command injection, data exfiltration, and sandbox bypasses, and generates actionable reports with severity ratings. By persisting review results and proactively suggesting scans for new installations, it helps developers maintain a secure local environment while leveraging the power of third-party extensions.

Key Features

01Persistent review caching to prevent redundant scans of verified code

02Automated discovery of enabled plugins from system settings

031 GitHub stars

04Detection of command injection, data leaks, and file system abuse

05Parallel subagent scanning for rapid security analysis

06Detailed reporting with severity levels and recommended actions

Use Cases

01Auditing third-party plugins before enabling them in a sensitive development environment

02Identifying malicious code or hidden hooks in newly downloaded marketplace plugins

03Automating security compliance checks for a custom suite of Claude Code extensions

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add hibukki/yonatans-cc-marketplace plugins-security-review

For use in Claude.ai and ChatGPT

Download Skill