Slash Command · 260 repo stars · updated 16d ago
plugin-audit
The plugin-audit command systematically scans a project's installed dependencies across multiple package managers, extension platforms, and workflow systems to identify security vulnerabilities, maintenance risks, and supply chain threats. Use this command when onboarding new projects, preparing for production deployments, or conducting routine security reviews to generate a prioritized risk report with remediation recommendations for each flagged dependency.
Install in Claude Code
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/borghei/Claude-Skills/HEAD/.claude/commands/plugin-audit.md -o ~/.claude/commands/plugin-audit.md
Then start a new Claude Code session; the slash command loads automatically.
Definition
plugin-audit.md
Audit project plugins and extensions:

1. **Discover installed plugins/dependencies:**
   - npm packages (package.json, plus the lockfile for the resolved tree)
   - Python packages (requirements.txt, pyproject.toml, Pipfile)
   - VS Code extensions (.vscode/extensions.json)
   - Browser extensions referenced in code
   - GitHub Actions used in workflows
   - MCP servers configured
2. **Security check per dependency:**
   - Known CVEs (check against advisory databases)
   - Last published date (flag if more than 1 year ago: possibly unmaintained)
   - Download count / popularity (flag low-adoption packages)
   - Permission scope (what does it access?)
   - Maintainer count (single-maintainer risk)
3. **Version health:**
   - How many major versions behind latest?
   - Are there breaking changes in available updates?
   - Is the package deprecated?
4. **License audit:**
   - Identify all license types
   - Flag copyleft licenses (GPL family) in proprietary projects
   - Flag missing licenses (unknown risk)
5. **Supply chain risk:**
   - Packages with install scripts (preinstall/postinstall hooks)
   - Packages with native bindings
   - Transitive dependency count (flag if a package pulls in more than 100 transitive dependencies)
6. **Output** a risk-scored audit report with: package name, version, risk level (high/medium/low), specific concerns, and recommended action (update/replace/remove/accept).
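The checks in steps 2, 4, 5 and 6 above are what a tool would compute once it has the resolved dependency tree and some registry metadata per package. The script below is an added example, not code from the plugin-audit command or the Claude-Skills repository: it walks a constructed npm `package-lock.json` (lockfileVersion 3 layout), applies the page's flags (advisories, stale releases, low adoption, single maintainer, deprecation, install scripts, native bindings, transitive count, license), and emits the risk-scored report from step 6. The registry metadata that a real audit would fetch from npm and an advisory database is constructed inline so the script runs offline; the point weights, thresholds, `NATIVE_BUILD_HELPERS` heuristic and the mapping to update/replace/accept are this example's assumptions, and the page's "remove" action (for packages nothing actually uses) is not modelled.

```python
"""Risk-score the packages in an npm lockfile. Added example; not the plugin-audit
command's own code. Metadata a real audit fetches from the registry and advisory
databases is constructed inline so the script runs offline."""
import json
from datetime import date

# Constructed lockfile in npm lockfileVersion 3 layout (the "" entry is the project).
LOCKFILE = json.loads(r'''{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-util": "^1.0.0", "fast-hash": "^2.1.0", "old-parser": "^0.9.0"}},
    "node_modules/left-util": {"version": "1.0.3", "dependencies": {"tiny-assert": "^1.0.0"}},
    "node_modules/tiny-assert": {"version": "1.0.0"},
    "node_modules/fast-hash": {"version": "2.1.4", "hasInstallScript": true,
                               "dependencies": {"node-gyp-build": "^4.0.0"}},
    "node_modules/node-gyp-build": {"version": "4.6.0"},
    "node_modules/old-parser": {"version": "0.9.2"}
  }
}''')

# Constructed registry/advisory metadata per package (hypothetical values, not real packages).
REGISTRY = {
    "left-util":      {"last_publish": "2025-09-01", "maintainers": 3, "weekly_downloads": 2_000_000, "advisories": 0, "deprecated": False, "license": "MIT"},
    "tiny-assert":    {"last_publish": "2022-01-15", "maintainers": 1, "weekly_downloads": 900,       "advisories": 0, "deprecated": False, "license": None},
    "fast-hash":      {"last_publish": "2025-11-20", "maintainers": 2, "weekly_downloads": 50_000,    "advisories": 1, "deprecated": False, "license": "MIT"},
    "node-gyp-build": {"last_publish": "2025-05-10", "maintainers": 1, "weekly_downloads": 5_000_000, "advisories": 0, "deprecated": False, "license": "MIT"},
    "old-parser":     {"last_publish": "2019-06-30", "maintainers": 1, "weekly_downloads": 12_000,    "advisories": 0, "deprecated": True,  "license": "GPL-3.0"},
}

# Assumption: a dependency on one of these build helpers means the package ships native code.
NATIVE_BUILD_HELPERS = {"node-gyp", "node-gyp-build", "node-addon-api", "prebuild-install", "nan"}
COPYLEFT_PREFIXES = ("GPL", "AGPL", "LGPL")
PROJECT_IS_PROPRIETARY = True   # assumption for the license check
TRANSITIVE_LIMIT = 100          # threshold from the command definition


def package_name(path):
    """'node_modules/@scope/x' -> '@scope/x' (assumes a flat, hoisted tree)."""
    return path.rsplit("node_modules/", 1)[-1]


def transitive_count(packages, name):
    """Distinct packages reachable from `name` through lockfile dependency edges."""
    seen, stack = set(), [name]
    while stack:
        entry = packages.get("node_modules/" + stack.pop(), {})
        for dep in entry.get("dependencies", {}):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(name)
    return len(seen)


def audit_package(name, entry, packages, meta, today):
    """Apply the per-dependency checks; weights and thresholds are this example's choices."""
    concerns, score = [], 0

    def flag(points, text):
        nonlocal score
        score += points
        concerns.append(text)

    age_days = (today - date.fromisoformat(meta["last_publish"])).days
    if meta["advisories"]:
        flag(5, f"{meta['advisories']} known advisory(ies)")
    if age_days > 365:
        flag(2, f"last release {age_days} days ago (possibly unmaintained)")
    if meta["weekly_downloads"] < 1000:
        flag(1, "low adoption")
    if meta["maintainers"] == 1:
        flag(1, "single maintainer")
    if meta["deprecated"]:
        flag(3, "deprecated")
    if entry.get("hasInstallScript"):
        flag(2, "runs install scripts")
    if NATIVE_BUILD_HELPERS & set(entry.get("dependencies", {})):
        flag(1, "native bindings (build helper dependency)")
    if (n := transitive_count(packages, name)) > TRANSITIVE_LIMIT:
        flag(2, f"{n} transitive dependencies")
    lic = meta["license"]
    if lic is None:
        flag(1, "license unknown")
    elif PROJECT_IS_PROPRIETARY and lic.upper().startswith(COPYLEFT_PREFIXES):
        flag(2, f"copyleft license {lic}")

    risk = "high" if score >= 6 else "medium" if score >= 3 else "low"
    if meta["advisories"]:
        action = "update"    # a real audit also confirms a fixed version exists
    elif meta["deprecated"] or (age_days > 365 and (meta["maintainers"] == 1 or meta["weekly_downloads"] < 1000)):
        action = "replace"
    else:
        action = "accept"
    return {"name": name, "version": entry["version"], "risk": risk,
            "score": score, "concerns": concerns, "action": action}


def audit_lockfile(lockfile, registry, today):
    """Step 6: rows sorted highest risk first (ties broken by name)."""
    packages = lockfile["packages"]
    rows = [audit_package(package_name(p), e, packages, registry[package_name(p)], today)
            for p, e in packages.items() if p != ""]
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


if __name__ == "__main__":
    for row in audit_lockfile(LOCKFILE, REGISTRY, date(2026, 1, 15)):
        print(f"{row['risk']:6} {row['name']}@{row['version']}: {row['action']}; "
              + "; ".join(row["concerns"]))
```

Feeding the same scorer a Python project is mostly a discovery change (read `requirements.txt`/`pyproject.toml` and PyPI metadata instead of the lockfile); the install-script and native-binding flags map to sdist-only distributions and C extensions respectively.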
More from this repository
changelog-manager (Subagent)
code-reviewer (Subagent)
doc-generator (Subagent)
git-workflow (Subagent)
qa-engineer (Subagent)
security-auditor (Subagent)
a11y-audit (Slash Command)
Run an accessibility audit on the current project for WCAG compliance.
code-to-prd (Slash Command)
Reverse-engineer a Product Requirements Document from existing code.