Menü
How the Plugin Mall scans, scores, and prunes itself. The Mall is a self-curating repo; this skill is its operational playbook for the weekly catalog refresh and trust scoring. Use when working on the scan pipeline, debugging a stuck weekly PR, or onboarding to Mall internals.
| name | mall-self-curation |
| description | How the Plugin Mall scans, scores, and prunes itself. The Mall is a self-curating repo; this skill is its operational playbook for the weekly catalog refresh and trust scoring. Use when working on the scan pipeline, debugging a stuck weekly PR, or onboarding to Mall internals. |
| lastReviewed | "2026-05-29T00:00:00.000Z" |
The Plugin Mall is self-curating. Day-to-day operations (inventory, scoring, catalog publishing, staleness pruning) run inside this repo's .github/workflows/scan-sources.yml. This skill is the operational playbook for that pipeline.
scripts/scan-sources.cjs / normalize-frontmatter.cjs / compute-trust.cjs / list-refs.cjs / render-catalog.cjscatalog-refresh/YYYY-MM-DD) is stuck or producing surprising deltassources/supported-stores.json — verifying it flows through the pipeline.github/workflows/scan-sources.yml) bootstrap-sources.cjs ─┐
scan-sources.cjs │
normalize-frontmatter.cjs ├─▶ catalog/index.json
list-refs.cjs │ catalog/stores/*.json
compute-trust.cjs │ scoring/trust-audit.{json,md}
render-catalog.cjs ─┘ catalog/INDEX.md + per-store + per-category
README.md (storefront)
Each step is idempotent: re-running with no upstream changes produces byte-identical output.
| Step | Owns | Reads | Writes |
|---|---|---|---|
bootstrap-sources.cjs | Source-repo clones into $SOURCES_DIR | sources/supported-stores.json | $SOURCES_DIR/<name>/ (one shallow clone per third-party store; plugin-mall is excluded — it's this repo) |
scan-sources.cjs | Per-plugin metadata extraction | sources/supported-stores.json + $SOURCES_DIR/<name>/<pluginDir>/<plugin>/ + this repo's plugins/<category>/<name>/ (for plugin-mall self-scan) | catalog/stores/<store>.json (without trust scores yet) |
normalize-frontmatter.cjs | Standard + extended + raw three-layer schema | catalog/stores/<store>.json (plugins[*].frontmatter.raw) | catalog/stores/<store>.json (plugins[*].frontmatter.standard + extended) |
list-refs.cjs | Per-plugin version discovery | $SOURCES_DIR/<name>/.git/ + plugin source_path | catalog/stores/<store>.json (plugins[*].available_refs) |
compute-trust.cjs | Trust score (provenance + 5 signals) | catalog/stores/*.json + scoring/github-stats.json | catalog/stores/*.json (store_trust + plugins[*].trust_score) + scoring/trust-audit.{json,md} |
render-catalog.cjs | JSON → MD rendering | catalog/stores/*.json | catalog/index.json + catalog/INDEX.md + catalog/stores/<store>.md (one per store) + catalog/categories/<cat>.md (one per category) + README.md (storefront) + sources/SOURCES.md (rendered registry) |
plugin-mall self-entry — load-bearing rulesources/supported-stores.json includes one entry with name: "plugin-mall" and provenance: true. This entry refers to this repo itself and is the mechanism that puts Mall-curated plugins in the same catalog as third-party plugins.
Two rules govern it:
plugin-mall. This repo is already checked out; cloning it from itself is wasteful and could cause race conditions during the workflow. bootstrap-sources.cjs filters by name !== "plugin-mall".plugin-mall. The scan walks $REPO_ROOT/plugins/ (not $SOURCES_DIR/plugin-mall/) and produces catalog/stores/plugin-mall.json like any other store. scan-sources.cjs resolves the path conditionally: third-party stores use $SOURCES_DIR/<name || local_dir_name>/<pluginDir>; plugin-mall uses $REPO_ROOT/<pluginDir>.Crossing this boundary (cloning self in bootstrap, or skipping self in scan) is the most common source of bugs in this pipeline.
Computed by compute-trust.cjs; signals published alongside score so readers can audit why a score is what it is.
| Signal | Range | Source | Mall-as-store | Third-party typical |
|---|---|---|---|---|
| Provenance | 0 or +50 | supported-stores.json provenance field | +50 | 0 |
| Store maintenance | 0–15 | scoring/github-stats.json last_commit recency | 15 | 0–15 |
| Store adoption | 0–10 | GitHub stars + contributors via scoring/github-stats.json | 10 | 0–10 |
| License clarity | 0–10 | OSI-approved=10, clear non-permissive=7, ambiguous=0 | 7 (PolyForm-NC) | 0–10 |
| Frontmatter completeness | 0–10 | description + version + lastReviewed presence | 10 | 0–10 |
| README presence | 0–5 | README ≥ 200 chars | 5 | 0–5 |
Mall-as-store ceiling: 97/100. Third-party stores cap at 50 by construction (no provenance). Per-plugin score adds up to +20 from plugin-specific signals on top of store score.
If the formula drifts from this table, update this skill in the same commit. Changes to the weights or signals are [behaviour]-class commits; changes that alter what the published-signal contract guarantees are [constitutional].
.github/workflows/scan-sources.ymlcatalog/, scoring/, README.md, or sources/SOURCES.md change (timestamp-only deltas filtered)workflow_dispatch available for ad-hoc re-scans (e.g., after adding a store to supported-stores.json)| Concern | Owner |
|---|---|
Add / remove a source store from supported-stores.json | Mall (this skill + source-inventory) |
| Tune trust score weights | Mall (this skill + compute-trust.cjs) |
| Scan / score / render / publish pipeline | Mall |
| Decide a plugin earns a slot in any consumer project's baseline | Out of scope (consumer-owned decision) |
| Coherence with a specific consumer project | Out of scope (consumer-owned audit) |
| Reframe what counts as "curated" | Out of scope (editorial decision, not pipeline) |
| Periodic review of how the catalog is consumed downstream | Out of scope (consumer-owned) |
If a question crosses the line into editorial or downstream policy, route it out of the workflow. Don't self-modify cross-repo policy from inside the Mall.
Every editorial Mall decision lands in docs/curation-log.md in this repo (Mall's own append-only log). Decisions ship with re-eval dates; routine refreshes do not need log entries unless they triggered a curation action.
| Anti-pattern | Correction |
|---|---|
Editing brain files (skills/instructions/prompts/agents) under plugins/ during the workflow | The workflow MUST NOT modify plugins/ — editorial changes ship via PR review only. The workflow only writes to catalog/, scoring/, README.md, sources/SOURCES.md. |
Bootstrap re-cloning plugin-mall from itself | bootstrap-sources.cjs MUST filter name !== "plugin-mall". |
Scan skipping plugin-mall | scan-sources.cjs MUST include plugin-mall (walks $REPO_ROOT/plugins/, not bootstrapped sources). |
| Trust score without published signals | Every score MUST come with its signal breakdown in catalog/stores/<store>.json trust_signals field. |
| Hardcoded "curated" tier flag in code | There is NO tier flag in the schema. Curation bias emerges from provenance: true in supported-stores.json. |
| Quietly fudging the license signal so Mall scores 100 | Score honestly. PolyForm-NC = 7/10. The provenance +50 already carries the first-party trust weight. |
This skill needs revision if any of the following occur by 2026-08-29 (90 days):
catalog/, scoring/, README.md, sources/SOURCES.md ≥1 time/mall-search for the same name as a third-party entry (provenance signal not flowing)normalize-frontmatter.cjs ≥2 times without surfacing in scoring/trust-audit.mdTrack in docs/curation-log.md tagged [MALL-SELF-CURATION].
supported-stores.jsonConsolidate session learning into permanent architecture — extract patterns into skills, instructions, prompts, or memory
Maintain the source registry in sources/supported-stores.json — add a new third-party plugin store, retire one, refresh metadata, validate the schema. Use when proposing a registry change, after the weekly cron flags a source as unhealthy, or when a candidate store needs evaluation before adding.
Detect, classify, and prune stale source stores in the Mall — define what stale means and how to remove gracefully without breaking downstream consumers.
Evaluate a proposed store for inclusion in Alex_ACT_Plugin_Mall using a quality scorecard
Comprehensive brain file review — external freshness, internal consistency, semantic accuracy — stamp only after full assessment
This skill should be used when building agent evaluation systems: deterministic checks, regression suites, multi-dimensional rubrics, quality gates, production monitoring, baseline comparison, and outcome measurement for agent pipelines.