// Use when analyzing plugin structures, MCP tools, and plugin security patterns.
Use when coordinating multiple enhancers for /enhance command. Runs analyzers in parallel and produces unified report.
Use when improving agent prompts, frontmatter, and tool restrictions.
Use when improving CLAUDE.md or AGENTS.md project memory files.
Use when checking cross-file consistency: tools vs frontmatter, agent references, duplicate rules, contradictions.
Use when improving documentation structure, accuracy, and RAG readiness.
Use when reviewing hooks for safety, timeouts, and correct frontmatter.
| name | enhance-plugins |
| description | Use when analyzing plugin structures, MCP tools, and plugin security patterns. |
| version | 5.1.0 |
| argument-hint | [path] [--fix] |
Analyze plugin structures, MCP tools, and security patterns against best practices.
const args = '$ARGUMENTS'.split(' ').filter(Boolean);
const targetPath = args.find(a => !a.startsWith('--')) || '.';
const fix = args.includes('--fix');
| Platform | Location |
|---|---|
| Claude Code | plugins/*/, .claude-plugin/plugin.json |
| OpenCode | .opencode/plugins/, MCP in opencode.json |
| Codex | MCP in ~/.codex/config.toml |
plugins/ directoryplugin.json, agents, commands, skills--fix (HIGH certainty only)Based on function calling best practices:
Required elements:
{
"name": "verb_noun",
"description": "What it does. When to use. What it returns.",
"input_schema": {
"type": "object",
"properties": {
"param": {
"type": "string",
"description": "Format and example"
}
},
"required": ["param"],
"additionalProperties": false
}
}
The "Intern Test" - Can someone use this tool given only the description?
| Issue | Certainty | Auto-Fix |
|---|---|---|
Missing additionalProperties: false | HIGH | Yes |
Missing required array | HIGH | Yes |
| Missing tool description | HIGH | No |
| Missing param descriptions | MEDIUM | No |
Vague names (search, process) | MEDIUM | No |
Tool descriptions must include:
// Bad - vague
"description": "Search for things"
// Good - complete
"description": "Search product catalog by keyword. Use for inventory queries or price checks. Returns matching products with prices."
Parameter descriptions must include:
// Bad
"query": { "type": "string" }
// Good
"query": {
"type": "string",
"description": "Search keywords. Supports AND/OR. Example: 'laptop AND gaming'"
}
| Issue | Why It Matters |
|---|---|
| Deep nesting (>2 levels) | Reduces generation quality |
| Missing enums for constrained values | Allows invalid states |
| No min/max on numbers | Unbounded inputs |
| >20 tools per plugin | Increases error rates |
Prefer flat structures:
// Bad - nested
{ "config": { "settings": { "timeout": 30 } } }
// Good - flat
{ "timeout_seconds": 30 }
Required files:
plugin-name/
āāā .claude-plugin/
ā āāā plugin.json # name, version, description
āāā commands/ # User-invokable commands
āāā agents/ # Subagent definitions
āāā skills/ # Reusable skill implementations
āāā package.json # Optional, for npm plugins
plugin.json validation:
name: lowercase, kebab-caseversion: semver format (^\d+\.\d+\.\d+$)description: explains what plugin providesVersion sync: plugin.json version must match package.json if present.
For plugins exposing MCP tools:
Transport types:
stdio - Standard I/O (most common)http - HTTP/SSE transportConfiguration:
{
"mcp": {
"server-name": {
"type": "local",
"command": ["node", "path/to/server.js"],
"environment": { "KEY": "value" },
"enabled": true
}
}
}
Security principles:
HIGH Certainty issues:
| Pattern | Risk | Detection |
|---|---|---|
Unrestricted Bash | Command execution | tools:.*Bash[^(] |
| Command injection | Shell escape | \${.*} in commands |
| Path traversal | File access | \.\.\/ in paths |
| Hardcoded secrets | Credential leak | API keys, passwords |
MEDIUM Certainty issues:
| Pattern | Risk |
|---|---|
| Broad file access | Data exfiltration |
| Missing input validation | Injection attacks |
| No timeout on tools | Resource exhaustion |
Input validation required:
// Validate before execution
function validateToolInput(params, schema) {
// Type validation
// Range validation (min/max)
// Enum validation
// Format validation (regex patterns)
}
Tools should return structured errors:
{
"type": "tool_result",
"tool_use_id": "id",
"content": "Error: [TYPE]. [WHAT]. [SUGGESTION].",
"is_error": true
}
Retry guidance:
"Less-is-More" approach:
| Issue | Fix |
|---|---|
Missing additionalProperties | Add "additionalProperties": false |
Missing required | Add all properties to required array |
| Version mismatch | Sync plugin.json with package.json |
## Plugin Analysis: {name}
**Files scanned**: {count}
| Certainty | Count |
|-----------|-------|
| HIGH | {n} |
| MEDIUM | {n} |
### Tool Schema Issues
| Tool | Issue | Fix | Certainty |
### Structure Issues
| File | Issue | Certainty |
### Security Issues
| File | Line | Issue | Certainty |
| Category | Patterns | Certainty |
|---|---|---|
| Tool Schema | 5 | HIGH |
| Descriptions | 2 | HIGH |
| Schema Structure | 4 | MEDIUM |
| Plugin Structure | 3 | HIGH |
| MCP Patterns | 2 | MEDIUM |
| Security | 6 | HIGH/MEDIUM |
| Error Handling | 2 | MEDIUM |
| Tool Count | 1 | LOW |
| Total | 25 | - |
<bad_example>
"description": "Search for things"
</bad_example> <good_example>
"description": "Search product catalog by keyword. Use for inventory or price queries. Returns products with prices."
</good_example>
<bad_example>
tools: Read, Bash # Unrestricted
</bad_example> <good_example>
tools: Read, Bash(git:*) # Scoped
</good_example>
agent-docs/FUNCTION-CALLING-TOOL-USE-REFERENCE.md - Tool schema, descriptions, securityagent-docs/CLAUDE-CODE-REFERENCE.md - Plugin structure, MCP configagent-docs/OPENCODE-REFERENCE.md - OpenCode MCP integrationagent-docs/CODEX-REFERENCE.md - Codex MCP config