-
-
Notifications
You must be signed in to change notification settings - Fork 294
.pr_agent_accepted_suggestions
| PR 511 (2026-04-06) |
[correctness] Orphaned external sync source
Orphaned external sync source
Adding `tonone` only to `sources.yaml` will sync files into `plugins/ai-agency/tonone` but it will not be installable/discoverable via the marketplace because marketplace installs are driven by `.claude-plugin/marketplace*.json`, and the external sync workflow does not auto-create new catalog entries.A new external sync source (tonone) was added to sources.yaml, but there is no corresponding entry in .claude-plugin/marketplace.extended.json. As a result, the plugin can be synced into plugins/ai-agency/tonone yet remain undiscoverable/uninstallable via the marketplace catalog.
- External sync pulls files into
target_path, but the marketplace catalog is a separate source of truth for/plugin install. - The sync workflow only runs
scripts/sync-marketplace.cjs, which sanitizes/exports an existing catalog; it does not create new plugin entries.
- sources.yaml[705-730]
- .claude-plugin/marketplace.extended.json[1-999999]
- Add a new plugin object to
.claude-plugin/marketplace.extended.jsonwith at least:
-
name: (ensure it matches the intended install name) -
source:./plugins/ai-agency/tonone -
description,version,category:ai-agency -
author,repository:https://github.com/tonone-ai/tonone -
license:MIT
- Regenerate
.claude-plugin/marketplace.jsonby running the existing sync script (node scripts/sync-marketplace.cjs) and commit the updated generated file.
| PR 510 (2026-04-06) |
[correctness] `name: claudebase` casing mismatch
`name: claudebase` casing mismatch
The new `sources.yaml` entry uses `name: claudebase`, but the checklist requires the plugin name to be recorded as `Claudebase`. This can cause the external sync listing to fail validation or not match expected metadata.The sources.yaml entry for Claudebase uses name: claudebase, but the compliance checklist requires the name to be recorded as Claudebase.
This impacts external plugin sync metadata matching/validation per the PR compliance checklist.
- sources.yaml[707-710]
[correctness] `category` not required value
`category` not required value
The Claudebase entry sets `category: productivity`, but the checklist requires the category to be `Productivity / Config Management`. This can misclassify the plugin in the external sync metadata and discovery surfaces.The Claudebase entry in sources.yaml is categorized as productivity, but the compliance checklist requires Productivity / Config Management.
This category value is used for external plugin sync metadata and user discovery.
- sources.yaml[715-717]
| PR 509 (2026-04-06) |
[correctness] `allowed-tools` uses `Bash(curl:*)`
`allowed-tools` uses `Bash(curl:*)`
The new `SKILL.md` frontmatter sets `allowed-tools` to values like `Bash(curl:*)`, `Bash(npm:*)`, and `Bash(npx:*)`, which are not in the allowed tool identifier set. This will fail skill validation and break compatibility with tooling that expects only supported tool IDs.plugins/automation/tweetclaw/skills/tweetclaw/SKILL.md sets allowed-tools to unsupported/parameterized values like Bash(curl:*), but compliance requires allowed-tools to list only valid tool identifiers (e.g., Bash).
This will likely fail marketplace/skill validation and may prevent the skill from loading in downstream tooling.
- plugins/automation/tweetclaw/skills/tweetclaw/SKILL.md[1-11]
[correctness] MCP tools not discoverable
MCP tools not discoverable
TweetClaw advertises two MCP tools (`explore`, `tweetclaw`), but the plugin manifest does not declare any `mcpServers`, so installing from this repo will not expose those MCP tools to Claude via normal discovery.TweetClaw documentation advertises two MCP tools, but the plugin as shipped in this repo does not declare any MCP server configuration (no mcpServers in plugin.json and no .mcp.json wiring). Users installing the marketplace plugin will not get the advertised MCP tools.
In this repo, MCP tools are only discoverable when an MCP server is declared via mcpServers or a discovered .mcp.json at the plugin root.
- plugins/automation/tweetclaw/skills/tweetclaw/SKILL.md[17-20]
- plugins/automation/tweetclaw/README.md[31-37]
- plugins/automation/tweetclaw/.claude-plugin/plugin.json[1-23]
Choose one:
-
Implement/ship MCP wiring: add
.mcp.json(ormcpServersin plugin.json) that actually enables theexploreandtweetclawtools for this plugin distribution, or - Make docs accurate for this repo: remove/qualify the MCP tool claims from SKILL.md/README (e.g., “available in the hosted MCP setup; not included in this marketplace package”) and point to the exact setup steps required.
[correctness] Install instructions mismatch
Install instructions mismatch
README installation instructions use `openclaw plugins install @xquik/tweetclaw` / `npx skills add ...`, which does not match this marketplace’s `/plugin install @claude-code-plugins-plus` convention, so users following the README likely won’t install the marketplace version they’re viewing.The tweetclaw README’s installation section does not reflect how users install plugins from this marketplace repo, which will cause failed installs or installs from an unrelated distribution channel.
Other plugins in this repository document the standard marketplace installation command (/plugin install ...@claude-code-plugins-plus).
- plugins/automation/tweetclaw/README.md[7-15]
Update the Installation section to include (at minimum) the marketplace install command, e.g.:
-
/plugin install tweetclaw@claude-code-plugins-plusOptionally keep the OpenClaw/npx instructions under a clearly labeled “Alternative installs” section if they are valid, but don’t make them the primary path for this marketplace plugin.
[security] Excessive skill permissions
Excessive skill permissions
The tweetclaw skill grants Write/Edit plus unrestricted npm/npx execution even though the documented workflow in SKILL.md is entirely curl/WebFetch-based, expanding the permission surface beyond what’s described for this plugin.The skill frontmatter requests broader tool permissions than are needed for the documented behavior (HTTP calls). This increases risk if the skill is invoked in sensitive repos/environments.
The examples in SKILL.md use curl/WebFetch-style network calls and do not describe any need to modify local files or run npm/npx.
- plugins/automation/tweetclaw/skills/tweetclaw/SKILL.md[1-6]
Narrow allowed-tools to the minimum set required for the advertised workflows (likely Read, Bash(curl:*), WebFetch), and remove Write, Edit, Bash(npm:*), and Bash(npx:*) unless they are genuinely required and explicitly documented in the skill steps.
| PR 508 (2026-04-06) |
[reliability] `marketplace.json` missing `shipwright`
`marketplace.json` missing `shipwright`
`.claude-plugin/marketplace.extended.json` adds the `shipwright` plugin, but the generated `.claude-plugin/marketplace.json` was not regenerated and still ends without that entry. This will break CI/validation because the catalogs are out of sync..claude-plugin/marketplace.extended.json was updated with the new shipwright plugin, but the generated .claude-plugin/marketplace.json was not regenerated, leaving the catalogs out of sync.
CI expects .claude-plugin/marketplace.json to be deterministically generated from .claude-plugin/marketplace.extended.json (extended is source of truth).
- .claude-plugin/marketplace.extended.json[11123-11153]
- .claude-plugin/marketplace.json[8006-8034]
[correctness] Command name mismatch
Command name mismatch
Shipwright’s README and command docs advertise commands like `/shipwright:build`, but the command frontmatter defines the command name as `shipwright-build` (and similarly for the other commands), so the documented slash commands won’t exist.Shipwright documents slash commands using a colon namespace (e.g. /shipwright:build), but the command frontmatter names are shipwright-build, shipwright-enhance, etc. Users following the docs will invoke non-existent commands.
In this repo, the command invoked is /<frontmatter name> (see formatter: name: format and README /format).
Pick one consistent convention:
- Recommended: Keep frontmatter names as-is and update docs/headings to match:
-
/shipwright-build,/shipwright-enhance,/shipwright-stacks,/shipwright-projects - Update both README and each command file H1.
(Alternative: rename command frontmatter + filenames to
build,enhance, etc., but that risks collisions with other plugins.)
- plugins/ai-agency/shipwright/README.md[13-17]
- plugins/ai-agency/shipwright/commands/shipwright-build.md[1-9]
- plugins/ai-agency/shipwright/commands/shipwright-enhance.md[1-8]
- plugins/ai-agency/shipwright/commands/shipwright-stacks.md[1-8]
- plugins/ai-agency/shipwright/commands/shipwright-projects.md[1-8]
| PR 506 (2026-04-03) |
[maintainability] Direct edit `marketplace.json`
Direct edit `marketplace.json`
This PR directly modifies `.claude-plugin/marketplace.json`, which is a listed auto-generated marketplace artifact and should not be edited directly. This can cause drift from the generator output and lead to CI failures.The PR directly edits .claude-plugin/marketplace.json, which is a generated artifact and must not be hand-modified.
Only the source-of-truth file should be edited, and generated marketplace artifacts should be updated via the documented generator scripts to avoid drift/CI failures.
- .claude-plugin/marketplace.json[8007-8025]
[correctness] Invalid `allowed-tools` values
Invalid `allowed-tools` values
The `allowed-tools` frontmatter includes non-allowed tool identifiers like `Bash(uv:*)`, `Bash(ffmpeg:*)`, and `Bash(python:*)`, which are not in the permitted tool list. This will fail skill schema validation and can break tooling that relies on the allowed tool set.allowed-tools contains invalid tool identifiers (e.g., Bash(uv:*)) that are not part of the approved allowed-tools set.
The compliance checklist allows only these tool names in allowed-tools: Read, Write, Edit, Bash, Glob, Grep, WebFetch, WebSearch, Task, TodoWrite, NotebookEdit, AskUserQuestion, Skill.
- plugins/community/framecraft/skills/demo-video/SKILL.md[8-8]
[reliability] Skill missing required sections
Skill missing required sections
plugins/community/framecraft/skills/demo-video/SKILL.md is missing enterprise-required headings (e.g., "## Instructions", "## Error Handling", "## Examples", "## Resources"), which will fail validation in CI because the validator auto-selects the enterprise tier and treats missing required sections as errors.plugins/community/framecraft/skills/demo-video/SKILL.md fails enterprise-tier validation in CI because it is missing required body sections (enterprise tier treats missing sections as errors).
The repository's skill validator auto-selects the enterprise tier in CI and requires specific headings to exist (H1 plus several ## ... sections). The new skill currently has ## Installation, ## How It Works, and ## Repository, but is missing ## Instructions, ## Error Handling, ## Examples, and ## Resources.
- plugins/community/framecraft/skills/demo-video/SKILL.md[15-72]
- scripts/validate-skills-schema.py[1486-1494]
- scripts/validate-skills-schema.py[3020-3032]
- Add the missing headings exactly as required by the validator:
-
## Instructions(convert/merge content from Installation/How It Works into step-by-step instructions) -
## Error Handling(common failure modes: missing ffmpeg, playwright install issues, MCP server not running) -
## Examples(at least one concrete example invocation) -
## Resources(move the repository link here; include any docs links)
- Keep the existing content but reorganize it under the required headings so the validator sees the exact section titles.
[maintainability] Install docs omit marketplace slug
Install docs omit marketplace slug
framecraft docs instruct `claude plugin install framecraft` (no marketplace slug), while other marketplace plugins include `@claude-code-plugins-plus`; omitting the slug can cause installs to fail or resolve the wrong source if the marketplace/slug isn’t already configured as expected.plugins/community/framecraft/README.md and the skill file instruct installation without a marketplace slug, which is inconsistent with the repo’s documented install flow and other plugin docs.
Other plugins show:
- add marketplace:
claude plugin marketplace add jeremylongshore/claude-code-plugins - install with slug:
claude plugin install <name>@claude-code-plugins-plus
- plugins/community/framecraft/README.md[11-21]
- plugins/community/framecraft/skills/demo-video/SKILL.md[28-40]
- README.md[48-52]
- plugins/packages/ai-ml-engineering-pack/README.md[39-48]
- Change the README and SKILL installation snippets to include the marketplace add step (if appropriate) and install using
framecraft@claude-code-plugins-plus. - Optionally include the
/plugin install framecraft@claude-code-plugins-plusform as well, since the root README documents that flow.
tonsofskills.com | GitHub | Discussions | Report Issue | v4.17.0
SKILL.md Specification Skill Template Skill Creator
- Plugin Structure
- Frontmatter Reference
- Tool Permissions Guide
- Templates & Examples
- Validation & Grading
- MCP Server Plugins
- Playbook Index
- 01 Multi-Agent Rate Limits
- 02 Cost Caps & Budgets
- 03 MCP Reliability
- 04 Ollama Migration
- 05 Incident Debugging
- 06 Self-Hosted Stack
- 07 Compliance & Audit
- 08 Team Presets
- 09 Cost Attribution
- 10 Progressive Enhancement
- 11 Advanced Tool Use