Automated audit: This issue was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the findings on their merits.
About this audit
NLPM is a natural language programming linter that scores Claude Code plugin artifacts (commands, skills, agents) on a 100-point scale and identifies mechanical bugs and security issues. It audited this repo as part of a broader survey of Claude Code plugin projects.
Audit results:
- NL Score: 96/100 — excellent quality
- Bugs found: 0 — no missing frontmatter or broken cross-references
- Security findings: 4 Low-severity issues (no Critical or High)
This project is genuinely well-structured. The 3 PRs below address only the security findings; no quality issues are being proposed.
Security Findings
All findings are Low severity (no code execution risk).
| # | File | Issue | PR |
|---|------|-------|----|
| 1 | `skills/dev-lifecycle/scripts/check-status.sh` | `FEATURE` arg interpolated into file paths without validation — allows path traversal with read-only risk | #66 |
| 2 | `package.json` | devDependencies use `^` ranges — supply chain window on fresh installs without lock file | #67 |
| 3 | `packages/cli/package.json` | Runtime dependencies use `^` ranges — end users installing the published package don't have the lock file | #68 |

(Finding #4 — documenting husky's `prepare` hook in README — was not PR'd since it's documentation-only and the risk is minimal.)
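The following is an added example, not code from the audited repository, from NLPM, or from any of the PRs above. It shows two defensive checks that correspond to findings #1 and #2/#3: a `validate_feature` function that rejects a `FEATURE` value before it is used as a path component, and a `list_caret_deps` function that reports `^`-ranged entries in a `package.json` so a maintainer can decide what to pin. The permitted character set for `FEATURE`, the `status.md` path layout, and the sample `package.json` are assumptions constructed for the example; the real `check-status.sh` may need a different allow-list.

```shell
#!/bin/sh
# Added example (not the audited project's code). Two defensive checks
# matching the Low-severity findings: path-component validation for a
# FEATURE argument, and detection of "^" ranges in a package.json.

# Returns 0 when FEATURE is safe to use as a single path component,
# 1 otherwise. Rejects empty values, "." and "..", anything containing a
# slash or backslash, and anything outside [A-Za-z0-9_-] (assumed allow-list).
validate_feature() {
    feature=$1
    case "$feature" in
        ''|.|..) return 1 ;;
        */*|*\\*) return 1 ;;
    esac
    printf '%s' "$feature" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Builds a status-file path only after validation, so a traversal attempt
# never reaches the filesystem. ROOT and the status.md layout are assumed.
feature_status_path() {
    root=$1
    feature=$2
    validate_feature "$feature" || return 1
    printf '%s/%s/status.md\n' "$root" "$feature"
}

# Prints "name range" for every dependency whose range starts with "^" in
# the given package.json. Relies on the one-entry-per-line layout npm
# writes, so it needs only grep and sed (no jq).
list_caret_deps() {
    grep -E '^[[:space:]]*"[^"]+"[[:space:]]*:[[:space:]]*"\^[^"]*"' "$1" \
        | sed -E 's/^[[:space:]]*"([^"]+)"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1 \2/'
}

# Number of caret-ranged entries; usable as a pre-publish gate
# (e.g. fail the build when the count is non-zero).
count_caret_deps() {
    list_caret_deps "$1" | wc -l | tr -d ' '
}

# Constructed sample package.json for demonstration (not the project's file).
write_sample_package_json() {
    cat > "$1" <<'EOF'
{
  "name": "sample",
  "version": "1.0.0",
  "dependencies": {
    "left-pad": "^1.3.0",
    "chalk": "4.1.2"
  },
  "devDependencies": {
    "eslint": "^8.0.0",
    "prettier": "~3.0.0"
  }
}
EOF
}

# Demonstration on the constructed input; the temp file is removed afterwards.
tmp=$(mktemp)
write_sample_package_json "$tmp"
list_caret_deps "$tmp"
echo "caret-ranged entries: $(count_caret_deps "$tmp")"
rm -f "$tmp"
validate_feature "../../etc" || echo "rejected FEATURE: ../../etc"
feature_status_path /tmp/features my-feature
```

`validate_feature` is deliberately an allow-list rather than a search for `..`: a deny-list misses encodings and absolute paths, while a short allow-list of name characters rejects every path separator at once. `list_caret_deps` is a review aid, not a fix; the corresponding PRs pin versions, and a lock file plus `npm ci` closes the same window for contributors.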
PRs Created
Each PR is minimal and matches the existing repo style. Please close any PR you disagree with — the goal is to surface findings, not to impose changes. Thank you for building and maintaining this project!