Automated audit: This issue was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the findings on their merits.
About NLPM
NLPM (Natural Language Programming Manager) is a static linter for Claude Code plugins. It scores NL artifacts (commands, skills, agent definitions) on a 100-point scale, checks for structural bugs, and scans executable surfaces for security risks. This audit was run against commit 9a97a58 (v0.6.3).
Overall score: 66/100. The plugin's core skill (SKILL.md) scores well at 88/100, and the two plugin.json manifests are perfect. The main gap is a systemic missing name field across all 8 command frontmatter blocks — a single-line fix per file.
Bugs found
| # | File | Issue | Priority |
|---|------|-------|----------|
| 1–7 | `commands/{diff-review,fact-check,generate-slides,generate-visual-plan,generate-web-diagram,plan-review,project-recap}.md` | Missing `name` field in YAML frontmatter | High |
| 8–9 | `commands/share.md` | No YAML frontmatter at all — formatted as README, not a command template; neither `name` nor `description` present | High |
The missing name field is systemic across every command. Without it, command registration may be incomplete in environments that use this field for routing or display. share.md is the most severe case: the entire file needs to be converted from README-style documentation to a command template.
Security improvements (Medium/Low only)
| # | File | Issue | Severity |
|---|------|-------|----------|
| 1 | `install-pi.sh:13` | `git clone` fetches from the default branch at runtime — supply-chain compromise of upstream would silently affect all installers | Medium |
| 2 | `plugins/visual-explainer/scripts/share.sh:54` | No pre-deploy warning that the deployed HTML file is publicly accessible | Medium |
| 3 | `install-pi.sh:28–30` | `sed` uses `\|` as delimiter while interpolating `$HOME`; breaks silently if `$HOME` contains `\|` | Low |
No Critical or High severity findings were detected.
Pull requests submitted
- #43 — fix: add missing name field to all command frontmatter blocks — adds `name: <slug>` to the 7 commands that have `description` but no `name`
- #44 — fix: rewrite share.md as a command template with YAML frontmatter — converts `share.md` from README documentation to a working command template
- #45 — fix: harden install-pi.sh and share.sh against supply-chain and data-exposure risks — pins `git clone` to v0.6.3, fixes the `sed` delimiter, adds a public-deployment warning
Each PR is minimal and self-contained — no style changes, no refactoring. Please feel free to close any that don't match your intent for the project. Thank you for building visual-explainer!