Automated audit: This issue was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the findings on their merits.
About NLPM
NLPM is a natural-language programming linter for Claude Code plugins. It scores NL artifacts on a 100-point scale, checks for missing or malformed frontmatter, scans executable surfaces for security risks, and verifies cross-component consistency. This plugin scored 66/100 at audit time.
Summary
The audit found 9 bugs across two categories: missing command frontmatter fields (systemic across all 8 commands) and two low/medium security issues in the installer and share scripts. No critical or high severity security issues were found — the plugin received a CLEAR security gate decision.
Bugs Found
Priority 1: Missing name field in command frontmatter (affects all 8 commands)
Every command in the plugin has a description field in its YAML frontmatter but is missing the required name field. Without name, command registration may be incomplete in environments that rely on explicit name lookup rather than filename inference.
| # | File | Status |
|---|---|---|
| 1 | commands/diff-review.md | Addressed in PR #43 |
| 2 | commands/fact-check.md | Addressed in PR #43 |
| 3 | commands/generate-slides.md | Addressed in PR #43 |
| 4 | commands/generate-visual-plan.md | Addressed in PR #43 |
| 5 | commands/generate-web-diagram.md | Addressed in PR #43 |
| 6 | commands/plan-review.md | Addressed in PR #43 |
| 7 | commands/project-recap.md | Addressed in PR #43 |
Priority 2: share.md has no YAML frontmatter at all
commands/share.md is formatted as README documentation (markdown headings, code fences, prose sections) rather than as a command template. It has neither name nor description in frontmatter, so it will not register correctly as a slash command and diverges from the convention used by every other command in the plugin.
| # | File | Status |
|---|---|---|
| 8 | commands/share.md — missing name | Addressed in PR #47 |
| 9 | commands/share.md — missing description | Addressed in PR #47 |
Security Fixes (Medium/Low only)
| # | File | Severity | Issue | Status |
|---|---|---|---|---|
| S1 | plugins/visual-explainer/scripts/share.sh | Medium | Deployed HTML is public with no pre-deploy warning | Addressed in PR #45 |
| S2 | install-pi.sh | Low | `sed` used `\|` delimiter; breaks silently if `$HOME` contains `\|` | Addressed in PR #45 |
Pull Requests
Notes
This is an automated contribution. All PRs make minimal, targeted changes matching the existing code style. No quality/style issues were included — only verified bugs and safe security improvements. Please review each PR on its merits and feel free to close or modify as you see fit. The plugin is well-structured overall; these are small gaps in an otherwise solid implementation.