Compare commits

4 Commits

Author SHA1 Message Date
tobin
6873b91bec Bump scan-plugins action pin to include L11/L12 fixes 2026-05-07 19:10:45 +00:00
tobin
a3e148345f Wire scan-plugins to the detailed policy prompt
Adds .github/policy/prompt.md and schema.json (the full security
review rubric — malicious code, privacy, deception, safety
circumvention, exfiltration; plus network-call and software-install
flags) and points scan-plugins at it via the policy-prompt input.

With ANTHROPIC_API_KEY now configured on the repo, scan-plugins runs
the actual policy review on changed external entries instead of
no-op'ing.
2026-05-07 19:07:08 +00:00
tobin
040af8dbf6 Remove 5 external entries that fail validation at HEAD
Step 30 (clone at pinned SHA + claude plugin validate) fails for
these at their current HEAD:

  aiven                   Unrecognized key "logo" in plugin.json
  atlassian-forge-skills  skill YAML frontmatter parse error
  sagemaker-ai            skill YAML frontmatter parse error
  speakai                 no plugin manifest at repo root
  stagehand               no plugin manifest at repo root

These can be re-added once the upstream repos are fixed.
2026-05-07 18:46:18 +00:00
tobin
59b0022c57 Adopt validate-plugins action suite; pin all external SHAs
Replaces the hand-rolled marketplace validator and bot-based bump
workflow with the shared composite actions (pinned at f846a0b).

marketplace.json:
- 62 external entries that were missing a `sha` are now pinned to
  their current upstream HEAD (resolved via git ls-remote).

Workflows:
- validate-plugins.yml: invariants I1-I11 + claude plugin validate +
  diff-gated clone-at-SHA validation of changed external entries.
  SHA-pin (I5) is a hard error. I8/I11 stay warnings until the 15
  known data issues (vendored dirs without manifests; one dotted
  name) are cleaned up.
- bump-plugin-shas.yml: bot-free weekly refresh. Validates each new
  SHA with claude plugin validate before opening one PR; works with
  the default GITHUB_TOKEN (contents:write + pull-requests:write).
- scan-plugins.yml: Claude policy scan of changed external entries.
  Non-blocking; graceful no-op if ANTHROPIC_API_KEY isn't set.

Removed:
- validate-marketplace.yml + the two TS helper scripts (superseded
  by step 11/20 of validate-plugins).

validate-frontmatter.yml is kept — it's complementary (targeted
checks on agent/skill/command files for in-repo plugins).
2026-05-07 18:43:37 +00:00
2 changed files with 83 additions and 3 deletions

@@ -39,6 +39,17 @@
},
"homepage": "https://github.com/adobe/skills/tree/main/plugins/creative-cloud/adobe-for-creativity"
},
{
"name": "adspirer-ads-agent",
"description": "Cross-platform ad management for Google Ads, Meta Ads, TikTok Ads, and LinkedIn Ads. 91 tools for keyword research, campaign creation, performance analysis, and budget optimization.",
"category": "productivity",
"source": {
"source": "url",
"url": "https://github.com/amekala/adspirer-mcp-plugin.git",
"sha": "c40623f1aa7b568e960d3f2e2558a6fcf10e6c18"
},
"homepage": "https://www.adspirer.com"
},
{
"name": "agent-sdk-dev",
"description": "Development kit for working with the Claude Agent SDK",
@@ -205,6 +216,16 @@
},
"homepage": "https://auth0.com/docs/quickstart/agent-skills"
},
{
"name": "autofix-bot",
"description": "Code review agent that detects security vulnerabilities, code quality issues, and hardcoded secrets. Combines 5,000+ static analyzers to scan your code and dependencies for CVEs.",
"author": {
"name": "DeepSource Corp"
},
"category": "security",
"source": "./external_plugins/autofix-bot",
"homepage": "https://github.com/anthropics/claude-plugins-public/tree/main/external_plugins/autofix-bot"
},
{
"name": "aws-agents",
"description": "Build, deploy, and operate AI agents on AWS. Skills for scaffolding agents with Amazon Bedrock AgentCore, connecting tools, memory, policies, evaluation, debugging, and production hardening.",
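Review bot: the `autofix-bot` entry's `"source": "./external_plugins/autofix-bot"` is a vendored path, so unlike the `url` entries around it there is no `sha` tying the content to a reviewed upstream commit. Record the upstream repository and commit the directory was copied from (the `homepage` here points back into this repository, not to DeepSource), and confirm the directory carries a plugin manifest so it does not add to the vendored-dirs-without-manifests warnings the commit message mentions.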
@@ -1271,6 +1292,16 @@
},
"homepage": "https://github.com/makenotion/claude-code-notion-plugin"
},
{
"name": "optibot",
"description": "AI code review that catches production-breaking bugs, business logic issues, and security vulnerabilities — directly in Claude Code.",
"source": {
"source": "url",
"url": "https://github.com/Optimal-AI/optibot-skill.git",
"sha": "ce2be448ee713606aa653fc93ef2f98a200fe327"
},
"homepage": "https://getoptimal.ai"
},
{
"name": "oracle-ai-data-platform-workbench-spark-connectors",
"description": "Oracle AI Data Platform Workbench Spark connectors for Claude Code. 18 connector skills covering every data source workbench customers commonly need: Oracle Autonomous DB family (ALH/ADW/ATP) via wallet/IAM-DB-Token/API-key, ExaCS, Fusion ERP REST, Fusion BICC, EPM Cloud Planning, Essbase 21c, OCI Streaming (Kafka), OCI Object Storage, Apache Iceberg, plus external systems (PostgreSQL, MySQL/HeatWave, SQL Server, Snowflake, Azure ADLS Gen2, AWS S3, generic REST, custom JDBC, Excel). Live-validated on the workbench `tpcds` cluster (Spark 3.5.0): 17 PASS / 4 ship-as-is out of 21 test rows.",
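Review bot: the `optibot` entry has no `category` and no `author`, while the `adspirer-ads-agent` and `autofix-bot` entries added in the same change both set `category`. Add one, or confirm the field is optional in the marketplace schema. The `sha` itself is a full 40-character commit id, which is what the pinning check needs.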
@@ -1906,8 +1937,57 @@
"source": {
"source": "url",
"url": "https://github.com/twilio/ai.git",
"sha": "0713fb1f40b5e871cad4c1c99f603c812431692a"
"sha": "137c4679855d31115a8509b93a3887b8bb317da9"
},
"strict": false,
"skills": [
"./skills/sendgrid/twilio-sendgrid-account-setup",
"./skills/sendgrid/twilio-sendgrid-deliverability-advisor",
"./skills/sendgrid/twilio-sendgrid-email-send",
"./skills/sendgrid/twilio-sendgrid-email-settings",
"./skills/sendgrid/twilio-sendgrid-engagement-quality",
"./skills/sendgrid/twilio-sendgrid-inbound-parse",
"./skills/sendgrid/twilio-sendgrid-suppressions",
"./skills/sendgrid/twilio-sendgrid-webhooks",
"./skills/twilio/twilio-account-setup",
"./skills/twilio/twilio-call-recordings",
"./skills/twilio/twilio-cli-reference",
"./skills/twilio/twilio-compliance-onboarding",
"./skills/twilio/twilio-compliance-traffic",
"./skills/twilio/twilio-conference-calls",
"./skills/twilio/twilio-content-template-builder",
"./skills/twilio/twilio-conversations-classic-api",
"./skills/twilio/twilio-debugging-observability",
"./skills/twilio/twilio-email-deliverability-advisor",
"./skills/twilio/twilio-iam-auth-setup",
"./skills/twilio/twilio-identity-verification-advisor",
"./skills/twilio/twilio-lookup-phone-intelligence",
"./skills/twilio/twilio-marketing-promotions-advisor",
"./skills/twilio/twilio-messaging-channel-advisor",
"./skills/twilio/twilio-messaging-overview",
"./skills/twilio/twilio-messaging-services",
"./skills/twilio/twilio-messaging-webhooks",
"./skills/twilio/twilio-notifications-alerts-advisor",
"./skills/twilio/twilio-numbers-senders",
"./skills/twilio/twilio-organizations-setup",
"./skills/twilio/twilio-rcs-messaging",
"./skills/twilio/twilio-regulatory-compliance-bundles",
"./skills/twilio/twilio-reliability-patterns",
"./skills/twilio/twilio-security-api-auth",
"./skills/twilio/twilio-security-compliance-hipaa",
"./skills/twilio/twilio-security-hardening",
"./skills/twilio/twilio-send-message",
"./skills/twilio/twilio-sms-isv-setup",
"./skills/twilio/twilio-sms-send-message",
"./skills/twilio/twilio-taskrouter-routing",
"./skills/twilio/twilio-verify-send-otp",
"./skills/twilio/twilio-voice-conversation-relay",
"./skills/twilio/twilio-voice-outbound-calls",
"./skills/twilio/twilio-voice-twiml",
"./skills/twilio/twilio-webhook-architecture",
"./skills/twilio/twilio-whatsapp-manage-senders",
"./skills/twilio/twilio-whatsapp-send-message"
],
"homepage": "https://www.twilio.com"
},
{
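Review bot: in the `twilio/ai.git` entry the `sha` bump arrives together with `"strict": false` and a hand-written list of 46 skill paths, and nothing in the hunk says why strict handling is turned off. The listed paths are only valid for the pinned commit, so a later SHA refresh can leave them stale: have the clone-at-SHA validation check that every listed `./skills/...` directory exists at the new `sha`, and check whether near-duplicates such as `twilio-send-message` and `twilio-sms-send-message` are both intended.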
@@ -2063,7 +2143,7 @@
"url": "https://github.com/zapier/zapier-mcp.git",
"path": "plugins/zapier",
"ref": "main",
"sha": "f34a7854febed415c9ef766eec1c66529ef0668e"
"sha": "76c4669321847c8f72a6e0462c17f29fd437519a"
},
"homepage": "https://github.com/zapier/zapier-mcp/tree/main/plugins/zapier"
},
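Review bot: this entry keeps `"ref": "main"` next to the bumped `sha`. Make sure the installer resolves the `sha` and treats `ref` as informational only, or drop `ref`; if the branch name wins, the pin has no effect and the plugin follows whatever `main` points to at install time.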

@@ -17,7 +17,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 (sha-pinned)
- uses: oven-sh/setup-bun@v2
- name: Install dependencies
run: cd .github/scripts && bun install yaml
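Review bot: the `oven-sh/setup-bun` step should stay on the full commit id rather than `@v2`. As ordered in this hunk the sha-pinned line is replaced by the tag, and a tag can be moved after review, which undoes for the workflow the pinning this series enforces on plugin entries. Keep `oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0`; `actions/checkout@v4` and the unversioned `bun install yaml` in the same steps are worth pinning too.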