typescript-quality-hooks
Automated TypeScript development workflow hooks that perform compilation checks, ESLint fixes, and Prettier formatting on file edits with high-performance caching.
81 / 100 · Grade B (B = 80–89)
“I need to automatically validate, fix, and format my TypeScript code on every file save without slowing down my development workflow.”
typescript-quality-hooks earned Certified status with a trust score of 81/100 (Grade B). Adversarial testing produced 2 findings (2 high). Security scan flagged 0 findings.
Trust Score Breakdown
Eight weighted signals composing the aggregate trust score
Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.
Findings
Security scan results, adversarial testing, and pipeline review
Security Scan — Cisco Skill Scanner
Adversarial Testing — 6 categories, 2 findings
The skill provides extensive configuration options to completely disable security tools including TypeScript compilation checks, ESLint, and Prettier. The configuration system allows blanket suppression via environment variables (CLAUDE_HOOKS_TYPESCRIPT_ENABLED=false, CLAUDE_HOOKS_ESLINT_ENABLED=false) and config files. Additionally, it includes an 'autofixSilent' mode that suppresses error output, hiding security tool findings from users. While the skill doesn't directly suppress security-specific rules, the ability to completely disable TypeScript type checking and ESLint (which includes security rules) creates a significant attack surface where malicious code could bypass all static analysis.
The skill's hook configuration executes 'node .claude/hooks/vscode-extension/quality-check.js' but does not declare Node.js or any npm packages as dependencies. The script imports multiple Node.js modules (fs, path, crypto) and attempts to dynamically require project-local packages (eslint, prettier, typescript) without these being listed in the skill's declared dependencies.
Methodology v1.0 · 6 categories · ~55 attack patterns
Interface
Skill triggers and instruction summary
Activation
Binds to lifecycle events: PostToolUse
Hook configuration with 1 handler(s)
Scope & Permissions
What this capability can and cannot access — derived from pipeline analysis
no
no
no
no
yes
no
Certification Notes
Provenance observations from the pipeline
Publisher "bartolli" is not verified — first certification from this publisher
No SECURITY.md or SECURITY.txt file found — no published vulnerability reporting process
Single contributor — no peer review evidence in commit history
Package description appears to be boilerplate or template text
Signed Artifact
Certification provenance and verification metadata
Pipeline Artifacts
Raw data files from this certification run — downloadable for independent verification
contract.json: Full unsigned contract
stage1-ingest.json: Ingest stage output
stage2a-sbom.json: SBOM generation results
stage2a-vulns.json: Vulnerability scan results
stage2b-security.json: Security scan results
stage3a-functional.json: Functional test results
stage3b-adversarial.json: Adversarial test results
stage3c-fingerprint.json: Behavioral fingerprint
stage4-certify.json: Certification decision + trust score
stage3a-measurements.json: Raw functional test measurements
stage3b-measurements.json: Raw adversarial test measurements
run-log.json: Pipeline execution log
Not all files may be present for every certification.