Understand how to evaluate plugin safety and our transparency-first trust model.
Unlike traditional plugin ecosystems that gatekeep with strict approval processes, we believe in transparency over gatekeeping. Every plugin with a valid manifest is automatically approved - no waiting, no arbitrary rules.
Trust Through Transparency
We provide clear safety information, trust signals, and direct source code access so you can make informed decisions. Quality is indicated through community validation (stars), maintenance scores, and manual reviews - not by blocking plugins.
Plugins can include powerful features that require careful consideration:
Execute scripts automatically at workflow lifecycle points
What hooks can do:
Available hook events (10 total):
PreToolUsePostToolUsePermissionRequestUserPromptSubmitNotificationSessionStartSessionEndStopSubagentStopPreCompactWhy this matters: Hooks run automatically without prompting. Review the hook scripts in the repository before installing to understand what they do.
Connect to external services, APIs, and data sources via Model Context Protocol
What MCP servers can do:
Transport types:
Why this matters: MCP servers access external services with your credentials. Only provide API keys to plugins you trust, and use read-only tokens when possible.
Plugins marked as "strict" follow best practices and require a valid manifest file
Strict mode means:
plugin.json manifestStrict mode is the default setting ("strict": true). Non-strict plugins can omit the manifest file and rely on marketplace configuration, but require more careful review.
Use these trust signals to make informed decisions:
Community validation and popularity indicator
Interpretation: 10+ stars indicates trusted by multiple developers
Based on last commit date and activity
Interpretation: Score of 7-10 means actively maintained (commits within 90 days)
Manually reviewed by marketplace admins
Interpretation: Verified for quality, documentation, and best practices
Every plugin links to its GitHub repository
Interpretation: Review the source code before installing
Review the source code
Click through to the GitHub repository and review what the plugin does. Look at the manifest, hooks, and any scripts.
Check for hooks and MCP servers
Plugin detail pages show clear badges. If present, review what they do before installing.
Check trust signals
Look for GitHub stars (10+), high maintenance scores (7-10), and manual review badges.
Verify the author
Check the GitHub repository owner. Is it a known developer or organization? Do they have other reputable projects?
Check maintenance status
Recently maintained plugins (commits within 90 days) are more likely to be secure and compatible with the latest Claude Code version.
Remember: You're in control
Plugins can be enabled/disabled anytime with /plugin disable plugin-name and removed with /plugin uninstall plugin-name. Start with trusted plugins and expand as you get comfortable.
Use read-only tokens when possible
When configuring MCP servers that need API keys, use read-only or limited-scope tokens to minimize risk.
Review hook scripts before installation
Hooks run automatically. Always review the scripts in the repository to understand what they do.
Start with reviewed plugins
Plugins with the manual review badge have been vetted for quality and safety by marketplace admins.
Keep plugins updated
Plugin authors may release security updates. Check repositories for updates periodically.
Now that you understand plugin safety, learn how to build your own plugins with our creator guide.