Understand how to evaluate plugin safety and our transparency-first trust model.
Unlike traditional plugin ecosystems that gatekeep with strict approval processes, we believe in transparency over gatekeeping. Every plugin with a valid manifest is automatically approved — no waiting, no arbitrary rules.
Trust Through Transparency
We provide clear safety information, trust signals, and direct source code access so you can make informed decisions. Quality is indicated through community validation (stars), maintenance scores, and manual reviews — not by blocking plugins.
Understanding the difference between guidance and enforcement helps you choose the right protection mechanism.
Instructions in CLAUDE.md that Claude follows as best practice. Loaded with each session and interpreted contextually.
Behavior: Claude follows these rules voluntarily. Strong competing context or explicit user instructions may override them.
Hooks execute code at lifecycle points regardless of Claude's interpretation or user prompts.
Behavior: If exit code is 2, the operation is blocked unconditionally. Cannot be bypassed through prompting.
When to Use Each
Use CLAUDE.md for project conventions and preferences. Use hooks for security-critical enforcement where you need guarantees regardless of context.
Plugins can include powerful features that require careful consideration.
Execute scripts automatically at workflow lifecycle points.
What hooks can do:
Available hook events (29 total):
PreToolUsePostToolUsePostToolUseFailurePostToolBatchPermissionRequestUserPromptSubmitUserPromptExpansionNotificationStopStopFailureSubagentStartSubagentStopPreCompactPostCompactSessionStartSetupSessionEndTeammateIdleTaskCompletedInstructionsLoadedConfigChangeWorktreeCreateWorktreeRemoveElicitationElicitationResultPermissionDeniedTaskCreatedCwdChangedFileChangedExit codes:
| Code | Behavior |
|---|---|
| 0 | Allow the operation to proceed |
| 1 | Non-blocking error (logged but continues) |
| 2 | Block the operation and feed stderr back to Claude |
Hook types:
command (default)
Executes bash commands or scripts on your system. The hook runs locally with full shell access and your user permissions.
http (remote)
POSTs the event JSON payload to a configured URL. The target URL must be allowlisted via allowedHttpHookUrls in settings.
prompt (LLM-based)
Sends a prompt to an LLM (Haiku) for intelligent, context-aware decisions. Most useful for Stop and SubagentStop hooks.
agent (agentic)
Runs an agentic verifier with tool access for complex, multi-step verification that's more than a single prompt can handle.
Why this matters: Hooks run automatically without prompting. command hooks execute shell scripts locally, http hooks POST event data to remote URLs, and prompt/agent hooks make LLM calls. Review all hook configurations in the repository before installing.
Connect to external services, APIs, and data sources via Model Context Protocol.
What MCP servers can do:
Transport types:
Why this matters: MCP servers access external services with your credentials. Only provide API keys to plugins you trust, and use read-only tokens when possible.
Controls whether the plugin's own plugin.json or the marketplace entry is authoritative.
plugin.json is authoritative — the marketplace entry can only supplement itThe plugin's own plugin.json is optional — if omitted, Claude Code auto-discovers components from standard directories. The "strict": true flag lives on the marketplace entry, not inside plugin.json.
This hook demonstrates deterministic enforcement by blocking access to sensitive configuration files, regardless of how the request is framed.
#!/bin/bash
# PreToolUse hook: Guard sensitive files
# Exit 0 = allow, Exit 1 = non-blocking error, Exit 2 = block
INPUT=$(cat)
TARGET=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
# Check for protected patterns
case "$TARGET" in
*.env*|*credentials*|*secret*)
echo "Protected file: $TARGET" >&2
exit 2
;;
esac
exit 0{
"hooks": {
"PreToolUse": [{
"matcher": "Read|Edit|Write",
"hooks": [{
"type": "command",
"command": "./hooks/guard-config-files.sh"
}]
}]
}
}Key point: When this hook runs, if the file matches a protected pattern, the exit 2 blocks the operation completely. The stderr message is fed back to Claude for context, but the file access never happens.
Practical examples of hooks you might encounter in plugins. Understanding these patterns helps you evaluate what hooks do before installing.
PreToolUse
Blocks destructive database operations
#!/bin/bash
# Block DROP, TRUNCATE, or simple DELETE statements
INPUT=$(cat)
CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
if echo "$CMD" | grep -qiE \
'(DROP|TRUNCATE|DELETE\s+FROM\s+\w+\s*;)'; then
echo "Blocked: Destructive DB operation" >&2
exit 2
fi
exit 0PostToolUse
Runs Prettier after file edits
#!/bin/bash
# Run formatter after Write/Edit tools
INPUT=$(cat)
FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
case "$FILE" in
*.ts|*.tsx|*.js|*.jsx)
npx prettier --write "$FILE" 2>/dev/null
;;
esac
exit 0Stop
Desktop notification when Claude finishes
#!/bin/bash
# Send notification when Claude completes a task
# macOS example - adapt for your OS
osascript -e 'display notification \
"Claude finished the task" \
with title "Claude Code"'
exit 0PreToolUse
Prevents direct commits to main/master
#!/bin/bash
# Block direct commits to protected branches
INPUT=$(cat)
CMD=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
if echo "$CMD" | grep -qE \
'git (push|commit).*\b(main|master)\b'; then
echo "Blocked: Use a feature branch" >&2
exit 2
fi
exit 0Exit codes explained: Exit 0 allows the operation, 1 is a non-blocking error, 2 blocks the operation and feeds the error message back to Claude.
Use these trust signals to make informed decisions.
| Signal | What it means |
|---|---|
| GitHub Stars | Community validation and popularity indicator |
| Maintenance Score | Based on last commit date and activity |
| Manual Review | Manually reviewed by marketplace admins |
| Source Code Access | Every plugin links to its GitHub repository |
Review the source code
Click through to the GitHub repository and review what the plugin does. Look at the manifest, hooks, and any scripts.
Check for hooks and MCP servers
Plugin detail pages show clear indicators. If present, review what they do before installing.
Check trust signals
Look for GitHub stars (10+), high maintenance scores (7-10), and manual review badges.
Verify the author
Check the GitHub repository owner. Is it a known developer or organization? Do they have other reputable projects?
Check maintenance status
Recently maintained plugins (commits within 90 days) are more likely to be secure and compatible with the latest Claude Code version.
Remember: You're in control
Plugins can be enabled/disabled anytime with /plugin disable plugin-name and removed with /plugin uninstall plugin-name. Start with trusted plugins and expand as you get comfortable.
Use read-only tokens when possible
When configuring MCP servers that need API keys, use read-only or limited-scope tokens to minimize risk.
Review hook scripts before installation
Hooks run automatically. Always review the scripts in the repository to understand what they do.
Start with reviewed plugins
Plugins with the manual review badge have been vetted for quality and safety by marketplace admins.
Keep plugins updated
Plugin authors may release security updates. Check repositories for updates periodically.
Now that you understand plugin safety, learn how to build your own plugins with our creator guide.