/p Claude Code Plugin Marketplace /plugin › Discover

🔍 Search plugins, marketplaces, MCP servers… /

Discover Installed Marketplaces Errors

Talk-prep brief · Session 3 of a series

Plugins & the Marketplace

What plugins actually are, how the official + community marketplaces work, the few that earn their keep, and the trust footgun to flag in any 1–2 hour deep-dive.

survey · 10 min read 21 sources cited updated 2026-05-23 Read default view →

Tier Official · auto-shipped Community · auto-screened Third-party · caveat emptor /plugin marketplace add <name> Sorted by: editorial → stars

Verdict
for the talk

A Claude Code plugin is a packaging unit — a directory bundling any of skills, agents, slash commands, hooks, MCP servers, LSP servers — installed via /plugin from a marketplace (a marketplace.json catalog hosted on GitHub or anywhere reachable). The official Anthropic marketplace ships automatically (~101 plugins, 33 Anthropic + 68 partner as of May 2026)^[20]; the community marketplace is one /plugin marketplace add away, with submissions gated by automated safety screening^[7]. Spend ~25 min on anatomy and install flow, ~15 min on building, and ~15 min on the trust boundary — plugins execute arbitrary code with the user's privileges, and there is already a CVE history to point to^[13].

What's inside a plugin

Identified by .claude-plugin/plugin.json; component dirs go at the plugin root, NOT inside .claude-plugin/ — common landmine^[3].

⚙

Skills

skills/<name>/SKILL.md

Model-invoked capability with a YAML description Claude reads to decide when to use it^[3].

⁄

Slash commands

commands/

User-invoked /plugin-name:foo workflows^[9].

▲

Agents

agents/

Specialised sub-agent definitions invoked by the host or by other agents^[3].

⚡

Hooks

hooks/hooks.json

Event handlers — SessionStart, PreToolUse, Stop^[9].

∀

MCP servers

.mcp.json

Pre-configured external tool integrations bundled with the plugin^[9].

❮>

LSP servers

.lsp.json

Language-server bindings for real-time code intelligence after every edit^[3].

◎

Background monitors

monitors/monitors.json

tail -F-style watchers that push notifications into the session^[3].

⚙

Default settings

settings.json

Plugin-scoped defaults; only agent + subagentStatusLine honoured today^[3].

Plugins worth a slide

Don't recommend the whole shelf — pick the ones that earn their keep. Drawn from the official marketplace's dev workflows^[2] and one of the few honest reviews^[11].

/review:bugs

/review:compliance

/review:context

/review:… (5 agents)

Official 5 agents

pr-review-toolkit

★ —

by Anthropic · claude-plugins-official

Five parallel review agents — compliance, bugs, context, performance, and one more — running concurrent passes over the diff^[2].

Concrete multi-agent demo without leaving the CLI.

/plugin install pr-review-toolkit@claude-plugins-official

/plugin-dev:create-plugin

/plugin-dev:agent-creator

/plugin-dev:skill-reviewer

/plugin-dev:validator

Official meta

plugin-dev

★ —

by Anthropic · claude-plugins-official

The meta-plugin. Bundles a scaffolder, agent-creator, skill-reviewer, and validator so you can build a plugin on stage^[9].

Use it to live-build a plugin during the talk.

/plugin install plugin-dev@claude-plugins-official

! PreToolUse hook

eval / unsafe deserialize

SQL/cmd injection · XSS

⚠ blocked · review · allow

Official hook callback ↔ AI-Sec

security-guidance

★ —

by Anthropic · claude-plugins-official

PreToolUse hook that warns on injection, XSS, eval, and unsafe deserialize patterns before the tool call fires^[9].

Direct callback to session 2 (AI Security).

/plugin install security-guidance@claude-plugins-official

# bridge to your audience's

# own automation work

/agent-sdk-dev:scaffold

/agent-sdk-dev:tools-doc

Official SDK

agent-sdk-dev

★ —

by Anthropic · claude-plugins-official

Skills and agents for building with the Claude Agent SDK — scaffolders, tool-doc generators, eval harnesses^[2].

Bridge into the audience's own automation work.

/plugin install agent-sdk-dev@claude-plugins-official

// after every edit
typescript-lsp ✓
pyright-lsp    ✓
rust-analyzer ✓
→ diagnostics + go-to-def

Official single highest-leverage

typescript-lsp / pyright-lsp / rust-analyzer-lsp

★ —

by Anthropic · claude-plugins-official

Any one LSP pack gives Claude diagnostics and go-to-def after every edit. IDE-grade feedback, in-terminal^[2].

Single highest-leverage install for code work.

/plugin install typescript-lsp@claude-plugins-official

Third-party inspect first 80+ agents

wshobson/agents

★ 36k

by Seth Hobson · github

The headline community pack — 80+ specialised sub-agents, each scoped to a single concern (security review, refactor, perf, etc.)^[15].

Show how to inspect a third-party set before installing.

/plugin marketplace add wshobson/agents

Third-party CLI · templates

davila7/claude-code-templates

★ 28k

by Dan Avila · github

Templating CLI for plugins, agents, and commands — useful as a survey of what people are actually building, not just downloading^[16].

Audit the shape of the community before recommending anything.

npx claude-code-templates

Third-party heavy skill set most-starred

obra/superpowers

★ 204k

by Jesse Vincent (obra) · github

Among the most-installed third-party skill sets in the ecosystem — a curated grab-bag of SKILL.md files, agents, and slash commands^[17].

Reference for "what does scale look like on this surface?"

/plugin marketplace add obra/superpowers

Third-party directory community index

claudemarketplaces.com

170k visitors/mo

community-run discovery directory

Indexes 6,700+ skills, 2,500+ marketplaces, and 840+ MCP servers — the de-facto external catalog when /plugin isn't enough^[14].

Audience research and "what's out there" homework.

browse ↔ https://claudemarketplaces.com

Honest aside. Of 10 popular plugins tested in early 2026, only 4 were judged worth keeping — and the failures were not subtle. Treat the marketplace like npm, not the App Store^[11].

Partner integrations in the official marketplace

Worth name-dropping when you introduce the official tier. Anthropic-vetted, but still third-party code^[6].

GitHub

GitLab

Atlassian

Linear

Asana

Notion

Figma

Vercel

Firebase

Supabase

Slack

Sentry

Stripe

Playwright

Auth0

Datadog

Cloudflare

aws-* family

The three marketplace tiers

One schema, three trust contracts. The schema is published at schemastore.org/claude-code-marketplace.json^[4].

claude-plugins-official

~101plugins

auto on first launch★ 26kAnthropic-curated

33 Anthropic-built + 68 partner integrations, vetted at Anthropic's discretion — no public application process^[20].

# ships automatically

claude-plugins-community

opensubmission

manual add★ 119auto-screened

Anyone can submit via claude.ai/settings/plugins/submit. Anthropic runs automated validation and safety screening; each entry pins to a commit SHA^[7].

/plugin marketplace add anthropics/claude-plugins-community

3rd-party / private

2,500+

manual addgithub / git / URL / pathcaveat emptor

Any GitHub repo, git URL, HTTPS URL, or local path. No curation, no automated screening. Treat exactly like an npm install^[14].

/plugin marketplace add <owner/repo>

Install scopes

Maps cleanly to the standard Claude Code settings tiers. Pick the right one for the demo scenario^[2].

user

~/.claude/settings.json

Personal toolkit across all projects. The default scope.

project

.claude/settings.json · committed

Team-shared via version control. Wire extraKnownMarketplaces here so teammates get prompted to install on first folder-trust^[2].

local

.claude/settings.local.json · gitignored

"Just me, just here." Doesn't follow the repo or your other machines.

Security advisories · the bit that earns the slot

The trust boundary

A plugin executes arbitrary code on the user's machine with their user privileges, just like an npm package^[2]. Anthropic's own docs say so in a <Warning> box. The CVE history below is why session 3 follows session 2.

CVSS 8.7 Oct 2025 · patched

CVE-2025-59536

RCE via hooks / MCP config in .claude/settings.json, before the trust dialog appeared.

Check Point → research report [13]

CVSS 5.3 Jan 2026 · patched

CVE-2026-21852

API key exfiltration via ANTHROPIC_BASE_URL override — a redirect-the-endpoint attack.

Check Point → research report [13]

convention Apr 2026

"TrustFall"

Cloning + opening a hostile repo could trigger code execution before any explicit user consent. A whole-class attack, not a single bug.

Dark Reading → TrustFall write-up [19]

supply-chain Q1 2026

Marketplace dependency hijack

Malicious plugin silently reroutes pip install to an attacker-controlled mirror; behaviour persists across sessions.

SentinelOne → PoC + writeup [12]

Defensive posture · recommend on a slide

The five-line checklist

Treat plugins like dependencies — review source, pin versions, prefer official + community over arbitrary GitHub URLs^[12].
Turn on managed marketplace restrictions for orgs — admin-controlled allowlist, not user discretion^[2].
v2.1.145 lists exactly what a plugin will add before you confirm — read the "Will install" panel^[21].
Auto-update is on by default for official, off for third-party. Don't blindly flip it on for community sources^[2].
Disable auto-update with DISABLE_AUTOUPDATER=1; plugin-only updates via FORCE_AUTOUPDATE_PLUGINS=1^[2].

Plugins & the Marketplace

Editor's pick · live-demo material

commit-commands

What's inside a plugin

Plugins worth a slide

Partner integrations in the official marketplace

The three marketplace tiers

claude-plugins-official

claude-plugins-community

3rd-party / private

Install scopes

The trust boundary

The five-line checklist

Suggested session shape · 60–90 min