Claude Plugin Security — Auditing Claude Skills Before You Install
When you run claude plugin install github.com/someone/their-mcp-server, you are running code on your machine with your shell's environment variables. That code is likely a community MCP server whose author you don't know. In the 101-server public corpus, 42 of 101 servers earned an F grade — including 29 vendor-official releases from companies like Cloudflare, Stripe, and Heroku. This page explains what SkillAudit checks before you install, and how to read a grade.
What Claude plugins actually are (and why the risk surface is wider than you think)
A Claude plugin — also called a Claude skill or MCP server, depending on which API surface it uses — is a local process or remote service that Claude Code (or Cursor, Windsurf, or Codex) spawns and calls via the Model Context Protocol. On the stdio transport (the default for most community plugins), the plugin process runs with the same user and environment as your terminal. It has access to your shell environment variables, your filesystem, and any network your machine can reach.
This is not a sandboxed extension system like a browser plugin model. A Claude plugin that calls process.env.GITHUB_TOKEN or fs.readFile(path.join(os.homedir(), '.ssh/id_rsa')) can do so without any additional permission prompt beyond the initial install. The install-time permission declaration (mcp_config.json) is what the client shows you during installation — and in many corpus servers, that declaration is over-broad (fs:read:*, net:*) rather than scoped to the actual minimum.
The six things SkillAudit checks on every Claude plugin
The SkillAudit rubric evaluates each plugin across six axes. In order of typical impact to a developer installing a community plugin:
- Security. SSRF in tool handlers (fetch with LLM-controlled URL), command-exec with unsanitized args, and prompt injection via fetched content. Accounts for ~70% of F-grade findings. The LLM-assisted probe in this axis catches injection paths that static analysis misses.
- Credential exposure. Does the plugin echo your API keys or tokens back to the model through error messages or return values? Does it have hardcoded keys in its source code or git history?
- Permissions hygiene. Do the declared permissions in the plugin's manifest match what its tools actually use? Over-broad declarations amplify the blast radius of any vulnerability in any tool.
- Maintenance. Is the plugin actively maintained? Does it pin its own dependencies? Does it publish semver-tagged releases with a CHANGELOG? An unmaintained plugin that ships with floating dependency ranges can pick up a supply-chain compromise on your next install.
- Client compatibility. Does the plugin work correctly on Claude Code? Does it also work on Cursor or Windsurf if you use those? Compatibility failures are usually not security issues, but they cause confusing silent breakage.
- Documentation completeness. Does the README have a runnable example? Plugins without a runnable example tend to have higher rates of security misconfiguration, because the author has never been forced to reproduce a clean install.
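The Security and Credential exposure axes above describe two concrete patterns in a fetch tool: an LLM-controlled URL passed straight to fetch (SSRF) and a token leaking back through an error message (credential echo). The block below is an added example, not SkillAudit's or any plugin's own code, showing the vulnerable shape beside a hardened one; the function names, the allowlist option and the 8-character redaction threshold are assumptions for illustration.

```javascript
// Added example, not SkillAudit's or any plugin's own code; function names are assumptions.
// Vulnerable shape: model-controlled URL, no validation (SSRF), and the raw error plus the
// token itself returned to the model (credential echo).
async function fetchUrlToolUnsafe(args, fetchImpl = globalThis.fetch) {
  const token = process.env.API_TOKEN;
  try {
    const res = await fetchImpl(args.url, { headers: { Authorization: `Bearer ${token}` } });
    return await res.text();
  } catch (e) {
    return `fetch failed: ${e.message} (token was ${token})`;
  }
}
// Loopback, link-local and RFC 1918 hosts a fetch tool should never be pointed at.
const PRIVATE_HOST = /^(localhost|127\.|0\.|10\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|\[::1\]|\[f[cd]|\[fe80)/i;

// Hardened: http(s) only, no embedded credentials, no private ranges, allowlisted hosts only.
// The WHATWG URL parser normalises shorthand such as 127.1 before the regex sees it.
function validateFetchTarget(rawUrl, allowedHosts) {
  let u;
  try { u = new URL(String(rawUrl)); } catch { return { ok: false, reason: 'unparseable url' }; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: 'credentials embedded in url' };
  if (PRIVATE_HOST.test(u.hostname)) return { ok: false, reason: 'private or loopback host' };
  if (!allowedHosts.includes(u.hostname.toLowerCase())) return { ok: false, reason: `host ${u.hostname} not allowlisted` };
  return { ok: true, url: u.toString() };
}

// Replace any environment value that shows up in a message with a marker. Values shorter
// than 8 chars are skipped so trivial values like "1" do not shred the text (a heuristic).
function redactSecrets(message, env = globalThis.process?.env ?? {}) {
  let out = String(message);
  for (const [name, value] of Object.entries(env)) {
    if (typeof value === 'string' && value.length >= 8 && out.includes(value)) {
      out = out.split(value).join(`[REDACTED:${name}]`);
    }
  }
  return out;
}

async function fetchUrlToolSafe(args, allowedHosts, fetchImpl = globalThis.fetch) {
  const check = validateFetchTarget(args.url, allowedHosts);
  if (!check.ok) return { error: `refused: ${check.reason}` };
  try {
    const res = await fetchImpl(check.url, { headers: { Authorization: `Bearer ${process.env.API_TOKEN}` } });
    return { body: await res.text() };
  } catch (e) {
    return { error: redactSecrets(e.message) }; // never the raw message
  }
}
```

The validation step is what the static part of the Security axis looks for; the redaction step is what keeps a network error from turning into a Credential exposure finding.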
How to use a SkillAudit grade before you install
Paste the plugin's GitHub URL into the audit form. In about 60 seconds you get a grade (A through F) and a per-axis breakdown. If the plugin is already in the public corpus, the grade is there immediately.
How to read the grade in context:
- A grade: No findings across all six axes. Safe to install for typical developer use. Fewer than 1 in 5 corpus plugins hold an A.
- C grade: One-axis warning, others clean. Typically a maintenance finding (unpinned deps, no CHANGELOG) rather than a security one. Usually safe to install with awareness of the specific finding.
- D grade: Multiple findings or one finding in a high-severity axis (Security or Credentials). Read the specific finding before installing. Often fixable by the maintainer in a PR or two — consider filing an issue.
- F grade: A critical finding (SSRF, command-exec, credential echo, or over-broad permissions combined with a Security finding). Do not install on a machine with sensitive credentials in the shell environment until the finding is resolved.
For teams adopting Claude plugins, the install gate policy post shows how to wire a minimum-grade check into CI so that no new plugin install below grade C can land in the team's agent config without a named exception.
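As an added example of the minimum-grade gate described above (not the install-gate policy post's own code), the block below checks every plugin in a team's agent config against a grade table and fails for anything below C unless a named exception with an owner and a reason covers it. The config, grade and exception shapes, and the placeholder repositories, are constructed assumptions.

```javascript
// Added example, not the install-gate policy post's own code: a CI gate that looks up
// each plugin in the team's agent config and fails for anything below the minimum
// grade unless a named, documented exception covers it. Data shapes are assumptions.
const GRADE_RANK = { A: 5, B: 4, C: 3, D: 2, F: 1 };
// An unknown or missing grade never passes: an unaudited plugin is not a graded one.
function gradeMeets(grade, minimum) {
  const rank = GRADE_RANK[grade];
  return rank !== undefined && rank >= GRADE_RANK[minimum];
}
// Returns the list of violations; an empty list means the gate passes.
function gateInstalls(config, grades, exceptions, minimum = 'C') {
  const exceptionFor = new Map(exceptions.map(e => [e.source, e]));
  const violations = [];
  for (const plugin of config.plugins) {
    const grade = grades[plugin.source];
    if (gradeMeets(grade, minimum)) continue;
    const exc = exceptionFor.get(plugin.source);
    if (exc && exc.owner && exc.reason) continue; // named exception with a stated reason
    let why;
    if (grade === undefined) why = 'no SkillAudit grade on record; audit before install';
    else if (exc) why = 'exception is missing an owner or a reason';
    else why = `grade ${grade} is below the minimum ${minimum}`;
    violations.push({ source: plugin.source, grade: grade ?? 'ungraded', why });
  }
  return violations;
}
// Constructed sample data: placeholder repositories and grades, not real plugins.
const SAMPLE_CONFIG = { plugins: [
  { source: 'github.com/example-org/notes-mcp' },
  { source: 'github.com/example-org/deploy-mcp' },
  { source: 'github.com/example-org/search-mcp' },
  { source: 'github.com/example-org/brand-new-mcp' },
] };
const SAMPLE_GRADES = {
  'github.com/example-org/notes-mcp': 'A',
  'github.com/example-org/deploy-mcp': 'F',
  'github.com/example-org/search-mcp': 'D',
};
const SAMPLE_EXCEPTIONS = [
  { source: 'github.com/example-org/search-mcp', owner: 'alice', reason: 'D is for unpinned deps only; upstream fix pending' },
];

// In CI, exit with the returned code; printed here so the block runs stand-alone.
function runGate() {
  const violations = gateInstalls(SAMPLE_CONFIG, SAMPLE_GRADES, SAMPLE_EXCEPTIONS);
  for (const v of violations) console.error(`BLOCKED ${v.source} [${v.grade}]: ${v.why}`);
  return violations.length === 0 ? 0 : 1;
}
runGate();
```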
The vendor-official problem
The most counterintuitive finding in the corpus: 29 of the 42 F-grade plugins are vendor-official releases from well-known companies. The dev-rel team that wrote the demo plugin for the launch announcement is not the security team that audits the production API. A brand name does not mean a security review happened before publication.
The full list — with file paths for each finding — is in 29 vendor-official MCP servers earned an F. Before installing any plugin, regardless of who published it, check the grade.