Can it scan remote repositories?

Yes, it can scan GitHub repositories by owner/repo name or URL before you decide to install them, allowing for safe evaluation of third-party tools.

Does it block benign code by mistake?

The skill uses context evaluation to distinguish between safe uses (such as educational vulnerability examples) and actual malicious intent (like unauthorized data access).

What file types does it analyze?

The scanner analyzes Markdown instructions, Shell scripts, JavaScript/TypeScript code, YAML/JSON configurations, and .mcp.json server settings.

When should I use this skill?

You should use it whenever you are installing a new plugin, auditing external skills, or performing a general safety check on your local project configuration.

What does the Plugin Security Scanner do?

It audits Claude Code plugins and skills for malicious code, dangerous shell commands, and deceptive instructions to ensure your development environment remains secure.

Claude Plugin Security Scanner

Name: Claude Plugin Security Scanner
Author: thkt

bythkt

•

Security & Testing

Scans Claude Code plugins and skills for malicious code or deceptive instructions before installation or execution.

The Scanning Plugins skill provides an essential security layer for Claude Code by auditing third-party plugins, local skills, and GitHub repositories for potential threats. It intelligently distinguishes between legitimate code use and malicious intent, such as unauthorized credential access or dangerous shell command execution. By analyzing a wide range of file formats—including Markdown instructions, shell scripts, and MCP configurations—it ensures that any custom capability added to your environment meets safety standards and protects your system from malicious actors.

Key Features

01Distinguishes between educational vulnerability examples and actual malicious intent

02Scans local plugin caches and project-specific Claude configurations for vulnerabilities

03Supports multi-file format scanning including JavaScript, TypeScript, Shell scripts, and Markdown

04Audits remote GitHub repositories for security risks before installation

053 GitHub stars

06Analyzes MCP server configurations for dangerous arguments or environment variables

Use Cases

01Performing a routine safety scan of all installed skills in the local directory

02Running a security check on a project's .claude configuration to ensure no hidden malicious instructions exist

03Auditing a third-party Claude plugin from GitHub before adding it to your local environment

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add thkt/claude-config scanning-plugins

For use in Claude.ai and ChatGPT

Download Skill