Can I scan plugins directly from GitHub?

Yes, the skill supports scanning via GitHub repository URLs or 'owner/repo' identifiers to audit code before you clone or install it.

Does this skill protect against MCP server vulnerabilities?

Yes, it specifically audits .mcp.json files to check for suspicious commands, arguments, and environment variables that could compromise your system.

How does it distinguish between security tools and actual threats?

The skill uses context evaluation to differentiate between legitimate use cases, like vulnerability examples in documentation, and actual malicious execution patterns.

What files does the Plugin Security Scanner analyze?

It scans Markdown instructions, shell scripts, JavaScript/TypeScript code, YAML/JSON configurations, and MCP server settings for potential threats.

Plugin Security Scanner

Name: Plugin Security Scanner
Author: thkt

bythkt

•

安全与测试

Scans Claude Code plugins and skills to detect malicious code, deceptive instructions, and unauthorized credential access.

The Plugin Security Scanner is a critical safety tool designed to protect your development environment by auditing third-party Claude Code plugins and skills. It performs deep analysis on local directories and GitHub repositories, scanning diverse file types including shell scripts, JavaScript, and Model Context Protocol (MCP) configurations. By distinguishing between legitimate educational content and malicious execution patterns, this skill ensures that external integrations are safe to use before they are ever installed or executed.

主要功能

01Deep scan of GitHub repositories and local plugin directories

02Multi-format analysis of JS, TS, Shell, YAML, and Markdown files

03MCP server configuration auditing for dangerous commands and env vars

04Heuristic detection for deceptive instructions and malicious hooks

05Context-aware evaluation to reduce false positives in security docs

063 GitHub stars

使用场景

01Auditing a third-party Claude skill from a public repository before installation

02Verifying the security of locally cached plugins in the .claude directory

03Identifying unauthorized credential access patterns in external skill configurations

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add thkt/claude-config scanning-plugins

For use in Claude.ai and ChatGPT

Download Skill