Security Vetting Process for External Claude Plugins: A Complete Technical Guide

External Claude Code plugins must undergo a mandatory three-phase security vetting pipeline—comprising submission, automated validation, and human review—before marketplace approval, with direct pull requests automatically blocked to enforce these standards.

The anthropics/claude-plugins-official repository enforces strict security protocols that prevent third-party plugins from entering the ecosystem without rigorous inspection. Unlike standard open-source workflows, this repository explicitly prohibits direct contributions through pull requests, instead requiring all external plugins to pass through a dedicated security and quality vetting pipeline designed to prevent code injection, data exfiltration, and privilege escalation attacks.

The Three-Phase Security Vetting Pipeline

External plugins progress through three distinct phases before appearing in the Claude marketplace. Each phase targets specific attack vectors and quality requirements.

Phase 1: Submission via Private Review Ticket

Plugin authors initiate the process by submitting a plugin-directory submission form, which creates a private review ticket for the Anthropic marketplace team. According to the repository's README.md, "External plugins must meet quality and security standards for approval" before any code enters the review pipeline.

This ticket-based approach ensures that sensitive security reviews occur outside the public repository, preventing potentially malicious code from being exposed in public pull requests before vetting.

Phase 2: Automated Security Validation

Once submitted, the marketplace team executes the Claude Plugin Validation suite against the plugin source. This automated suite performs multiple security-focused checks:

The validator specifically rejects plugins containing hard-coded secrets, non-HTTPS/WSS MCP server endpoints, or hook scripts with command injection vulnerabilities.

Phase 3: Human Security Review and Approval

After automated checks pass, a security engineer conducts a manual review to identify hidden risks such as indirect data exfiltration pathways and privilege escalation vectors. The reviewer validates that the plugin adheres to the principle of least privilege before merging.

Upon approval, the plugin is integrated into .claude-plugin/marketplace.json, making it installable via the /plugin install command. As documented in plugins/plugin-dev/README.md, the team maintains a "security-first approach with best practices" and requires validation of "all file writes for security."

Automated Blocking of External Pull Requests

The repository enforces a hard barrier against direct external contributions through a GitHub Actions workflow that automatically closes any pull request opened by non-members. This mechanism guarantees that only the internal vetting flow can introduce external plugins.

The workflow defined in .github/workflows/close-external-prs.yml checks author permissions and closes unauthorized PRs with a redirect to the submission form:

if: vars.DISABLE_EXTERNAL_PR_CHECK != 'true'

# … checks author permissions and closes the PR with a comment directing to the

# plugin‑directory‑submission form.

This automation ensures that no external code can bypass the mandatory security pipeline.

Submitting a Plugin for Security Review

Authors must use the official submission channel rather than GitHub pull requests. The process involves:

  1. Submit the form: Open https://clau.de/plugin-directory-submission in your browser to create a private review ticket
  2. Wait for branch creation: After initial triage, the marketplace team creates a review branch (e.g., review/<your-plugin-branch>)
  3. Local development: Clone the repository and checkout your review branch to address feedback

# Clone the official repository

git clone https://github.com/anthropics/claude-plugins-official.git
cd claude-plugins-official

# Checkout your assigned review branch

git checkout review/<your-plugin-branch>

Local Pre-Validation Before Submission

While the Anthropic team runs the full validation suite, authors can execute the same checks locally to accelerate the review process. The plugin-dev toolkit provides the identical validators used in the official pipeline.

Install the development toolkit and run the security validators:


# Install the plugin-dev toolkit

cc --plugin-dir plugins/plugin-dev

# Run the comprehensive validator agent

plugin-validator

For granular validation of specific components, execute the underlying shell scripts directly:


# Validate hook schema compliance

./plugins/plugin-dev/scripts/validate-hook-schema.sh \
  plugins/<your-plugin>/hooks/hooks.json

# Lint hook scripts for unsafe commands

./plugins/plugin-dev/scripts/hook-linter.sh \
  plugins/<your-plugin>/hooks/*.sh

The security-guidance plugin provides real-time feedback during development. When editing files in the plugin directory, the security-reminder hook automatically warns about risky patterns:


# Example warning output when secrets are detected:

# ⚠️ Potential secret found in plugins/my-plugin/.claude-plugin/plugin.json

# → Remove or replace with ${ENV_VAR}

This hook, registered in plugins/security-guidance/.claude-plugin/plugin.json, scans for command injection vectors, XSS vulnerabilities, and hard-coded credentials during the development phase.

Summary

  • Direct PRs are blocked: The close-external-prs.yml workflow automatically rejects external pull requests, enforcing the submission form workflow
  • Three-phase vetting: Submission → Automated validation → Human security review
  • Automated scanners: Front-matter validation, manifest checks, and security hooks detect hard-coded secrets, unsafe MCP URLs, and command injection risks
  • Local validation: Authors can use plugin-validator, validate-hook-schema.sh, and hook-linter.sh to pre-check their plugins
  • Human review: Security engineers validate least-privilege principles and hidden exfiltration risks before marketplace inclusion

Frequently Asked Questions

Can I submit a Claude plugin via pull request?

No. The repository explicitly blocks external pull requests through an automated GitHub Actions workflow. All submissions must use the official plugin-directory submission form at https://clau.de/plugin-directory-submission, which creates a private review ticket for the Anthropic security team.

What specific security issues does the automated validator detect?

The validation suite scans for hard-coded credentials in plugin.json files, unsecured MCP server endpoints (requiring HTTPS/WSS), unsafe hook scripts with command injection vulnerabilities, and XSS vectors. The security-guidance hook specifically flags these patterns during both local development and automated testing phases.

How does the security review ensure the principle of least privilege?

During Phase 3, security engineers manually analyze the plugin's requested permissions, file system access patterns, and network call destinations. They verify that the plugin requests only the minimum necessary privileges to function, checking for potential privilege escalation paths and indirect data exfiltration mechanisms that automated scanners might miss.

Can I test my plugin locally using the same validation tools Anthropic uses?

Yes. The plugin-dev toolkit includes the plugin-validator agent and utility scripts (validate-hook-schema.sh, hook-linter.sh) that mirror the official pipeline. Install the toolkit with cc --plugin-dir plugins/plugin-dev to run identical front-matter, manifest, and security checks before submitting your plugin for review.

Have a question about this repo?

These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:

Share the following with your agent to get started:
curl -s "https://instagit.com/install.md"

Works with
Claude Codex Cursor VS Code OpenClaw Any MCP Client

Maintain an open-source project? Get it listed too →