Plugins are code. This document covers the threat model, review guidelines, and safe usage practices for the Outfitter marketplace.
Claude Code plugins can:
- Read and write files in your project
- Execute shell commands
- Make network requests (via MCP servers)
- Access environment variables
- Invoke other tools and agents
This makes plugins a potential supply chain attack vector. Only install plugins you trust.
Each plugin documents its capabilities in its README. Summary:
| Plugin | Filesystem | Shell | Network | MCP |
|---|---|---|---|---|
| baselayer | read | no | no | no |
| gitbutler | read | yes (git/but commands) | no | no |
| agent-kit | read/write | yes (scaffolding) | no | no |
| cli-dev | read | no | no | no |
Capability definitions:
- Filesystem read: Reads files to understand context
- Filesystem write: Creates or modifies files
- Shell: Executes terminal commands
- Network: Makes HTTP requests or connects to external services
- MCP: Connects to MCP servers for extended capabilities
Before installing a plugin, review:
- Source: Is it from a known maintainer? Check the
authorfield in plugin.json - Scripts: Does it include executable scripts? Review them for unexpected behavior
- Capabilities: What can it access? Check the capabilities section in the plugin README
- Changes: When updating, review the diff for new capabilities or scripts
Red flags in plugin code:
- Hardcoded URLs or IP addresses
- Base64 encoded strings
eval()or dynamic code execution- Unexpected network calls
- File operations outside project directory
- Environment variable access beyond documented needs
# Add marketplace
/plugin marketplace add outfitter-dev/agents
# Review plugin before installing
# Check the plugin's README and source code
# Install specific plugin
/plugin install baselayer@outfitterWhen updating plugins:
- Check the changelog or commit history for changes
- Review any new scripts or capabilities
- Test in a non-critical project first if uncertain
Found a security issue? Please report it:
- Email: team@outfitter.dev
- GitHub: Open a private security advisory at https://github.com/outfitter-dev/agents/security
If contributing plugins to this marketplace:
- Minimize capabilities: Only request what you need
- Document everything: List all capabilities in your README
- No auto-execution: Scripts should be explicitly invoked, not auto-run
- Prefer instructions: Use markdown-based skills over executable scripts when possible
- Pin dependencies: If your scripts have dependencies, pin versions
Run the marketplace validation script to check plugin structure:
bun run shared/scripts/validate-marketplace.tsThis validates:
- Marketplace JSON schema
- Plugin metadata completeness
- Required skill fields
- File structure conventions