Remote OpenClaw
Menu

security-guidance

claude-plugins-official

securityClaude Codeby Anthropic

Summary

Security review for Claude-generated code. Pattern-based warnings on edits, LLM-powered diff review on Stop, and an agentic commit reviewer that catches injection, XSS, SSRF, hardcoded secrets, and 25+ other vulnerability classes.

Install to Claude Code

/plugin install security-guidance@claude-plugins-official

Run in Claude Code. Add the marketplace first with /plugin marketplace add anthropics/claude-plugins-official if you haven't already.

README.md

Claude Code Plugins Directory

A curated directory of high-quality plugins for Claude Code.

> ⚠️ Important: Make sure you trust a plugin before installing, updating, or using it. Anthropic does not control what MCP servers, files, or other software are included in plugins and cannot verify that they will work as intended or that they won't change. See each plugin's homepage for more information.

Structure

  • /plugins - Internal plugins developed and maintained by Anthropic
  • /external_plugins - Third-party plugins from partners and the community

Installation

Plugins can be installed directly from this marketplace via Claude Code's plugin system.

To install, run /plugin install {plugin-name}@claude-plugins-official

or browse for the plugin in /plugin > Discover

Contributing

Internal Plugins

Internal plugins are developed by Anthropic team members. See /plugins/example-plugin for a reference implementation.

External Plugins

Third-party partners can submit plugins for inclusion in the marketplace. External plugins must meet quality and security standards for approval. To submit a new plugin, use the plugin directory submission form.

Plugin Structure

Each plugin follows a standard structure:

plugin-name/
├── .claude-plugin/
│   └── plugin.json      # Plugin metadata (required)
├── .mcp.json            # MCP server configuration (optional)
├── commands/            # Slash commands (optional)
├── agents/              # Agent definitions (optional)
├── skills/              # Skill definitions (optional)
└── README.md            # Documentation

Skill-bundle plugins

When a plugin's source repository ships skills (SKILL.md files) without a .claude-plugin/plugin.json manifest, the marketplace entry can declare the skills directly using strict: false and an explicit skills array.

{
  "name": "example-bundle",
  "description": "Brief description of the bundled skills.",
  "author": { "name": "Author Name" },
  "category": "development",
  "source": {
    "source": "git-subdir",
    "url": "https://github.com/example-org/sdk.git",
    "path": "packages/agent-skills",
    "ref": "main",
    "sha": "<commit sha>"
  },
  "strict": false,
  "skills": [
    "./skill-a",
    "./skill-b",
    "./skill-c"
  ],
  "homepage": "https://github.com/example-org/sdk"
}

Each path in skills is relative to source.path and points at a directory containing a SKILL.md. Paths can reach deeper than a single level — for example, ["./libA/skill-1", "./libB/skill-2"] exposes a curated subset across multiple library subdirectories. Each skill is registered as <plugin-name>:<skill-name> in Claude Code.

For the underlying schema, see Strict mode in the marketplace documentation.

License

Please see each linked plugin for the relevant LICENSE file.

Documentation

For more information on developing Claude Code plugins, see the official documentation.

Related plugins

Browse all →

42crunch-api-security-testing

claude-plugins-official

Automate API security directly in Claude Code with 42Crunch - automatically audit OpenAPI specs, detect vulnerabilities aligned with OWASP API Security risks (including BOLA/BFLA), and apply AI-powered fixes. Designed for AI-assisted development workflows, it provides continuous guardrails through an audit->scan->remediate->validate loop, ensuring APIs meet enterprise security standards before deployment.

Open plugin →

auth0

claude-plugins-official

Enterprise-grade auth, easy to implement. Add login, SSO, MFA, and access control to any app with framework-aware guidance.

Open plugin →

crowdstrike-falcon-foundry

claude-plugins-official

CrowdStrike Falcon Foundry development skills for building cybersecurity applications on the Falcon platform. Includes UI development, collections, functions, workflows, API integration, security patterns, and debugging workflows.

Open plugin →

duende-skills

claude-plugins-official

Duende development skills and agents for Claude Code — covering OAuth/OIDC protocols, IdentityServer, token management, ASP.NET Core authentication/authorization, BFF patterns, and secure identity architecture

Open plugin →

jfrog

claude-plugins-official

Use the JFrog Platform from Claude Code: Artifactory repos and artifacts, security findings and exposures, Catalog package safety and downloads, workflows across the SDLC, and platform administration.

Open plugin →

semgrep

claude-plugins-official

Semgrep catches security vulnerabilities in real-time and guides Claude to write secure code from the start.

Open plugin →

Browse

Plugins by category

Other2041development375productivity237communication49design47security46database40workflow30compliance28product24data22bundle21