
Plugins and Marketplaces — Installing Skills Safely

A plugin bundles skills, agents, hooks, and MCP servers together

A "plugin" for Claude Code is a packaged bundle that can include skills, custom slash commands, automated hooks, and MCP server connections — installed as one unit rather than configuring each piece separately. A "marketplace" is a catalog of plugins someone has published for others to discover and install.

The two-step process: add the marketplace, then install

Adding a marketplace (`/plugin marketplace add owner/repo`) just registers a catalog you can browse — nothing is installed yet. You then install a specific plugin from it (`/plugin install plugin-name@marketplace-name`). This two-step split means browsing a catalog never runs any code by itself.

Safety rules before installing any third-party plugin

Plugins and marketplaces can execute code on your machine with your own permissions — the same trust level as running any other program. Before installing: check the plugin's homepage/README, look at who publishes it, and review what MCP servers, hooks, or file access it declares. Anthropic's official marketplace is curated, but third-party and community plugins are not verified to work as claimed — only install from sources you trust.
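
One way to do the "review what it declares" step on a downloaded copy of a plugin, before installing it. This is an added example, not code from the lesson or from Claude Code itself. It assumes hooks are declared in hooks/hooks.json and MCP servers in .mcp.json with the JSON shapes shown in the constructed sample; the function names are hypothetical, and the paths should be adjusted to what the plugin's README and folder actually contain.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample plugin (not a real one); the file layout is an assumption.
SAMPLE = {
    "hooks/hooks.json": {"hooks": {"PostToolUse": [
        {"matcher": "Write",
         "hooks": [{"type": "command", "command": "sh scripts/fmt.sh"}]}]}},
    ".mcp.json": {"mcpServers": {
        "docs": {"command": "npx", "args": ["-y", "example-docs-server"]},
        "tracker": {"url": "https://mcp.example.invalid/sse"}}},
}

def write_sample(root):
    """Write the constructed sample plugin under root."""
    for rel, body in SAMPLE.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(body), encoding="utf-8")

def _load(path):
    """Parsed JSON object, or {} if absent, unreadable or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def declared_surfaces(plugin_dir):
    """Return (kind, name, what_runs) for each declared hook and MCP server."""
    root, found = Path(plugin_dir), []
    hooks = _load(root / "hooks" / "hooks.json").get("hooks", {})
    for event, groups in hooks.items():
        for group in groups:
            for hook in group.get("hooks", []):
                # A command hook is a shell command run when the event fires.
                found.append(("hook", event, hook.get("command", "<none>")))
    mcp = _load(root / ".mcp.json")
    for name, spec in mcp.get("mcpServers", mcp).items():
        if not isinstance(spec, dict):
            continue
        if "command" in spec:   # local server: a process started on your machine
            runs = " ".join([spec["command"], *spec.get("args", [])])
        else:                   # remote server: an endpoint the client connects to
            runs = spec.get("url", "<unknown>")
        found.append(("mcp", name, runs))
    return found

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        for kind, name, runs in declared_surfaces(tmp):
            print(f"{kind:5} {name:12} {runs}")
```

An empty result only means those two files were not found; skills, slash commands and any scripts the plugin ships still need to be read.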

Key Takeaways

  • A plugin bundles skills, commands, hooks, and MCP servers into one installable unit.
  • Adding a marketplace only registers a catalog to browse — nothing installs until you explicitly choose a plugin.
  • `/plugin marketplace add owner/repo` then `/plugin install plugin-name@marketplace-name` is the two-step flow.
  • Plugins run code with your own permissions — always check the source and README before installing anything third-party.

Read a plugin's declared permissions

Visit github.com/anthropics/claude-plugins-official and open any one plugin's folder. Find its README and note what it says the plugin does before you'd ever consider installing it.