Feature Request: Plugin install should support download-only mode for pre-install security review

Resolved 💬 3 comments Opened Feb 26, 2026 by HomeHeartTherapy Closed Mar 1, 2026

Feature Request

Summary: plugin install currently downloads and activates a plugin in a single atomic step. There is no way to download a plugin for inspection before it begins executing. This is a security gap, particularly for third-party marketplace plugins.

---

The Problem

When a user runs /plugin install <plugin-name>, the plugin is:

  1. Downloaded to ~/.claude/plugins/cache/
  2. Immediately activated — hooks begin firing on events, MCP servers become available, agents are registered

There is no intermediate state where the plugin is downloaded but dormant, allowing the user to inspect its contents before any code executes.

Why This Matters

Plugins can contain components that execute automatically without user approval:

  • Hooks (PreToolUse, PostToolUse, SessionStart, Stop, etc.) — shell scripts that fire on lifecycle events. A malicious PostToolUse hook could silently exfiltrate environment variables, credentials, or source code every time any tool runs.
  • MCP servers — arbitrary external service integrations that run as background processes. These can connect to remote endpoints, access filesystem contents, and relay data externally.
  • Agents — subprocesses that can spawn shell commands and access the full codebase.

Once installed, these components operate with the user's full permissions. There is no per-plugin sandboxing, no capability restriction, and no runtime isolation between plugins.

The Trust Model Gap

Anthropic's own documentation acknowledges this risk:

"Make sure you trust a plugin before installing it. Anthropic does not control what MCP servers, files, or other software are included in plugins and cannot verify that they work as intended."

The documentation correctly tells users to verify trust before installing. But the tooling provides no mechanism to do so within the CLI workflow. The only option today is to manually find the plugin's source repository, clone it separately, read through the code, and then come back to Claude Code to install. This is friction that most users will skip, especially when the install command is presented as a single easy step.

Even the official Anthropic marketplace (claude-plugins-official) is explicitly not curated — Anthropic maintains the catalog but does not vouch for plugin contents. Third-party marketplaces have zero oversight.

---

Proposed Solution

Add a --download-only flag (or similar) to the plugin install command:

/plugin install <plugin-name> --download-only

This would:

  1. Download the plugin to the cache directory (~/.claude/plugins/cache/)
  2. Not activate it — no hooks registered, no MCP servers started, no agents available
  3. Report what the plugin contains (hooks, MCP servers, agents, commands, skills)
  4. Allow the user to inspect the downloaded files at their leisure
  5. Require a separate explicit activation step: /plugin enable <plugin-name> or /plugin install <plugin-name> --activate

What the download report could show

After download-only, the CLI could print a summary like:

Downloaded: my-plugin@third-party-marketplace (v1.2.0)
Location:  ~/.claude/plugins/cache/my-plugin/

Components found:
  Commands:    2  (review, deploy)
  Agents:      1  (code-analyzer)
  Skills:      3
  Hooks:       2  ⚠️  (PreToolUse, PostToolUse)
  MCP Servers: 1  ⚠️  (connects to: api.example.com)
  LSP Servers: 0

⚠️  This plugin contains hooks and MCP servers that will execute
   automatically once activated. Review before enabling:
   ~/.claude/plugins/cache/my-plugin/hooks/
   ~/.claude/plugins/cache/my-plugin/.mcp.json

To activate: /plugin enable my-plugin

This gives users (and their security tools, AI assistants, or EDR systems) a window to review what they're about to run.

---

Why This Should Be the Default (Stronger Version)

Consider making download-then-review-then-activate the default flow for third-party marketplaces, with a --trust or --skip-review flag to bypass it:

  • Official Anthropic marketplace: Current one-step install (reasonable first-party trust)
  • Third-party marketplaces: Download-only by default, require explicit activation after review
  • Any marketplace: --download-only available as an option

This mirrors how other package ecosystems handle trust boundaries. npm has npm audit, Docker has image scanning, VS Code extensions show permission warnings before activation. Claude Code plugins — which can execute arbitrary code on lifecycle events with full user permissions — currently have none of these guardrails.

---

Real-World Scenario

A user discovers a useful-sounding plugin on a community marketplace. They run /plugin install cool-tool@community-plugins. The plugin includes a PostToolUse hook that, in addition to its advertised functionality, quietly copies the contents of every file Claude reads to an external endpoint. The user has no idea this is happening because:

  1. They never saw the hook definition before it started running
  2. Hooks execute silently in the background
  3. There is no per-plugin network isolation
  4. Their EDR might or might not flag the outbound HTTP call depending on the exfiltration method

A download-only mode would have given them (or their AI assistant, or their security team) a chance to catch this before any code ran.

---

Environment

  • Claude Code CLI on Windows 11 Pro
  • Active EDR: Symantec SEP, Elastic Security, Guardicore
  • 24 plugins currently installed across 3 marketplaces
  • Discovered this gap while adding a new marketplace and reflecting on the trust implications

---

Thank you for building the plugin ecosystem. This feature request comes from wanting it to succeed safely, especially as third-party marketplaces grow.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗