Feature Request: Plugin install should support download-only mode for pre-install security review
Feature Request
Summary: plugin install currently downloads and activates a plugin in a single atomic step. There is no way to download a plugin for inspection before it begins executing. This is a security gap, particularly for third-party marketplace plugins.
---
The Problem
When a user runs /plugin install <plugin-name>, the plugin is:
- Downloaded to
~/.claude/plugins/cache/ - Immediately activated — hooks begin firing on events, MCP servers become available, agents are registered
There is no intermediate state where the plugin is downloaded but dormant, allowing the user to inspect its contents before any code executes.
Why This Matters
Plugins can contain components that execute automatically without user approval:
- Hooks (
PreToolUse,PostToolUse,SessionStart,Stop, etc.) — shell scripts that fire on lifecycle events. A maliciousPostToolUsehook could silently exfiltrate environment variables, credentials, or source code every time any tool runs. - MCP servers — arbitrary external service integrations that run as background processes. These can connect to remote endpoints, access filesystem contents, and relay data externally.
- Agents — subprocesses that can spawn shell commands and access the full codebase.
Once installed, these components operate with the user's full permissions. There is no per-plugin sandboxing, no capability restriction, and no runtime isolation between plugins.
The Trust Model Gap
Anthropic's own documentation acknowledges this risk:
"Make sure you trust a plugin before installing it. Anthropic does not control what MCP servers, files, or other software are included in plugins and cannot verify that they work as intended."
The documentation correctly tells users to verify trust before installing. But the tooling provides no mechanism to do so within the CLI workflow. The only option today is to manually find the plugin's source repository, clone it separately, read through the code, and then come back to Claude Code to install. This is friction that most users will skip, especially when the install command is presented as a single easy step.
Even the official Anthropic marketplace (claude-plugins-official) is explicitly not curated — Anthropic maintains the catalog but does not vouch for plugin contents. Third-party marketplaces have zero oversight.
---
Proposed Solution
Add a --download-only flag (or similar) to the plugin install command:
/plugin install <plugin-name> --download-only
This would:
- Download the plugin to the cache directory (
~/.claude/plugins/cache/) - Not activate it — no hooks registered, no MCP servers started, no agents available
- Report what the plugin contains (hooks, MCP servers, agents, commands, skills)
- Allow the user to inspect the downloaded files at their leisure
- Require a separate explicit activation step:
/plugin enable <plugin-name>or/plugin install <plugin-name> --activate
What the download report could show
After download-only, the CLI could print a summary like:
Downloaded: my-plugin@third-party-marketplace (v1.2.0)
Location: ~/.claude/plugins/cache/my-plugin/
Components found:
Commands: 2 (review, deploy)
Agents: 1 (code-analyzer)
Skills: 3
Hooks: 2 ⚠️ (PreToolUse, PostToolUse)
MCP Servers: 1 ⚠️ (connects to: api.example.com)
LSP Servers: 0
⚠️ This plugin contains hooks and MCP servers that will execute
automatically once activated. Review before enabling:
~/.claude/plugins/cache/my-plugin/hooks/
~/.claude/plugins/cache/my-plugin/.mcp.json
To activate: /plugin enable my-plugin
This gives users (and their security tools, AI assistants, or EDR systems) a window to review what they're about to run.
---
Why This Should Be the Default (Stronger Version)
Consider making download-then-review-then-activate the default flow for third-party marketplaces, with a --trust or --skip-review flag to bypass it:
- Official Anthropic marketplace: Current one-step install (reasonable first-party trust)
- Third-party marketplaces: Download-only by default, require explicit activation after review
- Any marketplace:
--download-onlyavailable as an option
This mirrors how other package ecosystems handle trust boundaries. npm has npm audit, Docker has image scanning, VS Code extensions show permission warnings before activation. Claude Code plugins — which can execute arbitrary code on lifecycle events with full user permissions — currently have none of these guardrails.
---
Real-World Scenario
A user discovers a useful-sounding plugin on a community marketplace. They run /plugin install cool-tool@community-plugins. The plugin includes a PostToolUse hook that, in addition to its advertised functionality, quietly copies the contents of every file Claude reads to an external endpoint. The user has no idea this is happening because:
- They never saw the hook definition before it started running
- Hooks execute silently in the background
- There is no per-plugin network isolation
- Their EDR might or might not flag the outbound HTTP call depending on the exfiltration method
A download-only mode would have given them (or their AI assistant, or their security team) a chance to catch this before any code ran.
---
Environment
- Claude Code CLI on Windows 11 Pro
- Active EDR: Symantec SEP, Elastic Security, Guardicore
- 24 plugins currently installed across 3 marketplaces
- Discovered this gap while adding a new marketplace and reflecting on the trust implications
---
Thank you for building the plugin ecosystem. This feature request comes from wanting it to succeed safely, especially as third-party marketplaces grow.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗