[FEATURE] plugin install --config: support reading values from stdin to keep secrets out of process argv

Open 💬 0 comments Opened Jul 14, 2026 by ilyoung

Feature request

claude plugin install --config <key=value> is currently the only non-interactive way to set a plugin's userConfig value. For fields declared "sensitive": true (API tokens etc.), this forces the secret into the process argument list:

claude plugin install my-plugin@my-marketplace --config api_token="$TOKEN"

While the install runs, the fully-expanded secret is visible in ps aux / /proc/<pid>/cmdline to other processes, and — more importantly — EDR/audit tooling on managed machines commonly collects and durably retains process command lines, turning a transient exposure into a searchable plaintext record in central security logs.

Use case

Plugin setup skills where the agent registers a token on the user's behalf (e.g. read from the clipboard via pbpaste) so the token never enters the chat transcript. The interactive /plugin configure dialog avoids argv but cannot be driven by the agent; --config is agent-drivable but leaks via argv. There is currently no path that is both non-interactive and argv-free.

Proposal

Support reading a config value from stdin, e.g.:

pbpaste | claude plugin install my-plugin@my-marketplace --config api_token=@-
# or
pbpaste | claude plugin install my-plugin@my-marketplace --config-stdin api_token

Precedent: docker login --password-stdin (docker warns on --password for exactly this reason), gh auth login --with-token.

A file-reference form (--config api_token=@/path) would also work but stdin is the safer primitive (no cleanup needed).

Environment

  • Claude Code 2.1.208, macOS (darwin 25.5.0)
  • Observed while building a plugin whose setup skill registers a Slack user token via plugin install --config

🤖 Generated with Claude Code

View original on GitHub ↗