CC Plugin
Advisory
Audited by Static analysis on May 4, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running cleanup can remove cached plugin versions or temp cache directories, which may require reinstalling or resyncing plugins if the wrong content is removed.
The helper script deletes old cached plugin version directories under the Claude plugin cache. This is disclosed and scoped, but it is still destructive if run without review.
CACHE_DIR="${HOME}/.claude/plugins/cache" ... rm -rf "$old_dir"
Run the cleanup script with --dry-run and --verbose first, confirm the target cache path, and keep backups if cached plugin versions matter.
A marketplace repository can change what plugins, skills, hooks, or scripts are available to Claude Code after update.
The marketplace workflow clones and updates external git repositories. That is expected for marketplace management, but the instructions do not add pinning, signature checks, or source verification.
git clone <url> ~/.claude/plugins/marketplaces/<repo-name> ... git -C "$dir" pull
Use trusted marketplace URLs, review remotes and diffs before pulling updates, and avoid bulk-updating unknown marketplaces.
If run inside an untrusted plugin, the npm commands could execute local code as the current user.
The troubleshooting guide tells users to install dependencies and run a build inside a cached plugin. This is expected for HUD plugins, but npm install/build steps can execute code from that plugin or its dependencies.
cd ~/.claude/plugins/cache/<marketplace>/<plugin>/<version>
npm install && npm run build
Only run npm install/build for trusted plugins, inspect package.json and lockfiles when possible, and avoid building plugins from unknown repositories.
A bad or unintended marketplace file could persist into later Claude Code sessions until removed from the cache.
The troubleshooting flow copies plugin components, including agents, hooks, scripts, skills, and MCP config, into the runtime cache loaded at session start.
for item in .claude-plugin .mcp.json agents CLAUDE.md dist hooks scripts skills; do
  [ -e "$MARKET/$item" ] && cp -r "$MARKET/$item" "$CACHE/"
done
Copy only needed files from trusted marketplaces, review plugin components before restarting Claude Code, and remove the cached plugin if unexpected behavior appears.
