plugin-creation
Facilitates the creation of Claude Code plugins, covering skills, commands, and configuration for enhanced functionality.
Security score: 5/100
The plugin-creation skill was audited on May 21, 2026 and we found 7 security issues across 2 threat categories, including 6 high-severity. Review the findings below before installing.
Security Issues
high line 153
Template literal with variable interpolation in command context
Source: SKILL.md
| 153 | - `Setup` - one-time `--init-only` / `--init -p` / `--maintenance -p` preparation. **Distinct from `SessionStart`**: Setup does NOT fire on every launch, so a plugin that needs a dependency installed |
high line 168
Template literal with variable interpolation in command context
Source: SKILL.md
| 168 | **Exec form vs shell form** (v2.1.139+): Command hooks run in **exec form** when `args` is set — `command` resolves as an executable and is spawned directly with each `args` element passed as one argu |
high line 183
Template literal with variable interpolation in command context
Source: SKILL.md
| 183 | **Session-remembrance pattern**: For plugins that maintain per-project state, `/plugin-creation-tools:add-component remembrance-hooks` scaffolds a `SessionStart` + `SessionEnd` hook pair (plus the ins |
high line 212
Template literal with variable interpolation in command context
Source: SKILL.md
| 212 | - `${CLAUDE_PLUGIN_ROOT}` - plugin installation directory |
high line 213
Template literal with variable interpolation in command context
Source: SKILL.md
| 213 | - `${CLAUDE_PROJECT_DIR}` - project root |
high line 214
Template literal with variable interpolation in command context
Source: SKILL.md
| 214 | - `${CLAUDE_ENV_FILE}` - persistent env vars (SessionStart only) |
medium line 174
Webhook reference - potential data exfiltration
Source: SKILL.md
| 174 | - `http` — POST event JSON to a webhook (settings.json only). Use for external services. |
Scanned on May 21, 2026