You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Jun 21, 2026. It is now read-only.
Several plugins in the repo contain shell scripts or executable code that is downloaded and run by users. However, there's no security scanning or code signing process to verify that synced third-party plugins don't contain malicious commands (e.g., curl | bash piped to sh, exfiltration of environment variables, or cryptocurrency miners).
Given that:
Sync workflows pull code from external repos automatically
Users install these plugins into their Claude Code environment
Some plugins may have shell scripts with elevated permissions
There should be a security audit step in CI that flags:
Several plugins in the repo contain shell scripts or executable code that is downloaded and run by users. However, there's no security scanning or code signing process to verify that synced third-party plugins don't contain malicious commands (e.g.,
curl | bashpiped to sh, exfiltration of environment variables, or cryptocurrency miners).Given that:
There should be a security audit step in CI that flags:
curl,wget)$HOME,$SSH_AUTH_SOCK)$(...), backticks)This is a supply chain security concern for a plugin marketplace.