Plugins

Package and distribute skills, agents, and hooks as shareable bundles

Read time: 6 min

Plugins bundle skills, custom agents, hooks, and MCP servers into a single installable package. Share them with your team, publish them for your organization, or install enterprise-managed plugins from IT/DevOps.


What a Plugin Contains

my-plugin/
├── package.json           # Plugin manifest
├── skills/
│   ├── deploy/
│   │   └── SKILL.md
│   └── code-review/
│       └── SKILL.md
├── agents/
│   └── security-reviewer.md
└── hooks/
    └── settings.json

Skills from a plugin use a namespaced command: /plugin-name:skill-name. This prevents conflicts with project or personal skills of the same name.


Install a Plugin

# From npm
claude plugin add @acme/claude-skills
 
# From a local path (team development)
claude plugin add ./internal-plugins/dev-tools
 
# List installed plugins
claude plugin list
 
# Remove
claude plugin remove @acme/claude-skills

Create a Plugin

1. Initialize

mkdir my-claude-plugin && cd my-claude-plugin
npm init -y

2. Add manifest fields to package.json

{
  "name": "@acme/claude-skills",
  "version": "1.0.0",
  "description": "ACME internal Claude Code skills",
  "claude-plugin": {
    "skills": "skills/",
    "agents": "agents/",
    "hooks": "hooks/settings.json"
  }
}

3. Add skills

mkdir -p skills/deploy
cat > skills/deploy/SKILL.md << 'EOF'
---
name: deploy
description: Deploy the application to production
disable-model-invocation: true
allowed-tools: Bash(./scripts/deploy.sh *)
---
 
Run the deployment pipeline:
1. Run tests: `./scripts/test.sh`
2. Build: `./scripts/build.sh`
3. Deploy: `./scripts/deploy.sh $ARGUMENTS`
4. Verify: check health endpoint
EOF

4. Publish

npm publish --access public
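
A plugin ships tool permissions and hook settings to every machine that installs it, so it is worth reviewing the bundle before publishing it or listing it in managed settings. The script below is an added example, not part of the plugin tooling: it checks that the `claude-plugin` manifest paths stay inside the plugin directory and flags skills whose `allowed-tools` pre-approve unrestricted Bash. Assumptions: frontmatter is parsed line by line rather than as full YAML, the rule that shell-capable skills must set `disable-model-invocation: true` is a policy chosen for this example, and the `cleanup` skill and `../shared/settings.json` path are constructed sample input.

```python
import json, re, tempfile
from pathlib import Path

def parse_frontmatter(text):
    """Return the key: value pairs between the leading '---' lines of a SKILL.md."""
    m = re.match(r"---\n(.*?)\n---", text, re.S)
    lines = m.group(1).splitlines() if m else []
    return {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}

def audit_plugin(root):
    """Return review findings for the plugin directory at `root`."""
    root, findings = Path(root).resolve(), []
    manifest = json.loads((root / "package.json").read_text()).get("claude-plugin")
    if manifest is None:
        return ["package.json has no claude-plugin section"]
    for key, rel in manifest.items():
        # Manifest paths must stay inside the plugin directory.
        if not (root / rel).resolve().is_relative_to(root):
            findings.append(f"manifest {key!r} escapes plugin dir: {rel}")
    skills_dir = (root / manifest.get("skills", "skills/")).resolve()
    if not skills_dir.is_relative_to(root):
        return findings  # never walk a skills path outside the plugin
    for skill_md in sorted(skills_dir.glob("*/SKILL.md")):
        meta = parse_frontmatter(skill_md.read_text())
        name, tools = skill_md.parent.name, meta.get("allowed-tools", "")
        # Bare Bash or Bash(*) pre-approves any shell command.
        if re.search(r"\bBash\b(?!\()|\bBash\(\s*\*\s*\)", tools):
            findings.append(f"{name}: unrestricted Bash in allowed-tools")
        # Policy assumed for this example: shell-capable skills are user-invoked only.
        if re.search(r"\bBash\b", tools) and meta.get("disable-model-invocation") != "true":
            findings.append(f"{name}: Bash allowed without disable-model-invocation: true")
    return findings

def build_sample(root):
    """Write a constructed plugin: the page's deploy skill plus a deliberately loose one."""
    root = Path(root)
    (root / "package.json").write_text(json.dumps({"name": "@acme/claude-skills",
        "claude-plugin": {"skills": "skills/", "hooks": "../shared/settings.json"}}))
    skills = {"deploy": "disable-model-invocation: true\nallowed-tools: Bash(./scripts/deploy.sh *)",
              "cleanup": "allowed-tools: Bash(*)"}
    for name, extra in skills.items():
        (root / "skills" / name).mkdir(parents=True)
        (root / "skills" / name / "SKILL.md").write_text(f"---\nname: {name}\n{extra}\n---\nSteps...\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_plugin(build_sample(tmp)), sep="\n")
```

The `deploy` skill from step 3 passes both checks because its Bash permission is scoped to one script and it disables model invocation; run `audit_plugin` in CI and fail the publish job when the returned list is non-empty.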

Enterprise-Managed Plugins

IT/DevOps can distribute plugins to all developers via managed settings. Developers cannot remove or override managed plugins.

Managed plugins are configured in the organization's managed settings file:

{
  "plugins": [
    "@acme/security-standards",
    "@acme/deployment-tools"
  ]
}

This ensures every developer has the same security hooks, company coding standards, and deployment workflows — without each person installing them manually.

Enterprise-managed plugins for GitHub Copilot CLI are in public preview as of May 2026.


Plugin Skill Namespace

Plugin skills appear in the / menu as plugin-name:skill-name. You can invoke them directly:

/acme-tools:deploy staging
/acme-tools:code-review src/api/

skillOverrides does not apply to plugin skills. Manage them via /plugin instead.


Scope Priority

When skills share the same name across levels, this is the resolution order:

  1. Enterprise managed (always wins)
  2. Personal (~/.claude/skills/)
  3. Project (.claude/skills/)
  4. Plugin (namespaced, so no conflict)

  • Skills — The skills system plugins extend
  • Subagents — Custom agents distributed via plugins
  • Hooks — Hook configurations bundled in plugins