PlugScout helps teams discover, score, and safely install Claude plugins, Claude connectors, Copilot extensions, Skills, and MCP servers with policy-aware risk controls.
PlugScout is a Node.js CLI that unifies multiple AI tooling ecosystems into one searchable catalog and applies trust/risk policy before installation.
You can:
- Discover Claude plugins, Claude connectors, Copilot extensions, Skills, and MCP servers from one place.
- Score candidates using trust-first ranking.
- Enforce install gates using whitelist + quarantine policy.
- Run continuous checks in CI and scheduled workflows.
Intended users:
- Teams managing AI tooling catalogs across providers.
- Developers who want safe recommendations for a specific repository.
- Maintainers responsible for whitelist/quarantine governance.
- Node.js >=18.17 and npm — that's it.
No manual setup required. Run `plugscout setup` once and it takes care of everything else: installs required CLI dependencies, writes your config, and syncs all catalogs. You don't need to install or configure anything by hand.
Global install (recommended):

```bash
npm install -g @shnitzel/plugscout
plugscout setup
```

`plugscout setup` is a single command that installs prerequisites, writes default config, and syncs all catalogs. No extra steps needed.
From source:

```bash
git clone https://github.com/amitrintzler/plugscout.git plugscout
cd plugscout
git checkout v0.3.4
npm install
npm run setup
```

Install the newest release tag instead of pinning v0.3.4:

```bash
git checkout $(git describe --tags --abbrev=0)
```

Quick start:

```bash
plugscout setup                                        # install deps, write config, sync catalogs
plugscout scan --project . --format table              # analyze your repo
plugscout recommend --project . --only-safe --limit 5  # top safe picks for your stack
```

Expected output:

```
ID                               TYPE               PROVIDER  RISK     BLOCKED
mcp:filesystem                   mcp                mcp       low(10)  false
copilot-extension:repo-security  copilot-extension  github    low(0)   false
skill:secure-prompting           skill              openai    low(0)   false
```

Review any result with `plugscout show --id <id>`, then install with `plugscout install --id <id> --yes`.
```bash
npm install -g @shnitzel/plugscout
plugscout setup
plugscout scan --project . --format table
plugscout recommend --project . --only-safe --sort trust --limit 10
```

Or from source:

```bash
npm install && npm run setup
npm run scan -- --project . --format table
npm run recommend -- --project . --only-safe --sort trust --limit 10 --details
```

Run `plugscout` with no args to open the home screen.
Important: `top` and `recommend` are repo-aware rankings, not global popularity charts. A higher score means a better match for the current repository under the active policy, using `fit + trust + freshness - security - blocked`. Review each suggestion before installing, and do not install blindly from rank alone.
Installs are now review-gated: run `show --id <catalog-id>` or `assess --id <catalog-id>` before install. Use `--override-review` only when you intentionally want to bypass that safeguard.
For supported legacy MCP entries, PlugScout now prefers direct installers when the target is unambiguous:
- npm package targets install through `npm install -g`
- container targets install through `docker pull`
- ambiguous or binary-asset installs remain explicit/manual
PlugScout also performs a daily interactive update check against GitHub Releases and prints a download hint when a newer release is available.
Video preview/render commands are optional maintainer tooling. They are kept in devDependencies and are not required to install or run the CLI package.
Use this lifecycle for day-to-day operation:

```bash
npm run sync
npm run scan -- --project . --format table
npm run top -- --project . --limit 5
npm run recommend -- --project . --only-safe --sort trust --limit 10 --explain-scan
npm run assess -- --id mcp:filesystem
npm run install:item -- --id mcp:filesystem --yes
```

Expected output shape (trimmed):

```
ID                              TYPE               PROVIDER   RISK    BLOCKED
copilot-extension:actions-...   copilot-extension  github     low(0)  false
claude-plugin:repo-threat-...   claude-plugin      anthropic  low(0)  false
skill:ci-hardening              skill              openai     low(0)  false
```
| Command | Purpose |
|---|---|
| `npm run setup` | One-step setup: install prerequisites + init config + sync catalogs |
| `npm run about` | Show version and framework scope |
| `npm run init` | Create project defaults and set up local config (interactive) |
| `npm run doctor -- --install-deps` | Validate runtime prerequisites and bootstrap the skills CLI when missing |
| `npm run sync` | Refresh catalog data from configured registries |
| `npm run scan -- --project . --format table` | Analyze repository capabilities/archetype |
| `npm run top -- --project . --limit 5` | Show top-ranked items for the current context |
| `npm run top -- --project . --limit 5 --details` | Explain rank math, trust/risk interpretation, and install hint per item |
| `npm run recommend -- --project . --only-safe --sort trust --limit 10` | Generate policy-aware recommendations |
| `npm run recommend -- --project . --only-safe --sort trust --limit 10 --details` | Include per-item acceptance evidence (provenance, reasons, tradeoffs) |
| `npm run assess -- --id <catalog-id>` | Evaluate risk for one candidate before install |
| `npm run install:item -- --id <catalog-id> --yes --install-deps` | Install a candidate if policy allows and bootstrap supported install deps when requested |
| `npm run status -- --verbose` | Report catalog health, staleness, and policy status |
| `node dist/cli.js web --open` | Generate readable HTML report with score legend and decision cards |
Packaged CLI-only commands:
- `plugscout setup` (first-time setup: prerequisites + config + sync in one step)
- `plugscout` (home screen)
- `plugscout upgrade check`
- `plugscout web --open` (readable browser report)
- `plugscout <command> --no-update-check` (skip daily auto-check for the current run)
Full command reference: docs/cli-reference.md
PlugScout blocks high-risk and critical installs by default.
| Tier | Score | Default install policy |
|---|---|---|
| low | 0-24 | allow |
| medium | 25-49 | allow with warning |
| high | 50-74 | block |
| critical | 75-100 | block |
Risk score meaning:
- 0 is the lowest observed risk signal.
- 100 is the highest risk signal.
- A higher score means higher risk and stronger install gating.
Whitelist and quarantine state are enforced in recommendation and install flows, and can be continuously maintained with daily verification/quarantine automation.
Security deep-dive: docs/security/README.md
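The gate described by the tier table above, written out as a small Node.js model; this is an added example, not PlugScout's own code. The rank formula quoted earlier is included too, with assumptions: each term is 0-100, the `security` term is the risk score, quarantine always blocks, and a whitelist entry only lifts the medium-tier warning.

```javascript
// Added example: models the risk tiers and default install policy from the
// table above, plus the repo-aware rank formula quoted in this README.
// Not PlugScout's own code; term scales and whitelist semantics are assumptions.
const TIERS = [
  { tier: 'low', max: 24, action: 'allow' },
  { tier: 'medium', max: 49, action: 'allow-with-warning' },
  { tier: 'high', max: 74, action: 'block' },
  { tier: 'critical', max: 100, action: 'block' },
];
// Map a 0-100 risk score onto its tier. Out-of-range input is rejected rather
// than clamped, so a malformed catalog entry cannot slip through as "low".
function riskTier(score) {
  if (!Number.isInteger(score) || score < 0 || score > 100) {
    throw new RangeError(`risk score out of range: ${score}`);
  }
  return TIERS.find((t) => score <= t.max);
}
// Install gate. Assumption: quarantine always blocks; whitelist only lifts the
// medium-tier warning and never overrides a high/critical block.
function installDecision(item) {
  const { tier, action } = riskTier(item.risk);
  if (item.quarantined) return { tier, action: 'block', reason: 'quarantined' };
  if (action === 'allow-with-warning' && item.whitelisted) {
    return { tier, action: 'allow', reason: 'whitelisted' };
  }
  return { tier, action, reason: `risk tier ${tier}` };
}
// Rank = fit + trust + freshness - security - blocked. Assumed: each term is
// 0-100, "security" is the risk score, and "blocked" is a flat 100 penalty.
function rankScore(item) {
  const blocked = installDecision(item).action === 'block' ? 100 : 0;
  return item.fit + item.trust + item.freshness - item.risk - blocked;
}
// `recommend --only-safe --limit N`: drop blocked items, sort by rank, truncate.
function recommend(catalog, { onlySafe = true, limit = 5 } = {}) {
  return catalog
    .map((item) => ({ ...item, decision: installDecision(item), rank: rankScore(item) }))
    .filter((item) => !onlySafe || item.decision.action !== 'block')
    .sort((a, b) => b.rank - a.rank)
    .slice(0, limit);
}
// Constructed sample catalog; ids echo the README's output shape, numbers are invented.
const SAMPLE = [
  { id: 'mcp:filesystem', fit: 80, trust: 70, freshness: 60, risk: 10 },
  { id: 'skill:secure-prompting', fit: 60, trust: 90, freshness: 80, risk: 0 },
  { id: 'mcp:unreviewed-tool', fit: 95, trust: 20, freshness: 90, risk: 80 },
  { id: 'mcp:quarantined-tool', fit: 90, trust: 60, freshness: 70, risk: 30, quarantined: true },
];
```

Running `recommend(SAMPLE)` keeps only the two allowed items, while `recommend(SAMPLE, { onlySafe: false })` shows the blocked ones sinking below them because of the flat penalty.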
Catalog sources:
- Claude plugins: https://claude.com/plugins (scraped with sanitization + host allowlist guards)
- Claude connectors: https://claude.com/connectors (scraped with sanitization + host allowlist guards)
- Anthropic GitHub plugin manifests: anthropics/claude-plugins-official, anthropics/knowledge-work-plugins, anthropics/financial-services-plugins
- GitHub skills marketplaces: numman-ali/n-skills, mhattingpete/claude-skills-marketplace, neondatabase-labs/ai-rules
- GitHub Claude Code plugin marketplaces: docker/claude-plugins, pleaseai/claude-code-plugins
- Copilot plugins (official): https://raw.githubusercontent.com/github/copilot-plugins/main/.github/plugin/marketplace.json
- Copilot plugins (curated): https://raw.githubusercontent.com/github/awesome-copilot/main/.github/plugin/marketplace.json

Legacy endpoints returning 404 are not used for sync anymore:
- https://api.anthropic.com/v1/plugins/catalog
- https://api.github.com/copilot/extensions/catalog
Documentation:
- Architecture: docs/architecture.md
- CLI Reference: docs/cli-reference.md
- Security: docs/security/README.md
- CI Quarantine Automation: docs/ci/daily-quarantine.md
- End-to-End Use Cases: docs/use-cases.md
- Configuration and Data Reference: docs/reference.md
- Functionality Validation Matrix: docs/validation-functionality.md
Contributing:
- Follow repository standards in AGENTS.md.
- Run checks before opening a PR:

```bash
npm run lint
npm run test
npm run build
```

- Open an issue in the repository for bugs or feature requests.
- Include command, input, and output snippets when reporting failures.
MIT. Copyright (c) 2026 Amit Rintzler. Reuse is allowed, but redistributed copies must keep the copyright and license notice.
