Configuration and Data Reference

Configuration Files

File	Purpose
`config/registries.json`	Source registries and adapter mapping
`config/providers.json`	Provider policy (enabled, official-only, auth env, polling)
`config/security-policy.json`	Scoring weights and install gates
`config/ranking-policy.json`	Ranking weights, penalties, and tiebreaks
`.skills-mcps.json`	Optional local project defaults generated by `init` (kinds, providers, risk posture)

Runtime State

TOOLKIT_HOME (optional): overrides the writable runtime state root.
Default runtime state root: ~/.plugscout.
State files created under this root include:
- data/catalog/items.json
- data/catalog/sync-state.json
- data/whitelist/approved.json
- data/quarantine/quarantined.json
- data/security-reports/**
- data/system/update-check.json
Default web report output (when using plugscout web): .plugscout/report.html in current working directory.
Set TOOLKIT_DISABLE_UPDATE_CHECK=1 to disable automatic daily update checks.
Local riskPosture behavior:
- balanced: standard list/recommend behavior.
- strict: list/recommend default to safe-only output unless explicitly filtered.

Remote Registry Fields

remote.url
remote.format
remote.entryPath
remote.supportsUpdatedSince
remote.updatedSinceParam
remote.pagination
remote.authEnv
remote.fallbackToLocal

Current plugin source-of-truth configuration:

Claude plugins scrape: https://claude.com/plugins
Claude connectors scrape: https://claude.com/connectors
Anthropic GitHub plugin manifests: https://raw.githubusercontent.com/anthropics/claude-plugins-official/main/.claude-plugin/marketplace.json, https://raw.githubusercontent.com/anthropics/knowledge-work-plugins/main/.claude-plugin/marketplace.json, https://raw.githubusercontent.com/anthropics/financial-services-plugins/main/.claude-plugin/marketplace.json
GitHub skills marketplaces: https://raw.githubusercontent.com/numman-ali/n-skills/main/.claude-plugin/marketplace.json, https://raw.githubusercontent.com/mhattingpete/claude-skills-marketplace/main/.claude-plugin/marketplace.json, https://raw.githubusercontent.com/neondatabase-labs/ai-rules/main/.claude-plugin/marketplace.json
GitHub Claude Code plugin marketplaces: https://raw.githubusercontent.com/docker/claude-plugins/main/.claude-plugin/marketplace.json, https://raw.githubusercontent.com/pleaseai/claude-code-plugins/main/.claude-plugin/marketplace.json
Copilot marketplace (official): https://raw.githubusercontent.com/github/copilot-plugins/main/.github/plugin/marketplace.json
Copilot marketplace (curated): https://raw.githubusercontent.com/github/awesome-copilot/main/.github/plugin/marketplace.json

Dead endpoints intentionally removed from active sync:

https://api.anthropic.com/v1/plugins/catalog
https://api.github.com/copilot/extensions/catalog

Supported remote.format values:

json-array
catalog-json
html

Safety controls for plugin/connector/MCP remotes:

HTTPS-only endpoints.
Host allowlist for plugin/MCP sync: claude.com, www.anthropic.com, raw.githubusercontent.com, github.com, registry.modelcontextprotocol.io.
On remote failure, local fallback entries or last synced state remain in place.

Data Contracts

Primary runtime contracts are validated with Zod:

CatalogItem
RiskAssessment
Recommendation
InstallAudit

Catalog metadata fields used by ranking/UX include:

metadata.catalogType (plugin, connector, standard)
metadata.sourceRepo
metadata.sourcePage
metadata.scrapedAt
metadata.sourceConfidence (official, vetted-curated, scraped)
metadata.sourceType (vendor-feed, public-index, community-list)

CI and Security Workflows

.github/workflows/ci.yml
.github/workflows/security-codeql.yml
.github/workflows/security-dependency-review.yml
.github/workflows/security-secrets.yml
.github/workflows/security-sbom-trivy.yml
.github/workflows/daily-security.yml
.github/workflows/catalog-sync.yml

Backward Compatibility

Legacy ingestion scripts remain available:

npm run ingest:skills
npm run ingest:mcps
npm run ingest:claude-plugins
npm run ingest:copilot-extensions
npm run ingest:all

Validation compatibility script:

npm run validate:data

Publish Checklist

npm run lint
npm run test
npm run build
npm run doctor
npm run verify:claims
npm run smoke:pack
npm run prepush:local

Release readiness checks:

Confirm required checks are green on main.
Confirm docs links and command snippets are up to date.
Confirm policy files and quarantine artifacts are reviewed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Configuration and Data Reference

Configuration Files

Runtime State

Remote Registry Fields

Data Contracts

CI and Security Workflows

Backward Compatibility

Publish Checklist

FilesExpand file tree

reference.md

Latest commit

History

reference.md

File metadata and controls

Configuration and Data Reference

Configuration Files

Runtime State

Remote Registry Fields

Data Contracts

CI and Security Workflows

Backward Compatibility

Publish Checklist