A Claude Code plugin that checks a package for known vulnerabilities and weak project health before Claude installs it. If nothing is found, installation proceeds. If the exact version has known vulnerabilities or the project has a poor security health score, Claude shows a warning and asks you first.
- Known vulnerabilities via OSV.dev — authoritative CVE/GHSA data for the exact version
- Project health via OpenSSF Scorecard (through deps.dev) — a 0–10 score covering code review, maintenance, branch protection, and more
Both APIs are free and require no API key. Supports npm (default), PyPI, Go, Maven, NuGet, RubyGems, and crates.io.
```
/plugin marketplace add Praashh/claude-security-plugin
/plugin install package-security-check@claude-security-plugin
```
Nothing to do — it triggers automatically. Try:
- "Install lodash 4.17.20" → warns about the known vulnerabilities OSV reports for that version and asks before installing
- "Add express to my project" → checks, reports clean, installs
- "Is the moment package safe?" → runs a security check directly
You can also run the check manually:
```
python3 skills/package-security-check/scripts/check_package.py lodash 4.17.20
```

Exit codes: 0 = secure, 1 = warning, 2 = check failed.
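The two lookups behind that script, as an added example that is not the plugin's own `check_package.py`: an OSV.dev `/v1/query` pinned to ecosystem, name and version, then the deps.dev version record to find the source repository and its OpenSSF Scorecard, reduced to the exit codes above. Network access is confined to `fetch_json()`, so the parsing and decision logic runs offline on the constructed responses at the bottom. The 5.0 Scorecard threshold, the deps.dev system mapping (RubyGems left out) and the placeholder advisory identifiers are assumptions.

```python
"""Added example (not the plugin's code): OSV.dev + deps.dev lookups mapped to
exit codes 0 (secure), 1 (warning), 2 (check failed)."""
import json
import sys
from typing import Optional
from urllib.parse import quote
from urllib.request import Request, urlopen

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
DEPS_DEV_BASE = "https://api.deps.dev/v3"

# OSV ecosystem name -> deps.dev system name.  Assumption: deps.dev covers these
# six; RubyGems is left out, so it gets a vulnerability check only.
DEPS_DEV_SYSTEM = {"npm": "npm", "PyPI": "pypi", "Go": "go", "Maven": "maven",
                   "NuGet": "nuget", "crates.io": "cargo"}


def build_osv_query(name: str, version: str, ecosystem: str = "npm") -> dict:
    """Body for POST /v1/query.  Pinning ecosystem, name and version makes OSV
    return only advisories affecting this exact version, not the package history."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def extract_vulns(osv_response: dict) -> list:
    """Keep id, aliases and summary; aliases carry the CVE when the primary id is a GHSA."""
    return [{"id": v.get("id", ""), "aliases": list(v.get("aliases", [])),
             "summary": v.get("summary", "")}
            for v in osv_response.get("vulns", [])]


def source_repo_project(version_response: dict) -> Optional[str]:
    """From a deps.dev version record, pick the SOURCE_REPO project key
    (e.g. "github.com/owner/repo"), which is what the Scorecard is attached to."""
    for rel in version_response.get("relatedProjects", []):
        if rel.get("relationType") == "SOURCE_REPO":
            return rel.get("projectKey", {}).get("id")
    return None


def extract_scorecard(project_response: dict) -> Optional[float]:
    """Overall 0-10 Scorecard score, or None when deps.dev has none for the project."""
    scorecard = project_response.get("scorecard") or {}
    return float(scorecard["overallScore"]) if "overallScore" in scorecard else None


def decide(vulns: Optional[list], score: Optional[float], min_score: float = 5.0):
    """Map findings to the exit codes.  A failed OSV lookup is 2, never 0:
    no data is not the same as no advisories.  A missing Scorecard is treated
    conservatively as a warning rather than a pass (design choice, assumption)."""
    if vulns is None:
        return 2, ["OSV lookup failed; nothing can be asserted about this version"]
    reasons = [f"known vulnerability {', '.join([v['id']] + v['aliases'])}: {v['summary']}"
               for v in vulns]
    if score is None:
        reasons.append("no OpenSSF Scorecard available for the source repository")
    elif score < min_score:
        reasons.append(f"OpenSSF Scorecard {score:.1f} is below {min_score:.1f}")
    return (1 if reasons else 0), reasons


def fetch_json(url: str, body: Optional[dict] = None) -> dict:
    """GET, or POST when a body is given.  Neither API needs a key."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_package(name: str, version: str, ecosystem: str = "npm"):
    """Live check (needs network).  quote(..., safe="") encodes scoped npm names
    such as @scope/pkg and Go module paths for the deps.dev URL."""
    try:
        vulns = extract_vulns(fetch_json(OSV_QUERY_URL, build_osv_query(name, version, ecosystem)))
    except Exception:
        vulns = None
    score = None
    system = DEPS_DEV_SYSTEM.get(ecosystem)
    if system:
        try:
            ver = fetch_json(f"{DEPS_DEV_BASE}/systems/{system}/packages/"
                             f"{quote(name, safe='')}/versions/{quote(version, safe='')}")
            project = source_repo_project(ver)
            if project:
                score = extract_scorecard(fetch_json(f"{DEPS_DEV_BASE}/projects/{quote(project, safe='')}"))
        except Exception:
            score = None
    return decide(vulns, score)


# Constructed responses in the shape the two APIs return; the ids are placeholders, not real advisories.
SAMPLE_OSV = {"vulns": [{"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00000"],
                         "summary": "constructed example advisory"}]}
SAMPLE_VERSION = {"relatedProjects": [
    {"projectKey": {"id": "github.com/example/example-repo"}, "relationType": "SOURCE_REPO"}]}
SAMPLE_PROJECT = {"projectKey": {"id": "github.com/example/example-repo"},
                  "scorecard": {"overallScore": 6.9, "checks": []}}


def offline_demo() -> int:
    """Run the decision path on the constructed samples; returns the exit code (1 here)."""
    vulns = extract_vulns(SAMPLE_OSV)
    score = extract_scorecard(SAMPLE_PROJECT) if source_repo_project(SAMPLE_VERSION) else None
    code, reasons = decide(vulns, score)
    for r in reasons:
        print("WARNING:", r)
    return code


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # same CLI shape as the plugin's script: name version [ecosystem]
        code, reasons = check_package(sys.argv[1], sys.argv[2], *sys.argv[3:4])
        print("\n".join(reasons) or "no findings")
        sys.exit(code)
    sys.exit(offline_demo())
```

Run it with no arguments for the offline demonstration, or as `python3 example.py lodash 4.17.20 npm` with network access for a live query. The split between `fetch_json()` and the pure functions is deliberate: the part that decides whether to block an install is the part worth unit-testing, and it should be testable without hitting either API.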
Detects known vulnerabilities and weak project health. It does not detect malicious packages, typosquats, or vulnerabilities that have not yet been reported, and a clean result is not a guarantee that a package is safe. Pair it with `npm audit` (or your ecosystem's equivalent) and your own judgment for critical projects.
MIT