@shnitzel/plugscout

v0.3.4

Claude plugins + Claude connectors + Copilot extensions + Skills + MCP security intelligence framework

Readme

PlugScout helps teams discover, score, and safely install Claude plugins, Claude connectors, Copilot extensions, Skills, and MCP servers with policy-aware risk controls.

Developed by Amit Rintzler.

License: MIT. Copyright (c) 2026 Amit Rintzler. Reuse is allowed, but redistributed copies must keep the copyright and license notice.

What is PlugScout?

PlugScout is a Node.js CLI that unifies multiple AI tooling ecosystems into one searchable catalog and applies trust/risk policy before installation.

You can:

  • Discover Claude plugins, Claude connectors, Copilot extensions, Skills, and MCP servers from one place.
  • Score candidates using trust-first ranking.
  • Enforce install gates using whitelist + quarantine policy.
  • Run continuous checks in CI and scheduled workflows.

Who this is for

  • Teams managing AI tooling catalogs across providers.
  • Developers who want safe recommendations for a specific repository.
  • Maintainers responsible for whitelist/quarantine governance.

Prerequisites

  • Node.js >=18.17
  • npm
  • skills CLI or npx for modern skill installs
  • skill.sh is optional and only needed for some legacy skill.sh-style installs

Install PlugScout (v0.3.4)

Global install (recommended):

```bash
npm install -g @shnitzel/plugscout
plugscout setup
```

`plugscout setup` is a single command that installs prerequisites, writes default config, and syncs all catalogs. No extra steps needed.

From source:

```bash
git clone https://github.com/amitrintzler/plugscout.git plugscout
cd plugscout
git checkout v0.3.4
npm install
npm run setup
```

To install the newest release tag instead of pinning v0.3.4:

```bash
git checkout $(git describe --tags --abbrev=0)
```

Quick Start (2-minute path)

```bash
npm install -g @shnitzel/plugscout
plugscout setup
plugscout scan --project . --format table
plugscout recommend --project . --only-safe --sort trust --limit 10
```

Or from source:

```bash
npm install && npm run setup
npm run scan -- --project . --format table
npm run recommend -- --project . --only-safe --sort trust --limit 10 --details
```

Run `plugscout` with no args to open the home screen.

Important: `top` and `recommend` are repo-aware rankings, not global popularity charts. A higher score means a better match for the current repository under the active policy, using `fit + trust + freshness - security - blocked`. Review each suggestion before installing, and do not install blindly from rank alone.

Installs are now review-gated: run `show --id <catalog-id>` or `assess --id <catalog-id>` before install. Use `--override-review` only when you intentionally want to bypass that safeguard.

For supported legacy MCP entries, PlugScout now prefers direct installers when the target is unambiguous:

  • npm package targets install through `npm install -g`
  • container targets install through `docker pull`
  • ambiguous or binary-asset installs remain explicit/manual

PlugScout also performs a daily interactive update check against GitHub Releases and prints a download hint when a newer release is available.

Video preview/render commands are optional maintainer tooling. They are kept in devDependencies and are not required to install or run the CLI package.

Typical Workflow

Use this lifecycle for day-to-day operation:

```bash
npm run sync
npm run scan -- --project . --format table
npm run top -- --project . --limit 5
npm run recommend -- --project . --only-safe --sort trust --limit 10 --explain-scan
npm run assess -- --id mcp:filesystem
npm run install:item -- --id mcp:filesystem --yes
```

Expected output shape (trimmed):

```text
ID                                TYPE                PROVIDER    RISK      BLOCKED
copilot-extension:actions-...     copilot-extension   github      low(0)    false
claude-plugin:repo-threat-...     claude-plugin       anthropic   low(0)    false
skill:ci-hardening                skill               openai      low(0)    false
```

Core Commands

| Command | Purpose |
| --- | --- |
| `npm run setup` | One-step setup: install prerequisites + init config + sync catalogs |
| `npm run about` | Show version and framework scope |
| `npm run init` | Create project defaults and setup local config (interactive) |
| `npm run doctor -- --install-deps` | Validate runtime prerequisites and bootstrap the skills CLI when missing |
| `npm run sync` | Refresh catalog data from configured registries |
| `npm run scan -- --project . --format table` | Analyze repository capabilities/archetype |
| `npm run top -- --project . --limit 5` | Show top-ranked items for the current context |
| `npm run top -- --project . --limit 5 --details` | Explain rank math, trust/risk interpretation, and install hint per item |
| `npm run recommend -- --project . --only-safe --sort trust --limit 10` | Generate policy-aware recommendations |
| `npm run recommend -- --project . --only-safe --sort trust --limit 10 --details` | Include per-item acceptance evidence (provenance, reasons, tradeoffs) |
| `npm run assess -- --id <catalog-id>` | Evaluate risk for one candidate before install |
| `npm run install:item -- --id <catalog-id> --yes --install-deps` | Install a candidate if policy allows and bootstrap supported install deps when requested |
| `npm run status -- --verbose` | Report catalog health, staleness, and policy status |
| `node dist/cli.js web --open` | Generate readable HTML report with score legend and decision cards |

Packaged CLI-only commands:

  • `plugscout setup` (first-time setup: prerequisites + config + sync in one step)
  • `plugscout` (home screen)
  • `plugscout upgrade check`
  • `plugscout web --open` (readable browser report)
  • `plugscout <command> --no-update-check` (skip daily auto-check for the current run)

Full command reference: docs/cli-reference.md

Safety Model

PlugScout blocks high-risk and critical installs by default.

| Tier | Score | Default install policy |
| --- | --- | --- |
| low | 0-24 | allow |
| medium | 25-49 | allow with warning |
| high | 50-74 | block |
| critical | 75-100 | block |

Risk score meaning:

  • 0 is lowest observed risk signal.
  • 100 is highest risk signal.
  • Higher score means higher risk and stronger install gating.

Whitelist and quarantine state are enforced in recommendation and install flows, and can be continuously maintained with daily verification/quarantine automation.
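The gate described in this section can be modelled as below. This is an added example, not PlugScout's own code: the tier bounds are the ones in the table, while the field names, the rule that an item must be whitelisted, and quarantine taking precedence are assumptions. It shows a risk score that cannot be parsed failing closed, and the review override skipping only the review check.

```javascript
// Added example, not PlugScout source. Tier bounds come from the table above;
// item/state field names and the whitelist rule are assumptions.
const TIERS = [
  { name: 'low', max: 24, policy: 'allow' },
  { name: 'medium', max: 49, policy: 'warn' },
  { name: 'high', max: 74, policy: 'block' },
  { name: 'critical', max: 100, policy: 'block' },
];

// Map a 0-100 risk score to its tier. Anything that is not an integer in
// range fails closed to "critical" instead of slipping through as "low".
function tierFor(score) {
  if (!Number.isInteger(score) || score < 0 || score > 100) return TIERS[3];
  return TIERS.find((t) => score <= t.max);
}

// Decide whether an install may proceed. Every failed check is recorded so
// the caller can report all reasons, not only the first one.
function gateInstall(item, state, opts = {}) {
  const tier = tierFor(item.riskScore);
  const reasons = [];
  const warnings = [];
  if (state.quarantine.has(item.id)) reasons.push('quarantined');
  if (!state.whitelist.has(item.id)) reasons.push('not-whitelisted');
  if (tier.policy === 'block') reasons.push(`tier:${tier.name}`);
  if (tier.policy === 'warn') warnings.push(`tier:${tier.name}`);
  // The review gate is the only check the override flag may skip.
  if (!state.reviewed.has(item.id)) {
    if (opts.overrideReview) warnings.push('review-overridden');
    else reasons.push('review-required');
  }
  return { allowed: reasons.length === 0, tier: tier.name, reasons, warnings };
}

// Constructed sample state and catalog entries (not real PlugScout data).
const state = {
  whitelist: new Set(['mcp:example-ok', 'mcp:example-risky', 'skill:example-new', 'mcp:example-held']),
  quarantine: new Set(['mcp:example-held']),
  reviewed: new Set(['mcp:example-ok', 'mcp:example-risky']),
};
const samples = [
  { id: 'mcp:example-ok', riskScore: 30 },
  { id: 'mcp:example-risky', riskScore: 50 },
  { id: 'skill:example-new', riskScore: 0 },
  { id: 'mcp:example-held', riskScore: 0 },
];
for (const item of samples) console.log(item.id, JSON.stringify(gateInstall(item, state)));
```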

Security deep-dive: docs/security/README.md

Plugin and Connector Catalog Sources

  • Claude plugins: https://claude.com/plugins (scraped with sanitization + host allowlist guards)
  • Claude connectors: https://claude.com/connectors (scraped with sanitization + host allowlist guards)
  • Anthropic GitHub plugin manifests: anthropics/claude-plugins-official, anthropics/knowledge-work-plugins, anthropics/financial-services-plugins
  • GitHub skills marketplaces: numman-ali/n-skills, mhattingpete/claude-skills-marketplace, neondatabase-labs/ai-rules
  • GitHub Claude Code plugin marketplaces: docker/claude-plugins, pleaseai/claude-code-plugins
  • Copilot plugins (official): https://raw.githubusercontent.com/github/copilot-plugins/main/.github/plugin/marketplace.json
  • Copilot plugins (curated): https://raw.githubusercontent.com/github/awesome-copilot/main/.github/plugin/marketplace.json
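A host allowlist guard of the kind mentioned for the scraped sources could look like this. It is an added example, not PlugScout's implementation: the two hosts are the ones written out as URLs in the list above, and treating them as the complete allowlist, along with the function names, is an assumption. The check runs on the parsed hostname and is repeated for every redirect hop, since a guard applied only to the first URL is bypassed by a redirect.

```javascript
// Added example, not PlugScout source. Hosts are taken from the URLs in the
// source list above; using them as the full allowlist is an assumption.
const ALLOWED_HOSTS = new Set(['claude.com', 'raw.githubusercontent.com']);

// Validate one URL. Matching is exact and on the parsed hostname, so
// look-alike suffixes and userinfo tricks do not pass.
function checkCatalogUrl(raw, base) {
  let url;
  try {
    url = new URL(raw, base);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'userinfo' };
  if (url.port !== '') return { ok: false, reason: 'port' };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host' };
  return { ok: true, url: url.href };
}

// Re-apply the guard to every redirect hop. `locations` stands in for the
// Location headers a fetcher sees when it follows redirects manually.
function checkRedirectChain(start, locations, maxHops = 3) {
  let current = checkCatalogUrl(start);
  if (!current.ok) return { ...current, hop: 0 };
  if (locations.length > maxHops) return { ok: false, reason: 'too-many-redirects', hop: maxHops };
  for (let i = 0; i < locations.length; i++) {
    current = checkCatalogUrl(locations[i], current.url); // resolves relative targets
    if (!current.ok) return { ...current, hop: i + 1 };
  }
  return { ...current, hop: locations.length };
}

// Constructed inputs; evil.example is a reserved documentation domain.
const urlSamples = [
  'https://claude.com/plugins',
  'https://CLAUDE.com/connectors',
  'http://claude.com/plugins',
  'https://claude.com.evil.example/plugins',
  'https://claude.com@evil.example/plugins',
  'https://raw.githubusercontent.com:8443/github/copilot-plugins/main/x.json',
];
for (const s of urlSamples) console.log(s, '->', JSON.stringify(checkCatalogUrl(s)));
console.log(JSON.stringify(checkRedirectChain('https://claude.com/plugins',
  ['/plugins/', 'https://cdn.evil.example/catalog.json'])));
```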

Legacy endpoints returning 404 are not used for sync anymore:

  • https://api.anthropic.com/v1/plugins/catalog
  • https://api.github.com/copilot/extensions/catalog

Contributing

  • Follow repository standards in AGENTS.md.
  • Run checks before opening a PR:

```bash
npm run lint
npm run test
npm run build
```

Support

  • Open an issue in the repository for bugs or feature requests.
  • Include command, input, and output snippets when reporting failures.

License

This repository does not yet include a root LICENSE file. Choose and add one before publishing for third-party reuse.