# @shnitzel/plugscout

v0.3.35
Claude plugins + Claude connectors + Copilot extensions + Skills + MCP security intelligence framework
PlugScout helps teams discover, score, and safely install Claude plugins, Claude connectors, Copilot extensions, Cursor extensions, Gemini extensions, Skills, and MCP servers with policy-aware risk controls.
## What is PlugScout?
PlugScout is a Node.js CLI that unifies multiple AI tooling ecosystems into one searchable catalog and applies trust/risk policy before installation.
You can:
- Discover Claude plugins, Claude connectors, Copilot extensions, Cursor extensions, Gemini extensions, Skills, and MCP servers from one place.
- Score candidates using trust-first ranking.
- Run live security checks: OSV vulnerability database, npm deprecation, VS Code Marketplace, GitHub repo health.
- Enforce install gates using whitelist + quarantine policy.
- Wire PlugScout as an MCP tool into Cursor, Gemini CLI, Claude Desktop, and other AI clients.
- Run continuous checks in CI and scheduled workflows.
## Who this is for
- Teams managing AI tooling catalogs across providers.
- Developers who want safe recommendations for a specific repository.
- Maintainers responsible for whitelist/quarantine governance.
## Prerequisites

- Node.js >=20 and npm — that's it.

No manual setup required. Run `plugscout setup` once and it takes care of everything else: installs required CLI dependencies, writes your config, and syncs all catalogs. You don't need to install or configure anything by hand.
## Install PlugScout

Global install (recommended):

```bash
npm install -g @shnitzel/plugscout
plugscout setup
```

`plugscout setup` installs prerequisites, writes default config, and syncs all catalogs. No extra steps needed.
From source:

```bash
git clone https://github.com/amitrintzler/plugscout.git plugscout
cd plugscout
git checkout $(git describe --tags --abbrev=0)
npm install
npm run setup
```

## Your first scan

```bash
plugscout setup                                          # install deps, write config, sync catalogs
plugscout scan --project . --format table                # analyze your repo
plugscout recommend --project . --only-safe --limit 5    # top safe picks for your stack
```

Expected output:

```
ID                               TYPE               PROVIDER  RISK     BLOCKED
mcp:filesystem                   mcp                mcp       low(10)  false
copilot-extension:repo-security  copilot-extension  github    low(0)   false
skill:secure-prompting           skill              openai    low(0)   false
```

Review any result with `plugscout show --id <id>`, then install with `plugscout install --id <id> --yes`.
## Quick Start

```bash
npm install -g @shnitzel/plugscout
plugscout setup
plugscout scan --project . --format table
plugscout recommend --project . --only-safe --sort trust --limit 10
```

Or from source:

```bash
npm install && npm run setup
npm run scan -- --project . --format table
npm run recommend -- --project . --only-safe --sort trust --limit 10 --details
```

Run `plugscout` with no args to open the home screen.
Important: `top` and `recommend` are repo-aware rankings, not global popularity charts. A higher score means a better match for the current repository under the active policy, using `fit + trust + freshness - security - blocked`. Review each suggestion before installing, and do not install blindly from rank alone.

Installs are now review-gated: run `show --id <catalog-id>` or `assess --id <catalog-id>` before install. Use `--override-review` only when you intentionally want to bypass that safeguard.

For supported legacy MCP entries, PlugScout now prefers direct installers when the target is unambiguous:

- npm package targets install through `npm install -g`
- container targets install through `docker pull`
- ambiguous or binary-asset installs remain explicit/manual
PlugScout also performs a daily interactive update check against GitHub Releases and prints a download hint when a newer release is available.
Video preview/render commands are optional maintainer tooling. They are kept in devDependencies and are not required to install or run the CLI package.
## Typical Workflow

Use this lifecycle for day-to-day operation:

```bash
npm run sync
npm run scan -- --project . --format table
npm run top -- --project . --limit 5
npm run recommend -- --project . --only-safe --sort trust --limit 10 --explain-scan
npm run assess -- --id mcp:filesystem
npm run install:item -- --id mcp:filesystem --yes
```

Expected output shape (trimmed):

```
ID                             TYPE               PROVIDER   RISK    BLOCKED
copilot-extension:actions-...  copilot-extension  github     low(0)  false
claude-plugin:repo-threat-...  claude-plugin      anthropic  low(0)  false
skill:ci-hardening             skill              openai     low(0)  false
```

## Live Security Checks

`plugscout show` and `plugscout assess` run real-time checks against external sources when displaying an item:

| Source | What's checked |
| --- | --- |
| OSV.dev | Known CVEs for npm packages |
| npm registry | Package deprecation status + latest version |
| VS Code Marketplace | Publisher domain verification, install count, last updated (cursor-extension) |
| GitHub | Repository archived / disabled / last push date |
| Install URL | HTTP reachability (claude-plugin / claude-connector) |
Results are cached for 1–6 hours. Skip them with `--no-live`:

```bash
plugscout show --id mcp:filesystem             # with live checks (default)
plugscout show --id mcp:filesystem --no-live   # skip network checks
```

## Client Setup (Cursor, Gemini, Claude)

Wire PlugScout as an MCP tool into your AI client so you can search and assess items from inside the assistant:

```bash
plugscout client setup --client cursor           # writes ~/.cursor/mcp.json
plugscout client setup --client gemini           # writes ~/.gemini/settings.json
plugscout client setup --client claude-desktop   # writes Claude Desktop config
plugscout client setup --client windsurf         # writes ~/.windsurf/mcp.json
plugscout client setup --client opencode         # writes ~/.opencode/mcp.json
plugscout client setup --client zed              # writes ~/.config/zed/settings.json
# Project-scoped (Cursor only):
plugscout client setup --client cursor --scope project   # writes .cursor/mcp.json
```

After setup, the assistant can call `search_catalog`, `get_item`, and `list_catalog` directly. Run `plugscout doctor` to verify the config was detected.
## Sync

Pull latest entries from all registries:

```bash
plugscout sync           # skip registries synced within the last 6 hours
plugscout sync --force   # re-fetch everything regardless of cache age
```

First sync timing: the MCP registry (registry.modelcontextprotocol.io) contains 10,000+ servers and is fetched in paginated batches. The first full sync takes 5–8 minutes. Subsequent syncs are cached for 6 hours and complete in seconds. Progress is printed per page so you can see it working.

Cursor and Gemini extension lists are served from raw.githubusercontent.com and auto-update on each sync.
## Core Commands
| Command | Purpose |
| --- | --- |
| npm run setup | One-step setup: install prerequisites + init config + sync catalogs |
| npm run about | Show version and framework scope |
| npm run init | Create project defaults and setup local config (interactive) |
| npm run doctor -- --install-deps | Validate runtime prerequisites and bootstrap the skills CLI when missing |
| npm run sync | Refresh catalog data from configured registries |
| npm run scan -- --project . --format table | Analyze repository capabilities/archetype |
| npm run top -- --project . --limit 5 | Show top-ranked items for the current context |
| npm run top -- --project . --limit 5 --details | Explain rank math, trust/risk interpretation, and install hint per item |
| npm run recommend -- --project . --only-safe --sort trust --limit 10 | Generate policy-aware recommendations |
| npm run recommend -- --project . --only-safe --sort trust --limit 10 --details | Include per-item acceptance evidence (provenance, reasons, tradeoffs) |
| npm run assess -- --id <catalog-id> | Evaluate risk for one candidate before install |
| npm run install:item -- --id <catalog-id> --yes --install-deps | Install a candidate if policy allows and bootstrap supported install deps when requested |
| npm run status -- --verbose | Report catalog health, staleness, and policy status |
| node dist/cli.js web --open | Generate readable HTML report with score legend and decision cards |
Packaged CLI-only commands:

- `plugscout setup` (first-time setup: prerequisites + config + sync in one step)
- `plugscout` (home screen)
- `plugscout upgrade check`
- `plugscout web --open` (readable browser report)
- `plugscout client setup --client <cursor|gemini|claude-desktop|windsurf|opencode|zed>` (wire PlugScout as MCP tool)
- `plugscout <command> --no-update-check` (skip daily auto-check for the current run)

Kind aliases (the `--kind` flag accepts short names):
| Alias | Resolves to |
| --- | --- |
| skills | skill |
| mcps | mcp |
| plugins | claude-plugin |
| connectors | claude-connector |
| extensions | copilot-extension |
| cursor, cursor-extensions | cursor-extension |
| gemini, gemini-extensions | gemini-extension |
Full command reference: docs/cli-reference.md
## Safety Model

PlugScout blocks high-risk and critical installs by default.

| Tier | Score | Default install policy |
| --- | --- | --- |
| low | 0-24 | allow |
| medium | 25-49 | allow with warning |
| high | 50-74 | block |
| critical | 75-100 | block |

Risk score meaning:

- 0 is the lowest observed risk signal.
- 100 is the highest risk signal.
- A higher score means higher risk and stronger install gating.
Whitelist and quarantine state are enforced in recommendation and install flows, and can be continuously maintained with daily verification/quarantine automation.
Security deep-dive: docs/security/README.md
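The tier table and review gate above, as an added JavaScript example that is not PlugScout's own code: it scores the live-check signals listed under Live Security Checks, maps the result onto the tier bands, and applies the quarantine and review gates. The per-signal weights, the quarantine-before-score precedence and the `reviewed` flag are assumptions, not documented PlugScout behaviour.

```javascript
// Added example (not PlugScout's own code): turn the README's live-check signals
// into a 0-100 risk score, map it onto the Safety Model tier table, and apply the
// review gate. The signal weights and quarantine precedence are assumptions.

// Tier bands copied from the Safety Model table (inclusive score ranges).
const TIERS = [
  { tier: "low", min: 0, max: 24, policy: "allow" },
  { tier: "medium", min: 25, max: 49, policy: "allow with warning" },
  { tier: "high", min: 50, max: 74, policy: "block" },
  { tier: "critical", min: 75, max: 100, policy: "block" },
];
// Assumed per-signal weights for the checks the README lists.
const WEIGHTS = { osvVuln: 20, npmDeprecated: 25, repoArchived: 30, urlUnreachable: 15 };

// Sum the live-check findings into a risk score; 100 is the highest risk signal.
function riskScore(checks) {
  let score = WEIGHTS.osvVuln * (checks.osvVulnCount ?? 0);
  if (checks.npmDeprecated) score += WEIGHTS.npmDeprecated;
  if (checks.repoArchived) score += WEIGHTS.repoArchived;
  if (checks.installUrlReachable === false) score += WEIGHTS.urlUnreachable;
  return Math.min(100, score);
}

// Resolve a score to its tier; anything outside 0-100 is a caller bug, not a tier.
function tierFor(score) {
  const t = TIERS.find((b) => score >= b.min && score <= b.max);
  if (!t) throw new RangeError(`risk score out of range: ${score}`);
  return t;
}

// Apply the install gate: quarantine blocks unconditionally (assumption), high and
// critical tiers block by policy, and unreviewed items stay blocked unless the
// caller passes the equivalent of --override-review.
function installDecision(item, checks, { overrideReview = false } = {}) {
  const score = riskScore(checks);
  const { tier, policy } = tierFor(score);
  const label = `${tier}(${score})`; // same shape as the RISK column in plugscout output
  if (item.quarantined) return { label, blocked: true, reason: "quarantined" };
  if (policy === "block") return { label, blocked: true, reason: `${tier} risk tier` };
  if (!item.reviewed && !overrideReview) return { label, blocked: true, reason: "review required" };
  return { label, blocked: false, reason: policy };
}

// Constructed sample: one clean item and one deprecated package with two known CVEs.
const CLEAN = installDecision({ id: "mcp:sample-fs", reviewed: true },
  { osvVulnCount: 0, npmDeprecated: false, repoArchived: false, installUrlReachable: true });
const RISKY = installDecision({ id: "mcp:sample-old", reviewed: true },
  { osvVulnCount: 2, npmDeprecated: true, repoArchived: false });
console.log(CLEAN, RISKY); // CLEAN allows at low(0); RISKY blocks at high(65)
```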
## Catalog Sources

Claude plugins / connectors:

- https://claude.com/plugins and https://claude.com/connectors (scraped with sanitization + host allowlist guards)
- Anthropic GitHub manifests: anthropics/claude-plugins-official, anthropics/knowledge-work-plugins, anthropics/financial-services-plugins
- GitHub Claude Code plugin marketplaces: docker/claude-plugins, pleaseai/claude-code-plugins

Skills:

- numman-ali/n-skills, mhattingpete/claude-skills-marketplace, neondatabase-labs/ai-rules

Copilot extensions:

- Official: https://raw.githubusercontent.com/github/copilot-plugins/main/.github/plugin/marketplace.json
- Curated: https://raw.githubusercontent.com/github/awesome-copilot/main/.github/plugin/marketplace.json

Cursor extensions:

- Curated list served from this repository (assets/registries/cursor-extensions.json) — auto-updated on each sync

Gemini extensions:

- Curated MCP servers for Gemini CLI, served from this repository (assets/registries/gemini-extensions.json) — auto-updated on each sync

MCP servers:

- Public MCP directory (10k+ entries)

Legacy endpoints returning 404 are not used for sync anymore:

- https://api.anthropic.com/v1/plugins/catalog
- https://api.github.com/copilot/extensions/catalog
## Where To Go Next

- Architecture: docs/architecture.md
- CLI Reference: docs/cli-reference.md
- Security: docs/security/README.md
- CI Quarantine Automation: docs/ci/daily-quarantine.md
- End-to-End Use Cases: docs/use-cases.md
- Configuration and Data Reference: docs/reference.md
- Functionality Validation Matrix: docs/validation-functionality.md
## Contributing

- Follow repository standards in AGENTS.md.
- Run checks before opening a PR:

```bash
npm run lint
npm run test
npm run build
```

## Support
- Open an issue in the repository for bugs or feature requests.
- Include command, input, and output snippets when reporting failures.
## License
MIT. Copyright (c) 2026 Amit Rintzler. Reuse is allowed, but redistributed copies must keep the copyright and license notice.

