claude-plugins-reference-2026

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The reference explicitly describes installing plugins and marketplaces that pull plugin code and SKILL.md/agent files from public third-party sources (e.g., marketplace.json entries with "source": "github" or "url" and plugin "source" fields), which Claude automatically discovers and invokes—meaning untrusted, user-generated content from those repos/URLs would be fetched and could directly influence tool use and agent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The documentation explicitly shows runtime fetching of external git plugin sources (e.g., https://gitlab.com/team/plugin.git), and fetched plugin repos can contain skills, agents, hooks (command/prompt) and MCP servers that will be executed or injected into agent prompts at runtime, so this is a high-confidence runtime external dependency that can control prompts or execute code.