How Leopoldo Security-Tests Every Plugin Before Release
Every Leopoldo plugin is scanned with static analysis tools, checked for vulnerabilities, and reviewed before it reaches your machine. Here's exactly how.
Leopoldo Editorial
A Claude Code plugin runs inside your session with the same access you have. It can read files, execute commands, and interact with your codebase. This is what makes plugins powerful, and it is exactly why security testing is non-negotiable.
When you install a plugin into your .claude/ directory, you're trusting that its agents, orchestrators, and hooks will behave as advertised. That trust needs to be earned through rigorous, verifiable testing, not just promises.
Before explaining what we test, it helps to understand what we're testing against.
A malicious or poorly constructed plugin could include instructions that override user intent, exfiltrate data through crafted outputs, or manipulate Claude Code into performing unintended actions.
Plugins that execute shell commands, access network resources, or modify system files need particular scrutiny. Even well-intentioned code can introduce vulnerabilities through unsafe patterns.
As plugins receive updates, every new version is a potential vector. A compromised update could affect every user simultaneously. This makes update-time security testing critical.
Every plugin, and every update, passes through automated static analysis before release. This includes:
**Semgrep scanning** for known vulnerability patterns, unsafe code constructs, and suspicious instructions. Custom rulesets are tuned specifically for Claude Code plugin structures.
**CodeQL analysis** for deeper semantic vulnerability detection. This catches issues that pattern matching alone would miss, including data flow problems and logic vulnerabilities.
**Structure validation** ensuring the plugin conforms to expected formats: correct directory structure, valid configuration files, no unexpected executable content.
Automated tools catch known patterns. Manual review catches everything else. Every plugin release is reviewed for:
This isn't a rubber stamp. Review regularly catches issues that require revision before release.
Once a version passes both automated and manual review, it's pinned in Leopoldo's version database. The update system only delivers versions that have completed the full testing pipeline.
This means there's no path from "code written" to "on your machine" that bypasses security testing. Every version, every update, every patch goes through the same process.
Because Leopoldo plugins receive updates, the security of the update pipeline is as important as the security of the initial release. Here's how updates are secured:
**Pre-release testing:** Every update passes the full Semgrep + CodeQL + manual review pipeline before it's made available.
**Version verification:** The update engine verifies version integrity before installation. Updates are downloaded from Leopoldo's authenticated API, not from arbitrary sources.
**Atomic updates:** Updates install as complete packages, not partial patches. This eliminates the risk of corrupted partial updates leaving the plugin in an inconsistent state.
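As an added illustration of how version verification and atomic installation fit together (example code written for this page, not Leopoldo's update engine, whose package format and API are not described here), the sketch below verifies a downloaded package against a pinned version record before anything is written, installs it into a versioned directory, and switches a "current" symlink in a single rename. The package format (a JSON map of relative path to file text), the `plugin.json` manifest, and the plugin name `demo` are constructed for the example; the symlink swap assumes a POSIX filesystem.

```python
import hashlib, json, os, tempfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_package(package: bytes, pinned: dict) -> dict:
    """Check the download against the pinned release record before anything touches disk."""
    if sha256_hex(package) != pinned["sha256"]:
        raise ValueError("integrity check failed: hash differs from pinned release")
    files = json.loads(package.decode("utf-8"))  # constructed format: {relative path: text}
    if json.loads(files["plugin.json"]).get("version") != pinned["version"]:
        raise ValueError("version mismatch: package is not the pinned version")
    for path in files:  # refuse entries that would escape the install directory
        if os.path.isabs(path) or ".." in path.split("/"):
            raise ValueError(f"unsafe path in package: {path}")
    return files

def install_atomically(files: dict, version: str, root: str, name: str) -> str:
    """Write a versioned directory, then flip the 'current' symlink in one rename (POSIX)."""
    target = os.path.join(root, f"{name}-{version}")
    for rel, content in files.items():
        dest = os.path.join(target, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "w", encoding="utf-8") as fh:
            fh.write(content)
    link, tmp_link = os.path.join(root, name), os.path.join(root, name + ".tmp")
    if os.path.lexists(tmp_link):  # leftover from an interrupted earlier attempt
        os.unlink(tmp_link)
    os.symlink(target, tmp_link)
    os.replace(tmp_link, link)  # readers see the old or the new version, never a mix
    return target

def update_plugin(package: bytes, pinned: dict, root: str, name: str) -> str:
    files = verify_package(package, pinned)  # nothing is written unless this passes
    return install_atomically(files, pinned["version"], root, name)

def run_demo() -> dict:
    """Constructed scenario: good release installs; tampered copy is rejected, old stays current."""
    good = json.dumps({"plugin.json": json.dumps({"name": "demo", "version": "1.2.0"}),
                       "hooks/pre.md": "constructed hook text"}).encode("utf-8")
    pinned = {"version": "1.2.0", "sha256": sha256_hex(good)}
    root = tempfile.mkdtemp()
    installed = update_plugin(good, pinned, root, "demo")
    try:
        update_plugin(good.replace(b"constructed", b"altered"), pinned, root, "demo")
        rejected = False
    except ValueError:
        rejected = True
    current = os.path.realpath(os.path.join(root, "demo"))
    return {"rejected": rejected, "current_is_pinned": current == os.path.realpath(installed)}
```

Because the hash and version checks run before any file is written and the final switch is one rename, a tampered or truncated download can never leave a half-installed plugin behind.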
We believe security claims should be verifiable, not just stated. Every plugin at leopoldo.ai includes documentation of its capabilities and scope. You know exactly what each plugin does, what it accesses, and how it behaves, before you request access.
Explore the full catalog and see what security-tested, professionally maintained plugins look like at leopoldo.ai.
Leopoldo runs automated security scans on every plugin before release, checking for prompt injection vulnerabilities, data exfiltration risks, and unintended system access patterns. This is critical because plugins have access to your filesystem and shell through Claude Code.
Claude Code plugins operate within the same permissions as Claude Code itself, which means they can access files in your project directory. This is why using security-tested plugins from a trusted provider matters. Untested plugins from unknown sources could pose real risks to your data.
Safety depends on the source. Leopoldo is currently the only provider that security-tests every plugin release before distribution. Using unvetted plugins or community-shared prompt files carries risk since they execute with full Claude Code permissions on your machine.