AI coding assistants have rapidly evolved from simple autocomplete engines into fully autonomous agents capable of executing code, managing files, and spawning subprocesses on behalf of the developer. Claude Code, Anthropic’s terminal-based coding agent, ships with a plugin ecosystem that significantly extends this capability surface. That same extensibility introduces a set of security concerns worth examining in detail.
This post covers the Claude Code plugin architecture from a security perspective: marketplaces, skill injection, hooks as a shell execution primitive, process tree inheritance, and the TCC permission model on macOS.