Central plugin registry for the devflow toolchain — install Claude Code plugins with a single command.
```bash
claude plugins install https://github.com/bluejayA/devflow-marketplace.git
```
This gives you access to all registered plugins and their skills.
| Plugin | Version | Description |
|---|---|---|
| aidlc | 1.12.0 | AI-DLC methodology workflow plugin (orchestrator-centric, 28 skills + 3 utils, advisory mid-cycle sync, memory templates for best-practice delegation, 4-stage code review) |
| reverse-engineering | 0.4.0 | Brownfield codebase analysis (4-phase pipeline, 3 modes) |
| skill-security-audit | 2.0.0 | Skill security gatekeeper (35 rules, OWASP AST10) |
Standalone skills shipped directly in this repository (skills/ directory):
| Skill | Version | Description |
|---|---|---|
| cargo-review | 2.0.0 | Rust code review (Correctness/Style/Suggestions 3-axis report, parallel subagent, refactoring mode) |
Add your skill directly to the skills/ directory via PR:
```bash
# Fork this repo, then:
mkdir -p skills/my-skill
# Create skills/my-skill/SKILL.md with your skill definition
git add skills/my-skill
git commit -m "feat: add my-skill"
# Push and create PR
```
Add your plugin URL to marketplace.json via PR:
```json
{
  "name": "my-plugin",
  "source": {
    "source": "url",
    "url": "https://github.com/your-org/your-plugin.git"
  },
  "revision": "<full commit SHA>",
  "description": "Your plugin description",
  "version": "1.0.0",
  "strict": false
}
```
Requirements:
- url must be https://github.com/ (other protocols are blocked)
- revision must be a full 40-character commit SHA
- Your plugin repo must have skills/*/SKILL.md structure
Every PR is automatically audited by skill-security-audit:
| Workflow | Trigger | What it does |
|---|---|---|
| Skill Audit Gate | All PRs | Reports audit scope, always passes |
| Skill Audit: Direct | skills/** changes | Audits skill files in the PR |
| Skill Audit: Remote | marketplace.json changes | Clones plugin repo, audits all skills |
- PASSED — No issues, safe to merge
- PASSED with warnings — HIGH/MEDIUM findings, review recommended
- BLOCKED — CRITICAL findings, must fix before merge (check shows red X)
- 2-job isolation: Scan job (read-only) and report job (write permissions) are separated
- Base branch audit tool: Audit tool is loaded from main branch, not PR (prevents tampering)
- URL allowlist: Only https://github.com/ URLs accepted
- Revision pinning: Audits are reproducible via immutable commit SHA
- Fail-Closed: If the audit tool fails to run, the result is BLOCKED (never silent PASSED)
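The URL allowlist, revision pinning and fail-closed rules listed above, sketched as an added example (not code from this repository or from skill-security-audit). The names `check_entry` and `verdict` and the sample entry are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Full SHA-1 commit id only; abbreviated SHAs and branch/tag names are rejected.
FULL_SHA = re.compile(r"[0-9a-f]{40}")

# Constructed sample entry (not taken from the real marketplace.json).
GOOD = {
    "source": {"source": "url", "url": "https://github.com/your-org/your-plugin.git"},
    "revision": "0123456789abcdef0123456789abcdef01234567",
}


def check_entry(entry):
    """Return a list of problems with one marketplace.json entry (empty = acceptable)."""
    problems = []
    parts = urlsplit(entry["source"]["url"])
    # Compare parsed components rather than a string prefix: lookalike hosts such as
    # "https://github.com.evil.example/x" or "https://github.com@evil.example/x"
    # would both pass a startswith("https://github.com") test.
    if parts.scheme != "https":
        problems.append(f"scheme {parts.scheme!r} is not https")
    if parts.hostname != "github.com":
        problems.append(f"host {parts.hostname!r} is not github.com")
    if parts.username is not None or parts.port is not None:
        problems.append("userinfo or explicit port in URL")
    if not FULL_SHA.fullmatch(str(entry.get("revision", ""))):
        problems.append("revision is not a full 40-character commit SHA")
    return problems


def verdict(entry):
    """Fail closed: any error while checking yields BLOCKED, never a silent PASSED."""
    try:
        return "BLOCKED" if check_entry(entry) else "PASSED"
    except Exception:
        return "BLOCKED"
```

A malformed entry (missing keys, unparsable URL) raises inside `check_entry`, and `verdict` turns that into BLOCKED rather than letting the entry through.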
Run the audit locally to catch issues early:
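```bash
claude plugins install https://github.com/bluejayA/skill-security-audit.git
# The Korean prompt below asks: "Inspect ./skills/my-skill with the skill-security-audit skill"
claude "skill-security-audit 스킬로 ./skills/my-skill 을 검사해줘"
```
See the Local Verification Guide and CI Integration Guide for details.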
End-to-end verification performed on 2026-04-02:
| Test | Scenario | Result |
|---|---|---|
| Gate Only | PR with no audit targets | PASS — Gate success, Direct/Remote skipped |
| Direct Clean | Safe skill submission | PASS — PASSED verdict, PR comment posted |
| Direct Dangerous | Malicious skill (4 CRITICAL findings) | PASS — BLOCKED, check failure |
| Remote Plugin | marketplace.json revision change | PASS — External repo cloned and audited |
| URL Allowlist | file:///etc/passwd blocked | PASS — Rejected in 5 seconds |
| Fail-Closed | Missing API key | PASS — BLOCKED (not silent PASSED) |
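The central plugin registry for the devflow toolchain.
```bash
claude plugins install https://github.com/bluejayA/devflow-marketplace.git
```
- Direct: PR that adds a skill directly to the skills/ directory
- Remote: PR that registers a plugin URL in marketplace.json

Every PR is automatically audited by skill-security-audit. If a CRITICAL finding is detected, the merge is blocked.
Local verification is recommended before submitting: Local Verification Guide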
MIT