ccpi-marketplace
Pass
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches the
ccpiCLI tool from the NPM registry via@intentsolutionsio/ccpiusingpnpm. - [EXTERNAL_DOWNLOADS]: Downloads and adds plugin packs from the
jeremylongshore/claude-code-plugins-plus-skillsrepository on GitHub. - [COMMAND_EXECUTION]: Uses the
Bashtool to executeccpimarketplace commands, including search, install, list, and update operations. - [PROMPT_INJECTION]: The skill provides an interface to a marketplace (tonsofskills.com) which introduces a surface for indirect prompt injection via third-party plugin content.
- Ingestion points: Marketplace search results and plugin metadata from GitHub.
- Boundary markers: None explicitly defined for external content processing.
- Capability inventory:
Bash,WebFetch,Read,Write. - Sanitization: Relies on the underlying agent platform's plugin validation and the
ccpitool's handling.
Audit Metadata