Claude Code Plugin
The Sigil Security plugin for Claude Code provides native slash commands, two specialized security agents, and auto-scan hooks that trigger when you clone repos or install packages. Requires Claude Code 1.0.33+ and the Sigil CLI.
Why use the Claude Code plugin
The Claude Code plugin is the recommended way to use Sigil with Claude Code. It provides a higher-level interface than the raw MCP server — slash commands instead of tool calls, specialized agents for threat analysis and quarantine management, and hooks that auto-suggest scanning when you mention cloning, installing, or security.
| Feature | Claude Code Plugin | MCP Server |
|---|---|---|
| Slash commands | Yes | No |
| Specialized agents | Yes | No |
| Auto-scan hooks | Yes | No |
| Works with other AI clients | No | Yes |
| Raw tool-level control | No | Yes |
Installation
1. Install the Sigil CLI
# curl (Linux / macOS)
curl -sSL https://sigilsec.ai/install.sh | sh
# Homebrew
brew install nomark/tap/sigil
# npm
npm install -g @sigilsec/cli
2. Add the plugin to Claude Code
Install from the GitHub marketplace:
claude plugin add NOMARJ/sigil
Or install from a local checkout:
git clone https://github.com/NOMARJ/sigil.git
claude plugin add ./sigil/plugins/claude-code
3. Verify the installation
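The two checks in this step, together with the Claude Code 1.0.33+ requirement stated at the top of the page, as a single preflight script. This is an added example, not part of the Sigil project or the plugin. It assumes that `claude --version` prints a dotted version number (such as 1.0.33) somewhere in its output; the exact output format is not documented on this page. The field-by-field comparison matters because a plain string comparison would rank 1.0.9 above 1.0.33.

```shell
#!/bin/sh
# Added example (not the Sigil project's code): preflight check for the plugin's
# two prerequisites. Assumption: `claude --version` prints a dotted version
# number somewhere in its output; this page does not document the format.

MIN_CLAUDE_VERSION="1.0.33"

# first_version TEXT -> prints the first dotted numeric version in TEXT, or nothing.
first_version() {
  printf '%s\n' "$1" | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# version_ge A B -> succeeds if dotted version A >= B, comparing each field as a
# number (1.0.33 > 1.0.9; a missing field counts as 0, so 1.1 > 1.0.33).
version_ge() {
  printf '%s\n%s\n' "$1" "$2" | awk -F. '
    NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; n = NF }
    NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i + 0; if (NF > n) n = NF }
    END {
      for (i = 1; i <= n; i++) {
        if (a[i] + 0 > b[i] + 0) exit 0
        if (a[i] + 0 < b[i] + 0) exit 1
      }
      exit 0
    }'
}

# preflight -> exit 0 when both prerequisites are met, 1 otherwise, saying what is missing.
preflight() {
  status=0
  have=""
  if ! command -v claude >/dev/null 2>&1; then
    echo "claude not found in PATH" >&2; status=1
  else
    have=$(first_version "$(claude --version 2>&1)")
    if [ -z "$have" ]; then
      echo "could not read a version number from 'claude --version'" >&2; status=1
    elif ! version_ge "$have" "$MIN_CLAUDE_VERSION"; then
      echo "Claude Code $have is older than the required $MIN_CLAUDE_VERSION" >&2; status=1
    fi
  fi
  if ! command -v sigil >/dev/null 2>&1; then
    echo "sigil CLI not found in PATH (see step 1)" >&2; status=1
  fi
  [ "$status" -eq 0 ] && echo "prerequisites OK: claude $have, $(command -v sigil)"
  return "$status"
}

# Run the check when the script is invoked with "check"; sourcing it only defines the functions.
[ "${1:-}" = "check" ] && preflight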
# Check the plugin is loaded
claude plugin list
# Check Sigil CLI is available
sigil --version
Slash commands
Four slash commands for security scanning directly in your Claude Code session.
/sigil-security:scan-repo
Scan an entire repository for malicious patterns. Runs all six analysis phases and returns a verdict with detailed findings.
/sigil-security:scan-repo /path/to/repo
# Scan the current working directory
/sigil-security:scan-repo .
/sigil-security:scan-package
Download and scan an npm or pip package before installation. The package is fetched into quarantine and scanned there, so nothing is installed before the scan completes.
# Scan an npm package
/sigil-security:scan-package express
# Scan a pip package
/sigil-security:scan-package requests
/sigil-security:scan-file
Scan an individual file for vulnerabilities. Useful for checking a specific file before running or importing it.
/sigil-security:scan-file src/utils/exec.js
/sigil-security:quarantine-review
Review all items currently in quarantine. Displays status, risk scores, and provides options to approve or reject each item.
/sigil-security:quarantine-review
Specialized agents
Two purpose-built agents provide expert analysis and workflow management beyond what slash commands offer.
@security-auditor
Agent: expert analysis of Sigil scan results. The security-auditor agent interprets findings, identifies threats, explains risk levels, and recommends remediation.
@security-auditor analyze these scan results
@security-auditor is this eval() call safe in context?
@security-auditor explain the risk of this postinstall hook
@quarantine-manager
Agent: manages the quarantine workflow. The quarantine-manager agent lists quarantined items, guides approval or rejection decisions based on scan results, and coordinates bulk operations.
@quarantine-manager review the latest quarantine
@quarantine-manager approve all low-risk items
@quarantine-manager what's still pending?
Auto-scan hooks
The plugin automatically suggests Sigil scans when it detects security-relevant actions in your conversation. No manual invocation needed.
| Trigger | Suggested action |
|---|---|
| git clone <url> | Scan the cloned repository before use |
| pip install <pkg> | Quarantine and scan the package first |
| npm install <pkg> | Quarantine and scan the package first |
| Mentions "security", "scan", "malware" | Offer to run a Sigil scan |
| Mentions "clone", "install", "package" | Suggest scanning before proceeding |
Configuration
Customize plugin behavior through Claude Code's settings.json.
| Setting | Default | Description |
|---|---|---|
| defaultAgent | security-auditor | Which agent handles scan results by default |
| autoApproveThreshold | 0 | Highest risk score approved without review: 0 approves only score-0 results, 9 approves everything rated LOW RISK |
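The rule the autoApproveThreshold setting describes, written out as a stand-alone shell gate. This is an added example and not the plugin's own code. It takes a verdict line in the format shown in the example workflow below (`Verdict: LOW RISK | Score: 0 | Findings: 0`), assumes integer scores with 0-9 as the LOW RISK band (the table's "9 = LOW RISK and below"), and fails closed: a threshold outside 0-9 or a verdict without a readable score is sent to review rather than auto-approved.

```shell
#!/bin/sh
# Added example (not the plugin's code): stand-alone gate applying the
# autoApproveThreshold rule to a Sigil verdict line of the form shown in
# this page's example workflow, e.g. "Verdict: LOW | Score: 4 | Findings: 2".
# Assumptions: integer scores; 0-9 is the LOW RISK band; anything that cannot be
# parsed or a threshold outside 0-9 means "review" (fail closed).

# verdict_score LINE -> prints the integer after "Score:", or nothing if absent.
verdict_score() {
  printf '%s\n' "$1" | sed -n 's/.*Score: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# valid_threshold T -> succeeds only for a single digit 0-9, the documented range.
valid_threshold() {
  case "$1" in
    [0-9]) return 0 ;;
    *)     return 1 ;;
  esac
}

# gate LINE [THRESHOLD] -> prints "approve" or "review".
# The default threshold of 0 mirrors the plugin default: only a score of 0 passes.
gate() {
  line=$1
  threshold=${2:-0}
  score=$(verdict_score "$line")
  if ! valid_threshold "$threshold" || [ -z "$score" ]; then
    # Misconfigured threshold or unreadable verdict: never auto-approve.
    printf 'review\n'
    return 0
  fi
  if [ "$score" -le "$threshold" ]; then
    printf 'approve\n'
  else
    printf 'review\n'
  fi
}

# Constructed sample verdicts, taken from the example workflow on this page.
if [ "${1:-}" = "demo" ]; then
  gate 'Verdict: LOW RISK | Score: 0 | Findings: 0' 0   # approve
  gate 'Verdict: LOW | Score: 4 | Findings: 2' 0        # review
  gate 'Verdict: LOW | Score: 4 | Findings: 2' 9        # approve
  gate 'Verdict: LOW | Score: 4 | Findings: 2' 12       # review (threshold out of range)
  gate 'scanner crashed, no verdict' 9                  # review (nothing to parse)
fi
```

The fail-closed branch is the part worth copying: a scanner crash that produces no verdict must not look like a clean result, and raising the threshold to 9 only widens the band to LOW RISK findings, never beyond it.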
Example workflow
A typical session using the Claude Code plugin to audit a package before installation.
You: Install the left-pad package
↓
Plugin: [auto-hook] Suggesting Sigil scan before install
↓
Claude: Running /sigil-security:scan-package left-pad
↓
Sigil: Verdict: LOW RISK | Score: 0 | Findings: 0
↓
Claude: left-pad — no known malicious patterns detected
(score 0). Installing now.
npm install left-pad
↓
You: Now scan the whole project
↓
Claude: Running /sigil-security:scan-repo .
↓
Sigil: Verdict: LOW | Score: 4 | Findings: 2
↓
Claude: @security-auditor analyze these results
↓
Agent: Two low-severity findings in src/api/client.js:
1. Outbound HTTP to external domain (line 42)
2. Base64-encoded config string (line 89)
Both appear to be legitimate usage patterns.
No further action required.
Troubleshooting
Plugin not loading
Verify the plugin is installed and Claude Code meets the minimum version:
# Check Claude Code version (requires 1.0.33+)
claude --version
# List installed plugins
claude plugin list
# Reinstall the plugin
claude plugin remove sigil-security
claude plugin add NOMARJ/sigil
Sigil CLI not found
The plugin requires the Sigil CLI binary in your PATH:
# Verify sigil is installed
which sigil
sigil --version
# If installed via Homebrew but not found, check your PATH
echo $PATH | tr ':' '\n' | grep -i brew
Slash commands not appearing
If slash commands don't appear in the autocomplete menu, restart Claude Code and verify the plugin is active:
# Restart Claude Code to reload plugins
claude --reload
# Check plugin status
claude plugin list
See also
- MCP Server — tool-based integration for Cursor, Windsurf, and other MCP clients
- CLI Reference — all commands, flags, and scan configuration
- Configuration — config file, ignore rules, and scan policies
- Plugin source on GitHub — source code, issues, and contributions
Need help?
Ask a question in GitHub Discussions or check the troubleshooting guide.