sagemaker-ai was dropped from the marketplace in #1762 (validate-plugins
adoption) due to a manifest/YAML error. AWS has since fixed it; the plugin
validates clean at awslabs/agent-plugins@187edde (claude plugin validate passes).
Re-listed as a git-subdir source SHA-pinned to current monorepo HEAD,
matching its sibling AWS entries (deploy-on-aws, databases-on-aws).
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both plugins in awslabs/agent-plugins had their subpaths edited in commit
187edde (after the morning bump cron pinned them to f16aaf2a), so they fell
behind again on merge. Manual catch-up bump to current monorepo HEAD.
- databases-on-aws: 4 files changed under plugins/databases-on-aws/ (v1.1.0)
- deploy-on-aws: 7 files changed under plugins/deploy-on-aws/ (v1.2.0)
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The nvidia-skills entry was added in PR #2088 with:
"source": {
"source": "git-subdir",
"url": "https://github.com/NVIDIA/skills.git",
"path": "plugins/nvidia-skills",
"ref": "main"
}
It's missing the required `sha` field. The marketplace validator
enforces invariant I5 ("source.sha is missing or not a 40-char hex
SHA") on every git-subdir source — without it, the action fails:
##[error]invariant I5: nvidia-skills: source.sha is missing or not
a 40-char hex SHA
This has been silently failing the "Validate Plugins" CI on every
PR that touches marketplace.json since #2088 merged on 2026-05-03.
Confirmed by checking the last 5 completed validate runs on main —
all 5 ❌, including PR #2114 (security-guidance bump that you merged
earlier today). The validator failure was getting swallowed because
all the other PR-level checks (Check MCP URLs, Scan Plugins, Validate
Plugin Licenses) were passing, and humans were `gh pr merge --admin`-ing
through it.
Fix: add the sha field pinned to the current upstream HEAD of
github.com/NVIDIA/skills.git on the `main` branch.
Resolved via: git ls-remote https://github.com/NVIDIA/skills.git refs/heads/main
SHA: 62b685a20ac45285cafd1e22782abbed33172c17
This mirrors the shape of other git-subdir entries with both `ref`
and `sha` (e.g. 42crunch-api-security-testing pins ref="v1.5.5",
sha="b404d99a...", adobe-for-creativity pins ref="main", sha="8d74ee6b...").
Unblocks every in-flight PR that touches marketplace.json — including
PR #2154 (security-guidance venv-deepdive) which is currently
red-blocked on this.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The 8 PRs we shipped since 2026-05-26 (#2076, #2077, #2078, #2086,
#2091, #2100, #2101, #2105) all changed plugin code without bumping
the version. CC's plugin updater uses string equality for the
freshness check (pluginOperations.ts:1835):
const isUpToDate =
installation.version === newVersion ||
installation.installPath === versionedPath ||
installation.installPath === zipPath
if (isUpToDate) return { alreadyUpToDate: true }
Users who installed v2.0.0 anywhere between 2026-05-26 and 2026-05-31
have `installation.version === "2.0.0"` in their installed_plugins.json.
The marketplace also advertises "2.0.0" (until this commit), so
isUpToDate returns true and the plugin cache directory is never
refreshed — they keep running whatever 2.0.0 code was current on the
day they installed. The marketplace git pull happens; the per-user
cache install does NOT.
Empirical evidence: in BQ today (5/31) on Windows v2.0.0 fires,
**73% emit sdk_bootstrap outcome 4 (SKIP_WIN32)** — a code path
retired in PR #2055's Windows-enable fix. Those users are running a
plugin tree that pre-dates the fix, even though their telemetry
shows pv=20000.
The fix is a one-line version bump. Once the marketplace advertises
2.0.1, every CC autoupdate cycle sees installation.version (2.0.0)
!= newVersion (2.0.1), installs the new version, and the user's next
session loads the fixed code.
This PR:
1. plugins/security-guidance/.claude-plugin/plugin.json: 2.0.0 → 2.0.1
2. .claude-plugin/marketplace.json security-guidance entry: 2.0.0 → 2.0.1
What 2.0.1 carries (versus 2.0.0 as published 5/26):
- #2076 — Graphite gt commit/push detection
- #2077 — hookSpecificOutput.additionalContext on async-rewake exit-2
- #2078 — CLAUDE_CONFIG_DIR support
- #2086 — core.quotePath=false on diff feeders (Arabic/Hebrew/CJK paths)
- #2091 — fix Bash(...|...) if-clause regression from #2076
- #2100 — drop text=True from subprocess.run, bake PYTHONUTF8=1 (Windows non-cp1252 path crash)
- #2101 — core.quotePath=false on GIT_CMD globally
- #2105 — output_format → output_config.format API migration (#2098)
Verified locally:
- plugin.json + marketplace.json both valid JSON.
- _read_plugin_version_int() returns 20001 (was 20000).
- Existing test suite passes — 408 tests, no regressions caused by
the version bump itself. (29 unrelated failures are from
test_telemetry_failure_signals.py which expects PR #2112's
not-yet-merged code.)
Going forward: bumping `patch` on every functional PR closes this
gap entirely. Without that policy, every fix only reaches NEW
installs, never the existing fleet.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Refresh Convex plugin: rename to `convex`, bump SHA to v1.0.1, richer metadata
Picked up from sethconvex's PR #1966 (auto-closed by membership gate).
Original entry added by Tobin in PR #1918 (2026-05-18).
Changes to the Convex marketplace.json entry:
- **Rename slug** `convex-backend` → `convex` to match the single-brand-word
convention used by every peer in the database/backend neighborhood
(`supabase`, `firebase`, `mongodb`, `prisma`, `clickhouse`, `cockroachdb`,
`cloud-sql-postgresql`, `alloydb`). New `displayName: "Convex"` keeps the
directory UI label unchanged.
- **Bump SHA pin to `59663a5`** (plugin v1.0.1) — current HEAD of
`get-convex/convex-backend-skill` `main`. New SHA adds:
- `agents/convex-expert.md` — subagent encoding non-negotiable Convex code
rules (object-form syntax, validator requirements, index naming,
internal-vs-public, schema evolution, resource limits). Loaded only
when delegated to.
- `monitors/monitors.json` — runtime-error monitor streaming
`npx convex logs`, surfacing matched errors as notifications. Self-guards
on unlinked projects. `when: on-skill-invoke:design` so it only starts
after the skill is invoked.
- `.mcp.json` — auto-wires the Convex MCP server
(`npx -y convex@latest mcp start`, local stdio).
- Public-facing README (install / how-to-use / what's bundled / capabilities).
- `paths` gate on the skill — `[convex/**, convex.json, package.json]` for
auto-invocation precision.
- `description` / `when_to_use` split on the skill frontmatter.
- **Refresh marketplace entry metadata** — `displayName`, `keywords` (15
discovery tags), `author.url`, expanded `description`, category changed from
`development` to `database` (matches every peer), `homepage` repointed at the
plugin repo (matches the `supabase` pattern).
Verified locally:
- Author affiliation confirmed: `seth@convex.dev` commit email, write access
to the canonical `get-convex/` org.
- `claude plugin validate`: PASS.
- Static audit: PASS @ 92 (manifest 96, security 93, quality 80, docs 100).
- MCP server is local stdio (`has_remote_mcp=false`) — passes the -official
add-official Phase 2e gate.
Recommender skill changes from the original PR are split into a follow-up.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Re-pin Convex to 5e59870 (post upstream fix merge)
Upstream PR get-convex/convex-backend-skill#1 merged 2026-05-23. The
agents-field array-shape fix now applies; claude plugin validate passes
on both the full plugin (with marketplace.json) and the isolated
plugin.json — including the external-validator gate this PR previously
failed on.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Updates ui5 and ui5-typescript-conversion to the renamed upstream
repo UI5/plugins-coding-agents (formerly UI5/plugins-claude) and
bumps both SHA pins to current upstream main.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds the /create-docker-mcp-tunnel command, which drives the MCP tunnels
Docker Compose quickstart end to end: preflight checks, certificate
generation, proxy config, cloudflared, an optional sample FastMCP server,
and verification from Managed Agents and the Messages API.
Migrated from anthropic-experimental/mcp-tunnel-skills.
🏠 Remote-Dev: homespace
Bumps the mercadopago plugin pin from 1de8d97e to 63ff263c (latest main).
v2 replaces the mcp-launcher.sh keychain-read / npx -y mcp-remote
wrapper with a plain type:"http" MCP entry pointing at
https://mcp.mercadopago.com/mcp, and consolidates 13 skills into 4
orchestration skills. The pinned SHA also includes the May 19 fix
that gates the PreToolUse hook on project relevance so it no longer
runs on unrelated projects.
Description updated to match the partner's v2 self-description.
https://claude.ai/code/session_01KRC2Uv6UaFFdrt7sjn45yT
Co-authored-by: Claude <noreply@anthropic.com>
* Bump 26 plugin SHA pins to upstream HEAD
* Revert mercadopago SHA bump
The new upstream SHA adds a PreToolUse hook that fires on every
Bash/Edit/Write/Read in all sessions and globally blocks reading .env
files, regardless of project relevance. The policy scan flags this as
out of scope for what the plugin description advertises. Leave at the
prior pin until the upstream gates the hook on project relevance.
* Fix broken plugin source configs and bump their SHAs
Several external plugins had source configs that no longer matched the
upstream layout, so the automated SHA bump skipped them indefinitely.
Add the missing path field where the manifest moved into a subdirectory,
correct stale ref/commit metadata, and update the skills list for the
one strict:false skills-only entry.
- rc, revenuecat: upstream moved the plugin from repo root into
revenuecat/. Add path and bump SHA.
- zilliz: plugin moved from repo root into plugins/zilliz/. Add path
and bump SHA.
- sumup: plugin lives at providers/claude/plugin/ (declared by the
upstream marketplace.json) but our entry never had a path. Add it
and bump SHA.
- mintlify: pure SHA bump. Repo layout unchanged between SHAs; the
upstream remains a marketplace-style repo with no plugin.json, same
as the currently pinned SHA.
- netsuite-suitecloud (strict:false skills entry): bump SHA and add
the four new skill directories upstream added since the last pin.
- 42crunch-api-security-testing: ref said v1.0.1 but the pinned SHA
is actually v1.5.5. Correct the label; the SHA is already current.
- jfrog: commit and sha fields had drifted apart. Set both to
upstream HEAD.
Each new SHA verified to be on the upstream default branch and the
referenced manifest validated with claude plugin validate.
* Revert mintlify and netsuite-suitecloud changes
The validate-plugins check requires a plugin manifest at the pinned SHA
even for strict:false entries. Neither repo has one at any SHA, so a
SHA bump fails CI. Leave them at the existing pin until either the
upstream adds a manifest or the validator learns to honor strict:false.
* chore: modify data-agent-kit-starter-pack plugin details
Updated the description and homepage of the data-agent-kit-starter-pack plugin, and changed the SHA.
* update sha for latest commit
The ServiceNow/sdk repository's default branch is 'master' and there is
no 'main' branch. The pinned SHA (06adf37) is the current head of
'master'. Update the ref so future SHA bumps target the correct branch.
Adds the airtable marketplace entry. Sourced from Airtable/skills at
plugins/airtable, pinned to aaeb4f3e (latest main, tag 2026-05-06).
Bundles the official Airtable MCP server (mcp.airtable.com/mcp) plus
skills for the Airtable data model and filter syntax.
https://claude.ai/code/session_01Vom6RzMA4p6erqGiZxg8yE
Co-authored-by: Claude <noreply@anthropic.com>
Mercado Pago full-product integration toolkit — 13 skills, agents, and a
bundled MCP for live API data. Sourced from
mercadopago/mercadopago-claude-marketplace at plugins/mercadopago, pinned
to 1de8d97e.
Closes#1272https://claude.ai/code/session_01XCupEyAPLqxo2eHgVoWevi
Co-authored-by: Claude <noreply@anthropic.com>
CAP CDS work as one cohesive unit, split out of #1616 to keep that PR
narrowly scoped to sap-hana-cli (which is currently held on an upstream
plugin.json fix).
- Adds new sap-cds-mcp entry alongside existing cds-mcp (additive,
non-breaking — both point to cap-js/mcp-server). Pinned at 8ce2e13a.
- Adds the unified SAP SE author block to existing cds-mcp.
Per the SAP namespace policy agreed with SAP (Tobin 2026-04-29 +
Florian/Klaus/Avital 2026-05-04 email).
Metadata-only refresh per the SAP namespace policy (Florian/Klaus/Avital,
2026-05-04). No slug renames, no new entries.
- sap-mdk-server: expand author from {"name":"SAP"} to the unified
SAP SE block with ospo@sap.com.
- ui5: add unified UI5 author block (openui5@sap.com per Florian's
carve-out for the SAPUI5/OpenUI5 brand).
- ui5-typescript-conversion: same UI5 author block as ui5.
Split out of #1616 to keep that PR scoped to sap-hana-cli only.
MCP server for SAP Fiori development tools — build and modify SAP Fiori
applications with AI assistance. Pinned at d9d4ab7e (latest main of
SAP/open-ux-tools).
