Anthropic dropped a free Claude Code plugin that flags risky code as it's being written. If you're building with AI but can't read code, this is your safety net. Here's what it catches and how to turn it on.
So many people are vibe coding now, building real apps and tools with AI without knowing how to read code. The scary part nobody mentions: if you can't read it, you have no idea whether what you're shipping is safe. You could push something with a serious security hole and never know.
Anthropic's new security-guidance plugin for Claude Code is the fix. It watches the code as Claude writes it and flags the dangerous patterns before they go live, like a security expert looking over your shoulder the whole time. It's free, and once it's on, it just runs.
You install it once inside a Claude Code session, and from then on it runs automatically in the background. There's nothing to remember and no command to trigger.
Run this in Claude Code
/plugin install security-guidance@claude-plugins-official
Good to know
It's free on every Claude plan, and the per-edit checks are simple pattern matches, so they add no extra usage cost. The warnings are scoped to your session, so you only see each one once instead of getting nagged.
The plugin watches for the common ways AI-written code goes wrong. You don't need to understand the technical names, just know it's covering the stuff that actually gets people hacked:
· Command injection — code that could let an attacker run their own commands on your system.
· Unsafe HTML / cross-site scripting — the kind of bug that lets someone inject malicious scripts into your app or site.
· Dangerous Python patterns — things like unsafe eval() and risky data loading that can open a backdoor.
It works in three layers: a quick check on every edit, a deeper review at the end of each turn, and the deepest review when Claude commits code. In Anthropic's own testing, it cut security issues in pull requests by 30 to 40%.
Be clear on one thing: the plugin flags risky code, it doesn't silently rewrite everything for you. But because it flags the problem right there in your session, Claude can fix it on the spot, before it ever ships. That's the whole point: catch it while you're building, not after a stranger finds it.
It's also not a replacement for real security review on anything handling money, passwords, or sensitive customer data. For a hobby app or an MVP, it's a huge safety upgrade. For anything serious, treat it as your first line of defense, not your only one.
Do this
When the plugin flags something, don't just dismiss it. Tell Claude: "Explain this security warning in plain terms and fix it the safest way." You'll learn what the risk was and ship the safer version in the same breath.
The Only AI Masterclass You Need
If this guide helped, but you’re looking to go deeper, I got you!! My 30-Day Challenge takes you from saving AI tips you never use to actually building with AI, step-by-step.
I show you exactly how I automated two e-commerce brands, my social media, and most of my personal life, then hand you the agents, workflows & systems to do the same. I’m teaching you every single thing I know with one lesson and one build a day.
Join the AI Masterclass →© 2026 Mariah Brunner. All rights reserved.