@jeremylongshore jeremylongshore commented Jan 3, 2026

User description

Summary

Adds 3 MCP services from Claude Code Plugins Marketplace to ZCF's preset list.

New Services

| Service | Description |
| --- | --- |
| project-health-auditor | Analyze code health, complexity, and test coverage gaps |
| design-to-code | Convert Figma designs/screenshots to React/Vue/Svelte |
| conversational-api-debugger | Debug REST APIs using OpenAPI specs and HTTP logs |

Why Add These?

Claude Code Plugins is a marketplace with 258 plugins and 7 MCP servers. These 3 are our most popular:

Changes

  • src/config/mcp-services.ts - Added 3 service configs
  • src/i18n/locales/en/mcp.json - English translations
  • src/i18n/locales/zh-CN/mcp.json - Chinese translations

Testing

All services use the npx -y @claude-code-plugins-plus/[package]@latest pattern, matching existing ZCF services.

Links


PR Type

Enhancement


Description

  • Adds 3 Claude Code Plugins marketplace MCP services
    • project-health-auditor: Code health and coverage analysis
    • design-to-code: Figma/screenshot to component conversion
    • conversational-api-debugger: REST API debugging with OpenAPI
  • Includes English and Chinese translations for all services
  • Services require no API keys and use npx execution pattern


Diagram Walkthrough

```mermaid
flowchart LR
  A["Claude Code Plugins<br/>Marketplace"] -->|"3 new services"| B["MCP Service Configs"]
  B -->|"project-health-auditor"| C["Code Analysis"]
  B -->|"design-to-code"| D["Design Conversion"]
  B -->|"conversational-api-debugger"| E["API Debugging"]
  B -->|"i18n translations"| F["EN & ZH-CN"]
```

File Walkthrough

Relevant files

Enhancement
  mcp-services.ts (src/config/mcp-services.ts) - Add 3 Claude Code Plugins MCP service configs (+47/-0)
    • Added 3 new MCP service configurations from Claude Code Plugins Marketplace
    • Each service configured with npx command and latest package version
    • Added service entries to getMcpServices() function with i18n translations
    • All services marked as requiresApiKey: false

Documentation
  mcp.json (src/i18n/locales/en/mcp.json) - Add English translations for new services (+6/-0)
    • Added English translations for project-health-auditor service
    • Added English translations for design-to-code service
    • Added English translations for conversational-api-debugger service
    • Translations include service names and detailed descriptions

  mcp.json (src/i18n/locales/zh-CN/mcp.json) - Add Chinese translations for new services (+6/-0)
    • Added Chinese translations for project-health-auditor service
    • Added Chinese translations for design-to-code service
    • Added Chinese translations for conversational-api-debugger service
    • Translations include service names and detailed descriptions

Adds 3 MCP services from Claude Code Plugins Marketplace:
- project-health-auditor: Code health, complexity, coverage analysis
- design-to-code: Figma/screenshot to React/Vue/Svelte components
- conversational-api-debugger: REST API debugging with OpenAPI specs

Marketplace: https://claudecodeplugins.io/
Repository: https://github.com/jeremylongshore/claude-code-plugins-plus-skills

Includes English and Chinese translations.
@qodo-free-for-open-source-projects

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴
Supply chain vulnerability

Description: Using npx -y with @latest version automatically installs and executes untrusted
third-party packages without version pinning, allowing potential supply chain attacks
through package updates.
mcp-services.ts [96-117]

Referred Code
    command: 'npx',
    args: ['-y', '@claude-code-plugins-plus/project-health-auditor@latest'],
    env: {},
  },
},
{
  id: 'design-to-code',
  requiresApiKey: false,
  config: {
    type: 'stdio',
    command: 'npx',
    args: ['-y', '@claude-code-plugins-plus/design-to-code@latest'],
    env: {},
  },
},
{
  id: 'conversational-api-debugger',
  requiresApiKey: false,
  config: {
    type: 'stdio',
    command: 'npx',


 ... (clipped 1 lines)
Ticket Compliance
🟡
🎫 #184
🔴 Enable user to actively accept code changes before execution in Mac terminal CC
  • Provide configuration option to review code changes before accepting them
  • Prevent automatic code updates without user review
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
External Package Execution: The services execute external npm packages using npx -y @claude-code-plugins-plus/*@latest
without validation of package integrity or version pinning, which could introduce supply
chain security risks.

Referred Code: the same mcp-services.ts snippet quoted under Security Compliance above.


Compliance status legend
  • 🟢 - Fully Compliant
  • 🟡 - Partially Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label

@qodo-free-for-open-source-projects

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
High-level
Pin external service versions for security

Instead of using @latest, pin the versions of the external packages executed via
npx. This prevents security vulnerabilities and breaking changes from unvetted
updates.

Examples:

src/config/mcp-services.ts [97]
      args: ['-y', '@claude-code-plugins-plus/project-health-auditor@latest'],
src/config/mcp-services.ts [107]
      args: ['-y', '@claude-code-plugins-plus/design-to-code@latest'],

Solution Walkthrough:

Before:

const MCP_SERVICE_CONFIGS: McpServiceConfig[] = [
  // ...
  {
    id: 'project-health-auditor',
    requiresApiKey: false,
    config: {
      type: 'stdio',
      command: 'npx',
      args: ['-y', '@claude-code-plugins-plus/project-health-auditor@latest'],
      env: {},
    },
  },
  // ... other services using @latest
];

After:

const MCP_SERVICE_CONFIGS: McpServiceConfig[] = [
  // ...
  {
    id: 'project-health-auditor',
    requiresApiKey: false,
    config: {
      type: 'stdio',
      command: 'npx',
      args: ['-y', '@claude-code-plugins-plus/project-health-auditor@X.Y.Z'], // Pinned to a specific version (X.Y.Z stands for the chosen exact version)
      env: {},
    },
  },
  // ... other services using pinned versions
];
Suggestion importance [1-10]: 10

Why: This suggestion correctly identifies a critical security and stability risk in using @latest with npx, which could execute unvetted remote code, and recommends the best practice of pinning versions.

Impact: High
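As an added example (not ZCF's code and not part of the bot's suggestion), the check below walks service configs in the shape shown in mcp-services.ts and reports every npx package spec that is not pinned to one exact version, which covers both the Security Compliance finding and the pinning suggestion above. The type name McpServiceConfig is taken from the suggestion; splitSpec, auditServices, the sample entries and the version 1.2.3 are constructed here and are placeholders, not real releases.

```typescript
// Added example, not ZCF's own code: lint MCP service configs of the shape
// used in mcp-services.ts and report npx package specs that are not pinned
// to one exact version (e.g. "@latest", a dist-tag, a range, or no version).
type McpServiceConfig = {
  id: string;
  requiresApiKey: boolean;
  config: { type: string; command: string; args: string[]; env: Record<string, string> };
};

type Finding = { id: string; spec: string; reason: string };

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease and build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Split "name@version" or "@scope/name@version" into name and version.
// A leading "@" belongs to the scope, so only an "@" after position 0 counts.
function splitSpec(spec: string): { name: string; version: string | null } {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

function auditServices(services: McpServiceConfig[]): Finding[] {
  const findings: Finding[] = [];
  for (const s of services) {
    if (s.config.command !== "npx") continue;
    // The package spec is the first argument that is not an npx flag such as "-y".
    const spec = s.config.args.find((a) => !a.startsWith("-"));
    if (spec === undefined) continue;
    const { version } = splitSpec(spec);
    if (version === null) {
      findings.push({ id: s.id, spec, reason: "no version given; npx resolves the latest tag" });
    } else if (!EXACT_SEMVER.test(version)) {
      findings.push({ id: s.id, spec, reason: `'${version}' is a dist-tag or range, not an exact version` });
    }
  }
  return findings;
}

// Constructed sample in the PR's config shape; 1.2.3 is a placeholder, not a real release.
const SAMPLE_SERVICES: McpServiceConfig[] = [
  { id: "project-health-auditor", requiresApiKey: false, config: { type: "stdio", command: "npx",
      args: ["-y", "@claude-code-plugins-plus/project-health-auditor@latest"], env: {} } },
  { id: "design-to-code", requiresApiKey: false, config: { type: "stdio", command: "npx",
      args: ["-y", "@claude-code-plugins-plus/design-to-code@1.2.3"], env: {} } },
  { id: "example-range", requiresApiKey: false, config: { type: "stdio", command: "npx",
      args: ["-y", "example-tool@^2.0.0"], env: {} } },
];
for (const f of auditServices(SAMPLE_SERVICES)) console.log(`${f.id}: ${f.spec} -> ${f.reason}`);
```

Pinning an exact version narrows the exposure window to updates but does not check what npm actually downloads; integrity verification needs a lockfile carrying integrity hashes alongside the pinned version.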

codecov bot commented Jan 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
