Claude code plugin submission #457
Conversation
No actionable comments were generated in the recent review. 🎉
Recent review info: configuration used: defaults; review profile: CHILL; plan: Pro; 2 files selected for processing, 2 files skipped from review due to trivial changes.
Walkthrough
Adds plugin manifests, documentation, and skill descriptions for "desktop-commander", a Claude Code plugin enabling terminal command execution, process management, and filesystem operations through a local MCP server.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~5 minutes
Pre-merge checks: ✅ 4 passed | ❌ 1 failed (inconclusive)
Actionable comments posted: 4
🧹 Nitpick comments (1)
plugins/cursor/skills/desktop-commander-overview/SKILL.md (1)
56-57: The DOCX offset dual-purpose behavior is confirmed — offset=0 returns the outline, offset>0 returns raw XML with pagination. This is intentional design per the DocxFileHandler implementation (src/utils/files/docx.ts, lines 515–565). The code is clear and the SKILL.md documentation accurately describes the behavior. However, the pattern is genuinely unintuitive: getting XML from the document start requires offset=1 rather than offset=0, which inverts the typical meaning of offset for pagination. Consider adding a concrete example to SKILL.md showing this two-read workflow — first read_file(path="...report.docx") without offset to get the outline, then a specific example like read_file(path="...report.docx", offset=1, length=50) to retrieve the initial XML lines. This makes the mode-switching behavior explicit and reduces user confusion.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@plugins/cursor/skills/desktop-commander-overview/SKILL.md` around lines 56 - 57, Update SKILL.md to include a concrete two-read example demonstrating the DocxFileHandler "offset" mode switch: show calling read_file(path=".../report.docx") (offset defaults to 0) to return the outline, then call read_file(path=".../report.docx", offset=1, length=50) to retrieve the raw XML around the start of the document, and finally use edit_block(file_path, old_string, new_string) to patch the XML; reference the DocxFileHandler behavior (src/utils/files/docx.ts) and the read_file and edit_block symbols so readers can locate the implementation and understand that offset>0 flips the read into XML mode.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude-plugin/marketplace.json:
- Around line 3-6: The owner.email value in this manifest is inconsistent with
the other Claude plugin manifest; update the owner.email field in this file to
the canonical support address used by the other manifest (i.e., make owner.email
identical across both manifests) so that both manifests reference the same
support contact and run manifest validation to confirm the change.
In `@plugins/claude/.claude-plugin/plugin.json`:
- Line 21: Update the "skills" path in the Claude plugin manifest to point to
the actual skills directory: change the "skills" property value in plugin.json
from "./skills/" to "../skills/". Locate the "skills" key in
plugins/claude/.claude-plugin/plugin.json and replace the relative path so it
resolves to plugins/claude/skills/ instead of the non-existent
plugins/claude/.claude-plugin/skills/.
- Around line 24-25: Update the plugin.json args entry to pin the
desktop-commander package to a specific secure version instead of
"@wonderwhy-er/desktop-commander@latest" — e.g., change the string in the "args"
array to "@wonderwhy-er/desktop-commander@0.2.39" (or another vetted version) so
the "command": "npx" invocation installs a deterministic, non-vulnerable
release.
In `@plugins/cursor/.cursor-plugin/plugin.json`:
- Around line 37-38: Replace the dynamic install arg that uses
"@wonderwhy-er/desktop-commander@latest" in plugin.json (the "command"/"args"
entry) with a pinned version string "@wonderwhy-er/desktop-commander@0.2.39";
update the "args" array element accordingly so the installer is deterministic
and supply-chain risk is reduced, and commit the manifest change so the MCP
server install uses 0.2.39 instead of `@latest`.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 139073aa-0740-4a35-b59c-19e1f097250c
📒 Files selected for processing (9)
- .claude-plugin/marketplace.json
- .cursor-plugin/marketplace.json
- plugins/claude/.claude-plugin/plugin.json
- plugins/claude/README.md
- plugins/claude/skills/desktop-commander-overview/SKILL.md
- plugins/cursor/.cursor-plugin/plugin.json
- plugins/cursor/README.md
- plugins/cursor/rules/desktop-commander-default.mdc
- plugins/cursor/skills/desktop-commander-overview/SKILL.md
| "spreadsheet", | ||
| "desktop-commander" | ||
| ], | ||
| "skills": "./skills/", |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python - <<'PY'
import json, os

# Read the plugin manifest and resolve the declared "skills" path two ways:
# relative to the manifest's own directory and relative to the plugin root.
manifest = "plugins/claude/.claude-plugin/plugin.json"
with open(manifest, "r", encoding="utf-8") as f:
    data = json.load(f)
base = os.path.dirname(manifest)
p = data.get("skills")
rel = os.path.normpath(os.path.join(base, p))
parent_rel = os.path.normpath(os.path.join(base, "..", p))
print(f"skills declared={p}")
print(f"exists_if_relative_to_manifest: {rel} -> {os.path.exists(rel)}")
print(f"exists_if_relative_to_plugin_root: {parent_rel} -> {os.path.exists(parent_rel)}")
PY
Repository: wonderwhy-er/DesktopCommanderMCP
Length of output: 245
Fix the skills path in Claude plugin manifest.
The path ./skills/ resolves to plugins/claude/.claude-plugin/skills/ (which does not exist). The actual skills directory is located at plugins/claude/skills/. Change the manifest entry to "../skills/" to correctly reference the skills directory.
| "command": "npx", | ||
| "args": ["-y", "@wonderwhy-er/desktop-commander@latest"] |
🧩 Analysis chain
🌐 Web query:
What is the latest stable published version of npm package "@wonderwhy-er/desktop-commander", and are there any advisories for recent versions?
💡 Result:
The latest stable published version of the npm package "@wonderwhy-er/desktop-commander" is 0.2.39, published on April 23, 2026. There are no official npm security advisories for recent versions. The GitHub repository states "There aren’t any published security advisories". Snyk reports vulnerabilities (command injection and symlink following) affecting versions <0.2.33, which recent versions (0.2.33+) fix. Older CVEs (CVE-2025-11489, CVE-2025-11490, CVE-2025-11491) affect up to 0.2.13. The project acknowledges known security limitations (bypassable restrictions) but prioritizes Docker for isolation over hardened security.
Citations:
- 1: https://registry.npmjs.org/%40wonderwhy-er%2Fdesktop-commander
- 2: https://www.npmjs.com/package/@wonderwhy-er/desktop-commander
- 3: https://www.npmjs.com/~wonderwhy-er
- 4: https://security.snyk.io/package/npm/%40wonderwhy-er%2Fdesktop-commander/0.2.8
- 5: https://github.com/wonderwhy-er/DesktopCommanderMCP/security
- 6: https://app.opencve.io/cve/?vendor=wonderwhy-er
Pin desktop-commander package version to improve security and ensure deterministic installations.
Using @latest installs unpredictable versions on each invocation. Versions prior to 0.2.33 contain known vulnerabilities (command injection and symlink following). Pin to 0.2.39 (the current stable release as of April 2026) or a tested version to prevent silent runtime behavior changes and avoid inadvertently installing vulnerable versions.
Suggested manifest change
- "args": ["-y", "@wonderwhy-er/desktop-commander@latest"]
+ "args": ["-y", "@wonderwhy-er/desktop-commander@0.2.39"]📝 Committable suggestion
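Review bot: the pin in `+ "args": ["-y", "@wonderwhy-er/desktop-commander@0.2.39"]` fixes only the top-level package; `npx -y` still resolves that package's own dependencies at install time rather than from a committed lockfile, and `-y` keeps the install non-interactive, so the launch is deterministic for the server version but not for the full dependency tree. Worth recording in plugins/claude/README.md which release was vetted and, if full reproducibility matters, installing the package once with a committed lockfile and pointing `command` at that install instead of `npx`.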
| "command": "npx", | |
| "args": ["-y", "@wonderwhy-er/desktop-commander@latest"] | |
| "command": "npx", | |
| "args": ["-y", "@wonderwhy-er/desktop-commander@0.2.39"] |
| "command": "npx", | ||
| "args": ["-y", "@wonderwhy-er/desktop-commander@latest"] |
🧩 Analysis chain
🌐 Web query:
What is the latest stable published version of npm package "@wonderwhy-er/desktop-commander", and are there any advisories for recent versions?
💡 Result:
The latest stable published version of the npm package "@wonderwhy-er/desktop-commander" is 0.2.39, published on April 23, 2026. There are no active npm security advisories for recent versions (0.2.33 and above). Older versions (<0.2.33) had vulnerabilities including command injection and symlink following, fixed by upgrading to 0.2.33+. The GitHub security page states "There aren’t any published security advisories." Snyk lists issues only for old versions like 0.2.8. CVEs (CVE-2025-11489, CVE-2025-11490, CVE-2025-11491) affect versions up to 0.2.13. The project acknowledges known security limitations (bypassable restrictions) but recommends Docker for isolation; these are design choices, not active advisories for recent versions.
Citations:
- 1: https://registry.npmjs.org/%40wonderwhy-er%2Fdesktop-commander
- 2: https://www.npmjs.com/package/@wonderwhy-er/desktop-commander
- 3: https://security.snyk.io/package/npm/%40wonderwhy-er%2Fdesktop-commander/0.2.8
- 4: https://github.com/wonderwhy-er/DesktopCommanderMCP/security
- 5: https://app.opencve.io/cve/?vendor=wonderwhy-er
Pin an explicit version for the MCP server install command.
Using @latest makes plugin behavior non-reproducible and increases supply-chain risk. Pin version 0.2.39 (current latest, published April 23, 2026) and update intentionally when needed. Recent versions (0.2.33+) have no known security advisories.
Suggested manifest change
- "args": ["-y", "@wonderwhy-er/desktop-commander@latest"]
+ "args": ["-y", "@wonderwhy-er/desktop-commander@0.2.39"]📝 Committable suggestion
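Review bot: this is the same `0.2.39` pin proposed for plugins/claude/.claude-plugin/plugin.json; with the version now hard-coded in two manifests, add a check (or a single shared source for the version in the release process) that both `args` entries carry the same spec, otherwise the Claude and Cursor plugins will drift onto different releases the first time one of them is bumped.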
| "command": "npx", | |
| "args": ["-y", "@wonderwhy-er/desktop-commander@latest"] | |
| "command": "npx", | |
| "args": ["-y", "@wonderwhy-er/desktop-commander@0.2.39"] |
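The skills-path finding on the Claude manifest and the two version-pinning findings above are both mechanical checks, so they can be run as a lint over every manifest in the PR. The script below is an added example written for this review; it is not code from the PR or from the DesktopCommanderMCP project. It assumes only that each manifest is JSON with a top-level "skills" string resolved relative to the manifest's own directory (as the reviewer's script above does) and that MCP server entries are objects carrying "command" and "args" keys somewhere in the tree; the "mcpServers" key and the file layout in the demo are constructed for illustration.

```python
# Added example (not the project's code): lint plugin manifests for the two
# review findings above, a "skills" path that does not resolve and an npx
# install that is not pinned to an exact version.
import json
import os
import re
import tempfile

# Exact semver: MAJOR.MINOR.PATCH with an optional prerelease/build suffix.
# Dist-tags such as "latest" and ranges such as "^1.2.0" do not match.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def split_spec(spec):
    """Split an npm spec into (name, version or None); scoped names keep the leading '@'."""
    body = spec[1:] if spec.startswith("@") else spec
    name, sep, version = body.partition("@")
    if spec.startswith("@"):
        name = "@" + name
    return name, (version if sep else None)


def check_npx_args(args):
    """Findings for one npx argument list. The first non-flag argument is taken
    as the package spec; anything after it belongs to the launched command."""
    positional = [a for a in args if not a.startswith("-")]
    if not positional:
        return ["npx invocation names no package"]
    name, version = split_spec(positional[0])
    if version is None:
        return [f"{name}: no version given, npx will fetch the latest"]
    if not EXACT_VERSION.match(version):
        return [f"{name}@{version}: not an exact version"]
    return []


def walk_commands(node, path="$"):
    """Yield (json_path, obj) for every object in the tree carrying a 'command' key."""
    if isinstance(node, dict):
        if "command" in node:
            yield path, node
        for key, value in node.items():
            yield from walk_commands(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_commands(value, f"{path}[{i}]")


def lint_manifest(manifest_path):
    """Return a list of human-readable findings for one plugin manifest."""
    with open(manifest_path, "r", encoding="utf-8") as f:
        data = json.load(f)
    findings = []
    # "skills" is resolved relative to the manifest's directory, matching the
    # reviewer's script: "./skills/" next to .claude-plugin/plugin.json points
    # into .claude-plugin/, not at the plugin root.
    base = os.path.dirname(os.path.abspath(manifest_path))
    skills = data.get("skills")
    if skills is not None:
        resolved = os.path.normpath(os.path.join(base, skills))
        if not os.path.isdir(resolved):
            findings.append(f"skills: {skills!r} resolves to missing directory {resolved}")
    for where, obj in walk_commands(data):
        if obj.get("command") == "npx":
            for finding in check_npx_args(obj.get("args", [])):
                findings.append(f"{where}: {finding}")
    return findings


def demo():
    """Constructed layout mirroring the review: plugins/claude/.claude-plugin/plugin.json
    beside plugins/claude/skills/. Returns (findings before fix, findings after fix)."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "plugins", "claude")
        os.makedirs(os.path.join(plugin_dir, ".claude-plugin"))
        os.makedirs(os.path.join(plugin_dir, "skills"))
        manifest = os.path.join(plugin_dir, ".claude-plugin", "plugin.json")

        def write(skills_path, spec):
            with open(manifest, "w", encoding="utf-8") as f:
                json.dump({
                    "name": "desktop-commander",
                    "skills": skills_path,
                    "mcpServers": {  # key name is an assumption for the demo
                        "desktop-commander": {"command": "npx", "args": ["-y", spec]}
                    },
                }, f)

        write("./skills/", "@wonderwhy-er/desktop-commander@latest")  # as submitted
        before = lint_manifest(manifest)
        write("../skills/", "@wonderwhy-er/desktop-commander@0.2.39")  # as suggested
        after = lint_manifest(manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", *before, sep="\n  ")
    print("after fix:", after)
```

Running `lint_manifest` over plugins/claude/.claude-plugin/plugin.json and plugins/cursor/.cursor-plugin/plugin.json in CI would catch a reintroduced `@latest` in either manifest, and comparing the two specs it extracts is a cheap way to keep the Claude and Cursor pins in lockstep. The check only treats the first positional npx argument as the package, so flags such as `-y` and arguments passed on to the launched command are ignored.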
Sequence Diagram
This PR registers Desktop Commander as a Claude Code plugin and MCP server with an overview skill, enabling Claude to route terminal, filesystem, document, search, and SSH tasks to a local MCP server on the user's machine.
sequenceDiagram
    participant User
    participant ClaudeCode
    participant Plugin
    participant MCPServer
    participant LocalSystem
    User->>ClaudeCode: Ask for terminal or local file task
    ClaudeCode->>Plugin: Select desktop commander overview skill
    Plugin->>MCPServer: Configure and start MCP server command
    ClaudeCode->>MCPServer: Send tool request for shell or files
    MCPServer->>LocalSystem: Perform terminal and filesystem operations
    MCPServer-->>ClaudeCode: Return operation results
    ClaudeCode-->>User: Show results and follow up actions
Generated by CodeAnt AI
Sequence Diagram
This PR wires a Claude Code plugin to start and use the Desktop Commander MCP server so Claude can run persistent shells, manage processes, access local files, and handle structured documents and SSH workflows.
sequenceDiagram
    participant User
    participant ClaudeCode as Claude Code
    participant Plugin as Desktop Commander plugin
    participant MCP as Desktop Commander MCP server
    participant System as Local system
    User->>ClaudeCode: Request terminal or file task
    ClaudeCode->>Plugin: Route task via Desktop Commander skill
    Plugin->>MCP: Start MCP server command with args
    MCP->>System: Run shell, file, document, or ssh operations
    MCP-->>Plugin: Return structured results
    Plugin-->>ClaudeCode: Provide task outcome
    ClaudeCode-->>User: Present results and next steps
Generated by CodeAnt AI
User description
Summary by CodeRabbit: New Features, Documentation
CodeAnt-AI Description
Add the Desktop Commander plugin for Claude Code
Impact
- ✅ Easier access to local files and terminals
- ✅ Fewer steps for long-running shell and SSH work
- ✅ Clearer guidance for document and data tasks