vskill 0.2.10 → 0.2.12

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Anton Abyzov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,226 +1,259 @@
-# vskill
+<h1 align="center">vskill</h1>
 
-**Secure multi-platform AI skill installer.** Scan before you install.
+<p align="center">
+  <strong>The package manager for AI skills.</strong><br/>
+  Scan. Verify. Install. Across 49 agent platforms.
+</p>
+
+<p align="center">
+  <a href="https://www.npmjs.com/package/vskill"><img src="https://img.shields.io/npm/v/vskill?color=cb3837&logo=npm" alt="npm" /></a>
+  <a href="https://www.npmjs.com/package/vskill"><img src="https://img.shields.io/npm/dw/vskill?color=cb3837&logo=npm&label=downloads" alt="downloads" /></a>
+  <img src="https://img.shields.io/badge/agents-49_platforms-0969DA" alt="49 agents" />
+  <img src="https://img.shields.io/badge/plugins-12-8B5CF6" alt="12 plugins" />
+  <img src="https://img.shields.io/badge/skills-41-10B981" alt="41 skills" />
+  <a href="https://verified-skill.com"><img src="https://img.shields.io/badge/registry-verified--skill.com-F59E0B" alt="registry" /></a>
+  <img src="https://img.shields.io/badge/license-MIT-green" alt="MIT" />
+</p>
+
+<br/>
 
 ```bash
-npx vskill install remotion-dev/skills                           # all skills from a repo
-npx vskill install remotion-dev/skills/remotion-best-practices   # specific skill (3-part)
-npx vskill install remotion-best-practices                       # registry lookup
+npx vskill install remotion-best-practices
 ```
 
-## Claude Code Plugin Marketplace
+<br/>
 
-This repo is a **Claude Code plugin marketplace** — 75 expert skills across 15 domain plugins for frontend, backend, infra, ML, mobile, testing, and more. Install only the plugins you need.
+## The Problem
 
-### Install
+**36.82% of AI skills have security flaws** ([Snyk ToxicSkills](https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/)).
 
-```bash
-# Install a specific plugin (recommended)
-npx vskill install --repo anton-abyzov/vskill --plugin frontend
+When you install a skill today, you're trusting blindly:
 
-# Install multiple plugins
-npx vskill install --repo anton-abyzov/vskill --plugin backend
-npx vskill install --repo anton-abyzov/vskill --plugin testing
+- **No scanning** — malicious prompts execute with full system access
+- **No versioning** — silent updates can inject anything, anytime
+- **No deduplication** — the same skill lives in 3 repos, all diverging
+- **No blocklist** — known-bad skills install just fine
 
-# From a local clone
-git clone https://github.com/anton-abyzov/vskill.git
-npx vskill install --plugin-dir ./vskill --plugin frontend
-```
+vskill fixes all of this.
 
-### Prefix
+<br/>
 
-Each plugin has its own namespace. Skills are invoked as `plugin:skill`:
+## How It Works
 
 ```
-/frontend:nextjs
-/backend:nodejs
-/ml:rag
-/testing:e2e
-/skills:scout
+  ┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐
+  │  Source   │────>│   Scan   │────>│  Verify  │────>│ Install  │
+  │          │     │          │     │          │     │          │
+  │ GitHub   │     │ 38 rules │     │ LLM      │     │ Pin SHA  │
+  │ Registry │     │ Blocklist│     │ analysis │     │ Lock ver │
+  │ Local    │     │ Patterns │     │ Intent   │     │ Symlink  │
+  └──────────┘     └──────────┘     └──────────┘     └──────────┘
 ```
 
-When installed as **standalone skills** (without the plugin), no prefix:
+Every install goes through the security pipeline. No exceptions. No `--skip-scan`.
 
-```
-/nextjs
-/nodejs
-/rag
+<br/>
+
+## Quick Start
+
+```bash
+# Install from any GitHub repo
+npx vskill install remotion-dev/skills/remotion-best-practices
+
+# Install by name (registry lookup)
+npx vskill install remotion-best-practices
+
+# Browse a repo and pick interactively
+npx vskill install remotion-dev/skills
+
+# Install a plugin (Claude Code)
+npx vskill install --repo anton-abyzov/vskill --plugin frontend
 ```
 
-### Plugins (15) & Skills (75)
+Or install globally: `npm install -g vskill`
 
-| Plugin | Skills |
-|--------|--------|
-| frontend | `frontend-core`, `architect`, `design`, `design-system`, `nextjs`, `figma`, `code-explorer`, `i18n` |
-| backend | `nodejs`, `python`, `dotnet`, `go`, `rust`, `java-spring`, `graphql`, `db-optimizer` |
-| infra | `terraform`, `aws`, `azure`, `gcp`, `github-actions`, `devops`, `devsecops`, `secrets`, `observability`, `opentelemetry` |
-| mobile | `react-native`, `expo`, `flutter`, `swiftui`, `jetpack`, `capacitor`, `deep-linking`, `testing`, `appstore` |
-| ml | `engineer`, `mlops`, `data-scientist`, `fine-tuning`, `rag`, `langchain`, `huggingface`, `edge`, `specialist` |
-| testing | `unit`, `e2e`, `performance`, `accessibility`, `mutation`, `qa` |
-| k8s | `manifests`, `helm`, `gitops`, `security` |
-| payments | `payment-core`, `billing`, `pci` |
-| cost | `cloud-pricing`, `optimization`, `aws` |
-| kafka | `architect`, `ops`, `streams-topology`, `n8n` |
-| confluent | `kafka-connect`, `ksqldb`, `schema-registry` |
-| docs | `docusaurus`, `technical-writing`, `brainstorming` |
-| security | `security-core`, `patterns`, `simplifier` |
-| skills | `scout` |
-| blockchain | `blockchain-core` |
+<br/>
 
-## Why?
+## Three-Tier Verification
 
-- **36.82% of AI skills have security flaws** ([Snyk ToxicSkills](https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/))
-- Zero versioning on major platforms — updates can inject malware silently
-- No pre-install scanning — you're trusting blindly
+| Tier | How | Trust Level |
+|:-----|:----|:------------|
+| **Scanned** | 38 deterministic pattern checks against known attack vectors | Baseline |
+| **Verified** | Pattern scan + LLM-based intent analysis for subtle threats | Recommended |
+| **Certified** | Full manual security review by the vskill team | Highest |
 
-vskill fixes this with **three-tier verification** and **version-pinned trust**.
+Every install is at minimum **Scanned**. The `vskill.lock` file tracks the SHA-256 hash, scan date, and tier for every installed skill. Running `vskill update` diffs against the locked version and re-scans before applying.
 
-## Install Formats
+<br/>
 
-### 1. All skills from a repo
+## 49 Agent Platforms
 
-```bash
-vskill install remotion-dev/skills
-```
+vskill auto-detects your installed agents and installs skills to all of them at once.
 
-Discovers all SKILL.md files in the repo via GitHub Trees API. You'll be prompted to select which skills to install.
+**CLI & Terminal** — Claude Code, Cursor, GitHub Copilot, Windsurf, Codex, Gemini CLI, Amp, Cline, Roo Code, Goose, Aider, Kilo, Devin, OpenHands, Qwen Code, Trae, and more
 
-### 2. Specific skill (3-part format)
+**IDE Extensions** — VS Code, JetBrains, Zed, Neovim, Emacs, Sublime Text, Xcode
 
-```bash
-vskill install remotion-dev/skills/remotion-best-practices
-```
+**Cloud & Hosted** — Replit, Bolt, v0, GPT Pilot, Plandex, Sweep
 
-Installs a single skill directly. The path maps to `owner/repo/skill-name`, where `skill-name` is the directory containing `SKILL.md`.
+<br/>
 
-### 3. Specific skill (flag format)
+## Plugin Marketplace
+
+vskill ships **41 expert skills** organized into **12 domain plugins**. Each plugin has its own namespace — install only what you need.
 
 ```bash
-vskill install remotion-dev/skills --skill remotion-best-practices
+npx vskill install --repo anton-abyzov/vskill --plugin frontend
+npx vskill install --repo anton-abyzov/vskill --plugin infra
 ```
 
-Equivalent to the 3-part format above.
-
-### 4. Registry lookup
+Then invoke as `/plugin:skill` in your agent:
 
-```bash
-vskill install remotion-best-practices
+```
+/frontend:nextjs     /infra:aws        /mobile:flutter
+/ml:rag              /testing:mutation  /security:patterns
 ```
 
-Looks up the skill in the [verified-skill.com](https://verified-skill.com) registry and installs from the mapped source repo.
+### Available Plugins
 
-### 5. Local plugin
+<table>
+<tr>
+<td width="50%" valign="top">
 
-```bash
-vskill install . --plugin-dir . --plugin frontend
-```
+**frontend** — React 19, Next.js, Figma, i18n, design systems
+- `frontend-core` `design` `figma` `i18n` `nextjs`
 
-Installs a plugin from a local directory containing `.claude-plugin/marketplace.json`. The `--plugin` flag selects which sub-plugin to install.
+**backend** — Java Spring Boot, Rust
+- `java-spring` `rust`
 
-### 6. Remote plugin
+**infra** — AWS, Azure, GCP, CI/CD, secrets, observability
+- `aws` `azure` `gcp` `github-actions` `devsecops` `opentelemetry` `secrets`
 
-```bash
-vskill install . --repo anton-abyzov/vskill --plugin frontend
-```
+**mobile** — React Native, Flutter, SwiftUI, Jetpack, app store
+- `react-native` `expo` `flutter` `swiftui` `jetpack` `capacitor` `deep-linking` `testing` `appstore`
+
+**ml** — RAG, LangChain, Hugging Face, fine-tuning, edge ML
+- `rag` `langchain` `huggingface` `fine-tuning` `edge`
+
+**testing** — Performance, accessibility, mutation testing
+- `performance` `accessibility` `mutation`
+
+</td>
+<td width="50%" valign="top">
 
-Clones a GitHub repo and installs a plugin from it. Combines `--repo` with `--plugin` to target a specific sub-plugin.
+**kafka** — Kafka Streams, n8n workflows
+- `streams-topology` `n8n`
 
-> Replace `vskill` with `npx vskill`, `bunx vskill`, `pnpx vskill`, or `yarn dlx vskill` if not installed globally.
+**confluent** — Kafka Connect, ksqlDB, Schema Registry
+- `kafka-connect` `ksqldb` `schema-registry`
 
-## Interactive Prompts
+**payments** — Billing, subscriptions, PCI compliance
+- `billing` `pci`
 
-When run in a terminal, vskill prompts you interactively:
+**security** — Vulnerability pattern detection
+- `patterns`
 
-- **Agent selection** — checkboxes for detected AI agents (pre-checked). Supports 49 agents with scrolling viewport.
-- **Scope** — Project (`./<agent>/commands/`) or Global (`~/.<agent>/commands/`)
-- **Method** — Symlink (default, saves disk) or Copy (for agents that need it)
-- **Skill selection** — when a repo has multiple skills, pick which ones to install
-- **Claude Code native plugin** — when installing a plugin with Claude Code detected, choose native plugin install (recommended) or skill extraction
+**blockchain** — Solidity, Foundry, smart contracts
+- `blockchain-core`
 
-All prompts can be skipped with `--yes` (accept defaults) or controlled via flags (`--global`, `--copy`, `--agent`).
+**skills** — Skill discovery and recommendations
+- `scout`
+
+</td>
+</tr>
+</table>
+
+<br/>
 
 ## Commands
 
-| Command | Description |
-|---------|-------------|
-| `install <source>` | Install skill after security scan (aliases: `add`, `i`) |
-| `find <query>` | Search the registry (alias: `search`) |
-| `scan <path>` | Scan without installing |
-| `list` | Show installed skills with status |
-| `remove <skill>` | Remove an installed skill |
-| `update [skill]` | Update with diff scanning |
-| `submit <source>` | Submit for verification |
-| `audit [path]` | Security audit with LLM analysis |
-| `info <skill>` | Show skill details |
-| `blocklist` | Manage blocked skills |
-| `init` | Initialize vskill in a project |
-
-### Install flags
+```
+vskill install <source>     Install skill after security scan
+vskill find <query>         Search the verified-skill.com registry
+vskill scan <path>          Run security scan without installing
+vskill list                 Show installed skills with status
+vskill remove <skill>       Remove an installed skill
+vskill update [skill]       Update with diff scanning (--all for everything)
+vskill audit [path]         Full project security audit with LLM analysis
+vskill info <skill>         Show detailed skill information
+vskill submit <source>      Submit a skill for verification
+vskill blocklist            Manage blocked malicious skills
+vskill init                 Initialize vskill in a project
+```
+
+<details>
+<summary><strong>Install flags</strong></summary>
 
 | Flag | Description |
-|------|-------------|
-| `--yes` / `-y` | Accept all defaults, no prompts |
-| `--global` / `-g` | Install to global scope |
+|:-----|:------------|
+| `--yes` `-y` | Accept defaults, no prompts |
+| `--global` `-g` | Install to global scope |
 | `--copy` | Copy files instead of symlinking |
-| `--skill <name>` | Select a specific skill from a multi-skill repo |
-| `--plugin <name>` | Select a sub-plugin from a plugin repo |
-| `--plugin-dir <path>` | Use a local directory as plugin source |
-| `--repo <owner/repo>` | Use a remote GitHub repo as plugin source |
-| `--agent <id>` | Target a specific agent (e.g., `--agent cursor`) |
+| `--skill <name>` | Pick a specific skill from a multi-skill repo |
+| `--plugin <name>` | Pick a plugin from a marketplace repo |
+| `--plugin-dir <path>` | Local directory as plugin source |
+| `--repo <owner/repo>` | Remote GitHub repo as plugin source |
+| `--agent <id>` | Target a specific agent (e.g., `cursor`) |
 | `--force` | Install even if blocklisted |
-| `--cwd <path>` | Override project root directory |
+| `--cwd <path>` | Override project root |
+| `--all` | Install all skills from a repo |
 
-## Skills vs Plugins
+</details>
 
-**Skills** are single SKILL.md files that work with any AI agent. They follow the [Agent Skills Standard](https://agentskills.io) — a SKILL.md file is placed in the agent's commands directory (e.g., `.claude/commands/`, `.cursor/commands/`).
+<br/>
 
-**Plugins** are multi-component containers exclusive to Claude Code. A plugin repo has `.claude-plugin/marketplace.json` listing sub-plugins, each containing skills, hooks, commands, and agents. Plugins enable `plugin-name:skill-name` namespacing, enable/disable support, and marketplace integration.
+## Security Audit
 
-## The Skills Duplication Problem
+Scan entire projects for security issues — not just skills:
 
-The skills ecosystem is already fragmented. Skills can be defined in different repos, published through different channels, and there's no single source of truth.
+```bash
+vskill audit                              # scan current directory
+vskill audit --ci --report sarif          # CI-friendly SARIF output
+vskill audit --severity high,critical     # filter by severity
+```
 
-Even Anthropic has the same skill defined in two different places:
+<br/>
 
-- **As a standalone skill**: [`anthropics/skills`](https://github.com/anthropics/skills/blob/main/skills/frontend-design/SKILL.md)
-- **Inside a plugin**: [`anthropics/claude-code`](https://github.com/anthropics/claude-code/blob/main/plugins/frontend-design/skills/frontend-design/SKILL.md)
+## Skills vs Plugins
 
-Same `frontend-design` skill, two repos. One is used by installing it as a standalone skill, the other comes bundled in a plugin. If you install both, you get duplicates. If they diverge, you get inconsistencies.
+**Skills** are single `SKILL.md` files that work with any of the 49 supported agents. They follow the [Agent Skills Standard](https://agentskills.io) — drop a `SKILL.md` into the agent's commands directory.
 
-This is one of the reasons vskill exists — to give you a single install path with version pinning and deduplication, regardless of where the skill is published.
+**Plugins** are multi-component containers for Claude Code. They bundle skills, hooks, commands, and agents under a single namespace with enable/disable support and marketplace integration.
 
-## Claude Code Native Plugin Install
+<br/>
 
-When vskill detects a plugin repo and Claude Code is among your selected agents, it offers **native plugin install**:
+## Why Deduplication Matters
 
-1. vskill runs its security scan first (always)
-2. Registers the plugin directory as a marketplace: `claude plugin marketplace add <path>`
-3. Installs the plugin natively: `claude plugin install <plugin>@<marketplace>`
+Even Anthropic ships the same skill in two places:
 
-**Benefits**: `marketplace:plugin-name` namespacing, `claude plugin enable/disable`, marketplace management.
+- [`anthropics/skills/frontend-design`](https://github.com/anthropics/skills/blob/main/skills/frontend-design/SKILL.md) (standalone)
+- [`anthropics/claude-code/.../frontend-design`](https://github.com/anthropics/claude-code/blob/main/plugins/frontend-design/skills/frontend-design/SKILL.md) (plugin)
 
-Native install is available for local plugins (`--plugin-dir`) only. Remote plugins (`--repo`) fall back to skill extraction. Use `--copy` to skip native install and extract skills individually.
+Install both? Duplicates. They diverge? Inconsistencies. vskill gives you one install path with version pinning and dedup, regardless of source.
 
-## 49 Agent Platforms
+<br/>
 
-Works across Claude Code, Cursor, GitHub Copilot, Windsurf, Codex, Gemini CLI, Cline, Amp, Roo Code, and 40 more — including universal agents (VS Code, JetBrains, Zed, Neovim, Emacs, Sublime Text, Xcode).
+## Registry
 
-## Three-Tier Verification
+Browse and search verified skills at **[verified-skill.com](https://verified-skill.com)**.
 
-| Tier | Method | Badge |
-|------|--------|-------|
-| **Scanned** | 38 deterministic pattern checks | Basic Trust |
-| **Verified** | Scanner + LLM intent analysis | Recommended |
-| **Certified** | Full manual security review | Highest Trust |
+```bash
+vskill find "react native"          # search from CLI
+vskill info remotion-best-practices # skill details
+```
 
-## Version Pinning
+<br/>
 
-Every install creates a `vskill.lock` with SHA, scan date, and tier. Updates run diff scanning — new patterns flagged before install.
+## Contributing
 
-## Registry
+Submit your skill for verification:
+
+```bash
+vskill submit your-org/your-repo/your-skill
+```
 
-Browse verified skills at [verified-skill.com](https://verified-skill.com).
+<br/>
 
 ## License
 
-MIT
+[MIT](LICENSE)

package/dist/commands/add.js

@@ -1,7 +1,7 @@
 // ---------------------------------------------------------------------------
 // vskill install -- install a skill from GitHub or local plugin directory
 // ---------------------------------------------------------------------------
-import { mkdirSync, mkdtempSync, writeFileSync, readFileSync, existsSync, copyFileSync, statSync, chmodSync, readdirSync, rmSync, } from "node:fs";
+import { mkdirSync, writeFileSync, readFileSync, existsSync, copyFileSync, statSync, chmodSync, readdirSync, rmSync, } from "node:fs";
 import { join, resolve, basename } from "node:path";
 import { createHash } from "node:crypto";
 import { execSync } from "node:child_process";
@@ -159,12 +159,29 @@ async function installMarketplaceRepo(owner, repo, manifestContent, opts, preSel
             console.log(dim(`Auto-selecting all ${plugins.length} plugins (--yes/--all)`));
         }
     }
+    else if (plugins.length === 1) {
+        // Single plugin — skip multi-select, just proceed
+        const p = plugins[0];
+        const isInstalled = installedSet.has(p.name);
+        if (isInstalled) {
+            const prompter = createPrompter();
+            const reinstall = await prompter.promptConfirm(`${bold(p.name)} is already installed. Reinstall?`, true);
+            if (!reinstall) {
+                console.log(dim("Aborted."));
+                return;
+            }
+        }
+        else {
+            console.log(`  ${green("+")} ${bold(p.name)}${p.description ? dim(` — ${p.description}`) : ""}`);
+        }
+        selectedPlugins = plugins;
+    }
     else {
         const prompter = createPrompter();
         const indices = await prompter.promptCheckboxList(plugins.map((p) => ({
             label: p.name + (installedSet.has(p.name) ? dim(" (installed)") : ""),
             description: p.description,
-            checked: preSelected ? preSelected.includes(p.name) : false,
+            checked: preSelected ? preSelected.includes(p.name) : installedSet.has(p.name),
         })), { title: "Select plugins to install" });
         if (indices.length === 0) {
             console.log(dim("No plugins selected. Aborting."));
@@ -174,26 +191,16 @@ async function installMarketplaceRepo(owner, repo, manifestContent, opts, preSel
     }
     // Attempt native Claude Code install
     const hasClaude = !opts.copy && isClaudeCliAvailable();
-    let tmpDir = null;
     let marketplaceRegistered = false;
     if (hasClaude) {
-        // Shallow clone for native install
-        const cloneSpin = spinner(`Cloning ${owner}/${repo}`);
-        try {
-            tmpDir = mkdtempSync(join(os.tmpdir(), "vskill-marketplace-"));
-            execSync(`git clone --depth 1 https://github.com/${owner}/${repo}.git "${tmpDir}"`, { stdio: "ignore", timeout: 60_000 });
-            cloneSpin.stop();
-            // Register marketplace
-            const regSpin = spinner("Registering marketplace with Claude Code");
-            marketplaceRegistered = registerMarketplace(tmpDir);
-            regSpin.stop();
-            if (!marketplaceRegistered) {
-                console.log(yellow("  Failed to register marketplace — will use extraction fallback."));
-            }
-        }
-        catch {
-            cloneSpin.stop();
-            console.log(yellow("  Clone failed — will use extraction fallback."));
+        // Register marketplace via git URL — Claude Code clones to its own
+        // persistent location, avoiding the stale-temp-dir bug.
+        const gitUrl = `https://github.com/${owner}/${repo}`;
+        const regSpin = spinner("Registering marketplace with Claude Code");
+        marketplaceRegistered = registerMarketplace(gitUrl);
+        regSpin.stop();
+        if (!marketplaceRegistered) {
+            console.log(yellow("  Failed to register marketplace — will use extraction fallback."));
         }
     }
     // Install each plugin
@@ -232,13 +239,6 @@ async function installMarketplaceRepo(owner, repo, manifestContent, opts, preSel
             }
         }
     }
-    // Cleanup temp directory
-    if (tmpDir) {
-        try {
-            rmSync(tmpDir, { recursive: true, force: true });
-        }
-        catch { /* ignore */ }
-    }
     // Update lockfile
     const lockForWrite = ensureLockfile(lockDir);
     for (const r of results) {
@@ -354,7 +354,7 @@ function cleanPluginCache(pluginName, marketplace) {
  * - --copy flag is NOT set
  * - User opts in (interactive prompt) OR --yes flag is set
  */
-async function tryNativeClaudeInstall(marketplacePath, marketplaceContent, pluginName, opts) {
+async function tryNativeClaudeInstall(marketplacePath, marketplaceContent, pluginName, opts, gitUrl) {
     if (opts.copy)
         return false;
     if (!isClaudeCliAvailable())
@@ -372,9 +372,10 @@ async function tryNativeClaudeInstall(marketplacePath, marketplaceContent, plugi
         if (choice !== 0)
             return false;
     }
-    // Register marketplace
+    // Register marketplace — prefer git URL (persistent) over local path
+    // (which may be a temp dir that gets deleted after install).
     const regSpin = spinner("Registering marketplace with Claude Code");
-    const registered = registerMarketplace(marketplacePath);
+    const registered = registerMarketplace(gitUrl || marketplacePath);
     if (!registered) {
         regSpin.stop();
         console.log(yellow("  Failed to register marketplace — falling back to extraction."));
@@ -725,7 +726,15 @@ async function installPluginDir(basePath, pluginName, opts) {
     const hasClaude = selectedAgents.some((a) => a.id === "claude-code");
     let claudeNativeSuccess = false;
     if (hasClaude) {
-        claudeNativeSuccess = await tryNativeClaudeInstall(resolve(basePath), mktContent, pluginName, opts);
+        // Try to extract git remote URL for persistent marketplace registration.
+        // Falls back to the local path if the dir is not a git repo.
+        let gitUrl;
+        try {
+            gitUrl = execSync("git remote get-url origin", { cwd: resolve(basePath), stdio: ["pipe", "pipe", "ignore"], timeout: 5_000 })
+                .toString().trim() || undefined;
+        }
+        catch { /* not a git repo or no remote — use local path */ }
+        claudeNativeSuccess = await tryNativeClaudeInstall(resolve(basePath), mktContent, pluginName, opts, gitUrl);
     }
     // Filter Claude Code out of extraction if native install succeeded
     const extractionAgents = claudeNativeSuccess