Claude Code Plugins From .zip and URLs: Distribution Just Got Frictionless
Week 19 of Claude Code (v2.1.128–v2.1.136) lets you load plugins directly from a .zip archive or a URL. Combined with worktree.baseRef and auto-mode hard-deny rules, distribution and safety took a step up together.
Until Week 19 of 2026, Claude Code plugins lived in directories. You cloned a repo, pointed --plugin-dir at it, and used what was there. Convenient for hacking, awkward for distributing. As of v2.1.128 and onward, you can load plugins from .zip archives and URLs in one command.
Combined with worktree.baseRef, auto-mode hard-deny rules, and effort-level visibility for hooks, Week 19 is a small release that quietly improves both ergonomics and safety.
Key Takeaways
- --plugin-dir now accepts .zip files in addition to directories.
- --plugin-url <URL> fetches a plugin archive for the current session, no local clone required.
- worktree.baseRef chooses whether new worktrees branch from the remote default or local HEAD.
- Auto mode hard-deny rules block actions unconditionally, regardless of allow exceptions — the right primitive for permanent guardrails.
- Hooks can now see the active effort level via effort.level and the $CLAUDE_EFFORT environment variable.
- The release window is v2.1.128 through v2.1.136, shipped May 4–8, 2026.
Why .zip and URL Loading Matters
The friction points with the old directory-only model:
- Sharing a plugin meant sharing a repo URL plus instructions to git clone and --plugin-dir.
- Per-session plugins (e.g., a security-review plugin you want for one PR review) required permanent local state.
- CI pipelines had to clone plugin repos as part of their setup.
- Versioning was implicit (whatever was at HEAD).
.zip and URL loading remove all four. A plugin becomes a single artifact. You can publish it to S3, GitHub Releases, a private CDN, or anywhere a GET works.
# Load a zipped plugin from disk
claude --plugin-dir ./our-team-stack.zip
# Load a plugin from a URL for this session only
claude --plugin-url https://team.dev/plugins/security-review-v3.zip
# Load multiple plugins
claude --plugin-dir ./local-plugin.zip --plugin-url https://team.dev/plugins/onboarding.zip
The fetch is session-scoped by default. Restart Claude Code and the plugin is gone — exactly what you want for one-off use.
How the Archive Is Structured
A .zip plugin contains what a plugin directory would: plugin.json at the root, agents/, skills/, commands/, hooks/, and any supporting files. Claude Code extracts to a session-scoped temp directory and loads it like a normal plugin.
our-team-stack.zip
├── plugin.json
├── skills/
│   ├── deploy/
│   │   └── SKILL.md
│   └── lint-strict/
│       └── SKILL.md
├── commands/
│   └── ship.md
└── hooks/
    └── pre-commit.json
Nothing about the plugin format itself changed. The packaging did.
Distribution Patterns That Suddenly Work
A few patterns that the change unlocks:
- Versioned plugin releases. Tag a release on GitHub, upload a .zip to the release assets, share the URL. Users pin to a version explicitly.
- Per-team starter packs. Engineering, support, and ops teams can each have a single URL that loads their team's full skill/command set.
- Time-boxed audits. A consultant or external reviewer gets a URL for the audit duration. Session ends, plugin disappears.
- CI-only plugins. Your CI pipeline loads a special plugin for that one CI job and nothing persists locally.
We expect ClawHub and similar plugin marketplaces to start publishing zipped artifacts as the primary distribution unit. The directory model continues to work; the archive model becomes the default.
Trust and Verification
Loading code from a URL deserves a note. Three things to keep in mind:
- Use HTTPS only. Claude Code requires it for --plugin-url.
- Plugins loaded from a URL run with your permissions. They are not sandboxed in any special way. Trust the source the same way you would a pip install from a URL.
- Auto mode hard-deny rules complement this. See below.
OpenClaw's plugin artifact verification approach (signed artifacts, content hash checks) is what the broader ecosystem is moving toward. Claude Code does not enforce signing in v2.1.136, but the architecture is ready for it.
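Because signing is not enforced, a content hash check has to happen on your side before the archive is loaded. The following is an added example, not Claude Code's or OpenClaw's own code: it verifies a downloaded plugin .zip against a SHA-256 pinned out of band, rejects path-traversal and symlink members, and confirms plugin.json sits at the archive root. The names verify_plugin_archive, PluginRejected and make_sample_zip, and the sample archives built with them, are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import json
import zipfile
from pathlib import PurePosixPath


class PluginRejected(Exception):
    """Raised when an archive fails a pre-load check (hypothetical name)."""


def verify_plugin_archive(data: bytes, pinned_sha256: str) -> dict:
    """Return the parsed plugin.json if the archive passes every check."""
    # 1. Content hash: compare with the digest published out of band.
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        raise PluginRejected(f"sha256 mismatch: got {digest}")

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = PurePosixPath(name).parts
            # 2. No absolute paths, drive letters, backslashes or ".." segments.
            if name.startswith("/") or "\\" in name or ":" in name or ".." in parts:
                raise PluginRejected(f"unsafe member path: {name!r}")
            # 3. No symlinks (the Unix mode lives in the high 16 bits).
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                raise PluginRejected(f"symlink member: {name!r}")
        # 4. The layout described on this page puts plugin.json at the root.
        if "plugin.json" not in zf.namelist():
            raise PluginRejected("plugin.json missing from archive root")
        try:
            return json.loads(zf.read("plugin.json"))
        except json.JSONDecodeError as exc:
            raise PluginRejected(f"plugin.json is not valid JSON: {exc}") from exc


def make_sample_zip(members: dict) -> bytes:
    """Build a constructed in-memory archive for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

After a successful check, write the verified bytes to disk and load that file with claude --plugin-dir, so the archive that was checked is the one that gets loaded.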
Auto Mode Hard-Deny Rules
A parallel Week 19 change: auto-mode (the classifier that handles permission prompts) now supports hard-deny rules. These block actions unconditionally, regardless of any allow exceptions.
{
  "auto": {
    "hardDeny": [
      "Bash(rm -rf /*)",
      "Bash(git push --force origin main)",
      "Bash(curl * | sh)"
    ]
  }
}
A hard-deny rule wins over any allow. Even if a plugin's hook tries to authorize an action, hard-deny refuses it.
This is the right primitive for guardrails you genuinely never want crossed — destructive shell commands, secret leakage paths, anything where the cost of allowing it once is too high.
worktree.baseRef
A small but useful change for teams that run worktree-heavy workflows. New worktrees can now branch from either the remote default (e.g., origin/main) or the local HEAD.
{
  "worktree": {
    "baseRef": "origin/main" // or "HEAD"
  }
}
Most teams should set this to origin/main to ensure new worktrees start from a clean shared base. Solo developers may prefer HEAD to branch from whatever they were just working on.
Hooks See Effort Level
The last Week 19 ergonomic improvement: hooks can read the active effort level.
# In a hook script
if [ "$CLAUDE_EFFORT" = "xhigh" ]; then
  echo "Running extended verification for xhigh effort..."
  ./run-full-test-suite.sh
fi
Or in JSON-defined hooks, the effort.level field is exposed in the hook context. This lets hooks scale their behaviour to the user's stated effort — e.g., run more tests at higher effort, run faster checks at low.
This pairs naturally with the Claude Opus 4.7 and xhigh effort changes from Week 16.
Practical Migration Tips
If you maintain or distribute Claude Code plugins, three actions for this week:
- Add a release-zip build step. A simple GitHub Action that zips your plugin directory and uploads to the release works. Users get a stable URL per version.
- Document a URL-based install. Tell users claude --plugin-url <release-url> instead of git clone + --plugin-dir.
- Audit your hard-deny rules. Anything you would not want a misbehaving plugin to do should be in hardDeny, rather than left for the auto classifier to spot.
Bringing It Back Together
Plugin distribution went from "clone this repo and set a flag" to "paste this URL." That sounds small. In practice it is the difference between a plugin ecosystem that engineers can casually try and one that requires a setup ritual. Combined with hard-deny rules and effort-aware hooks, Week 19 is a quiet upgrade that pays off every time you onboard a new tool.
For where this fits in the broader 2026 agent story, see OpenClaw vs Hermes vs Claude Code.
Sources
- Claude Code "What's New" — https://code.claude.com/docs/en/whats-new
- Claude Code Week 19 digest — https://code.claude.com/docs/en/whats-new/2026-w19
- Claude Code releases — https://github.com/anthropics/claude-code/releases
- Related: Claude Opus 4.7 in Claude Code
- Related: Claude Code /ultrareview Public Preview
- Related: Claude Code Plugin Development