Lesson 7.2 — Evaluating and Using Existing Extensions

Off-the-shelf first, and the four reasons to build CORE

The default posture a Module 7 student should hold — and, more importantly, should keep holding through Lesson 7.5 — is: if a working off-the-shelf extension does the job I need, I install it rather than write my own.

There are four reasons this is the right default, even in a course whose job is teaching you to author extensions:

Authoring has compounding maintenance cost. Every custom skill you write is a line item on a list you will later have to keep current. Descriptions drift. Underlying models change. Tooling changes. If the off-the-shelf option exists and is maintained, someone else absorbs that cost on your behalf.
Off-the-shelf options often beat your first draft on description-tuning. A well-written third-party skill has had many triggers tested and refined by the author. Your first skill is, almost by definition, undertuned. In Lesson 7.3 you will learn why this matters; for now, trust that a good community skill is usually a more reliable tool than a good first-effort custom one.
Evaluation skill is itself the Module 7 capability you need longest. You will evaluate dozens of off-the-shelf extensions across your life. You will author, at most, a handful. The higher-leverage skill is knowing how to tell a good extension from a bad one at install time — the audit you learn this lesson.
The register does not care where a row came from. A row in the register owes its keep-or-retire decision to the same questions whether you authored the extension or installed it. Investing in audit discipline pays off on both sides of the register.

Against all of that, there are exactly four conditions under which you should author your own. The off-the-shelf-first heuristic flips — and only then — when any of the following is true:

No off-the-shelf option exists for the shape you care about. You searched, you asked, and nothing does what you need. (This is rarer than students expect.)
Every available off-the-shelf option fails the audit. The five audit questions (below) cannot all be answered satisfactorily, or they are answered in ways that violate the Module 6 rule.
Your need is materially more specific than the generic versions. The available extensions are aimed at a broader audience, and your workflow depends on a specificity the generic versions cannot match without authoring the thin layer yourself.
You are building it for pedagogical reasons. Lesson 7.3 is this reason — you will author a skill even if an off-the-shelf option would do, because the authoring itself is the learning objective. Outside the course, this is not usually a reason to build.

If none of the four conditions applies, install, do not author. A student who reflexively authors when an off-the-shelf option would serve is a student who will have twenty-five skills in nine months, twelve of them half-finished.

The minimum viable audit: five questions CORE

Before any extension enters the register — installed or declined — you run the audit. The five questions are deliberately plain. They exist to force you to consult the documentation, the manifest, and the source rather than inferring from the name or the reviews.

Q1 — What does it do? A one- or two-sentence description of the job the extension is meant to perform. Write it in your own words, not copy-pasted from the marketing blurb. If you cannot write it in your own words after reading the documentation, the documentation is too vague or the extension tries to do too many things. Either is a reason to be suspicious.

Q2 — What tools does it grant the agent? An extension is installed to make the agent more capable. Every new capability is a new thing the agent can do without asking you. Read the manifest and the permission list. Write down the tool set in plain language: “this skill grants the agent the ability to read the user’s calendar and create draft events; it does not grant send, post, or auto-accept capabilities.” If the manifest does not enumerate tools, treat that as the same red flag you would treat from a browser extension that cannot tell you what sites it runs on.

Q3 — What data can it read? Read is not the same as write. An extension that reads your entire Gmail archive but never sends is a privacy question, not a safety question. An extension that reads your entire local filesystem is a privacy and credential question because API keys often live in files. Name the data sources plainly: “local folder ~/projects/,” “Gmail labels agent-access and inbox,” “any page the user visits in Chrome.” If the data scope is “unbounded” or “whatever the user grants in session,” treat that as a flag to install more narrowly if the tool supports scoping, or to decline if it does not.

Q4 — What can it send, post, or write? This is the Module 6 audience question applied to install-time. An extension that drafts is in scope. An extension that sends email, posts to channels, RSVPs to events, or otherwise puts text in front of a second human is where the module expects friction. Three acceptable answers:

“It only drafts and writes to files I control.” Install.
“It can send, but has a drafts-only mode I can enable.” Install with drafts-only. Record the setting in the register.
“It can send and cannot be limited to drafts.” Decline or document a conscious override (below) with a short review date.

There is no acceptable fourth answer. An extension that auto-sends without a mode you can configure and that you install anyway — without documenting why — is the carve-out the module refuses to allow. You are not banned from ever installing such an extension in real life; you are banned from installing one without writing down, in the register, that you are consciously doing it.

Q5 — How does it handle credentials? Credentials are the quiet failure surface of the extension layer. The question has three parts:

Where are the credentials stored? An OS-level keychain / keyring is good. A .env file in the home directory is tolerable if you know it is there. A field in a config file readable by any process is bad.
What is their scope? A token granted for “read Calendar” is different from a token granted for “read, write, delete, share Calendar.” Prefer least-privilege tokens. Most OAuth providers let you see the requested scopes at grant time; read them.
Are they shared across extensions? A plugin that reuses the same OAuth grant another plugin is already using saves the student a click but creates a wider-blast-radius credential. Prefer per-extension credentials where the tool allows it.

If the documentation does not answer the credential question, ask it directly of the author (many extensions have a support channel) or open the source and find the auth section. If neither is possible, decline.

Audit answers live in the register

Every answer you produced in Q1–Q5 goes into the relevant register row in the audit block. This matters for two reasons. First, future-you will re-audit this extension in 90 days and will want the starting point. Second, if a new version of the extension changes any of the five answers, you have a baseline to diff against. “The audit answers used to be these; now they are these; that is a permission-expansion I did not approve” is the exact thought the register is designed to surface.

Reading a manifest, a description, and a changelog CORE

All three artifacts live in the extension. All three are short. All three are read by students who know what they are looking for and skipped by students who do not. Three signals each.

The manifest. (In Cowork plugins, the file at the root that names the plugin; in a Claude Code skill, the SKILL.md frontmatter; in an MCP connector, the server’s config.)

Is the version number current? A plugin whose manifest says v0.1 and whose last commit is eight months old is not abandoned per se, but it is not maintained either. Add a “likely stale” note to the register and reduce the next-review date.
Are tools and permissions enumerated? If the manifest lists what the extension can do, it has thought about it. If the manifest says nothing about tools and the extension still runs, the author is offloading that thought to you.
Is the author identifiable? A named author with a contact surface (GitHub, website, support email) is a better counterparty than anonymous. Anonymous can still be fine — many open-source projects are anonymous — but it changes the risk budget for what you install.

The description. The field the agent reads to decide whether to trigger the skill. Read it as the agent would:

Is it specific about inputs and outputs? “Summarizes long documents” is vague. “Summarizes documents longer than 2,000 words into a 5-bullet executive summary with a key-quote callout” is specific. The second one is more likely to fire reliably and less likely to misfire.
Does it list triggering phrases? A good description often names the phrases the agent should listen for: “Use when the user asks for a research sweep, source triangulation, or competitive landscape.” This is the author telling you — and the model — exactly when this skill is the right tool.
Is it honest about what it does not do? The best skill descriptions include a short exclusion: “Do not use for informal summaries, single-article reads, or conversational chitchat.” If the description overclaims — “handles all research needs” — expect misfires.

The changelog. The history of what the extension has done over time:

Is it current? A changelog that stops in 2024 is a tell.
Do changes enlarge or narrow the permission surface? A changelog entry that adds a new outbound capability between versions is an important thing to notice. If you approved v1.2 on the basis of an audit, v1.5 may not merit the same approval; the changelog is how you find out.
Does the author respond to issues? A changelog that shows quick turnaround on bugs — even bugs the author did not introduce — is a signal of care. A changelog with nothing but feature bumps and no bug fixes is unusual (every non-trivial extension has bugs) and worth noticing.

The outbound decision matrix CORE

Many off-the-shelf extensions offer outbound capabilities. This is not a flaw of the ecosystem; outbound is genuinely useful, and many responsible authors build it. The Module 7 posture on outbound, carried forward from Module 6, is a five-way decision:

Option A — Install with a clean audit. The extension only drafts, writes to files you control, or delivers to you. No outbound. No decision to make. Install.

Option B — Install with drafts-only mode enabled. The extension could send, but has a mode you can set at install time that limits it to drafting. Record the setting in the register (“installed with send_enabled: false”). Revisit the setting in the hygiene ritual — a later version might silently change the default.

Option C — Install with send disabled via platform. The extension does not support a drafts-only mode, but the platform does — the underlying email provider, calendar system, or similar has a permission scope that lets you grant read-and-draft without send. Prefer this to Option D. Record the scope you granted.

Option D — Decline. The extension cannot be narrowed to drafts-only at any layer — extension or platform — and you are unwilling to grant send. Write a two-sentence rationale in the register: “Declined because the extension requires send permission and has no drafts-only mode; same capability is available from [alternative] with a narrower permission.”

Option E — Conscious override. The extension can only run with send enabled, no narrower path exists, and you have a specific reason to proceed. This is an intentional exception to the audience-only-you rule and therefore requires extra care. Write in the register: (a) why you are making the exception, (b) what specifically the extension may send and to whom, (c) a next-review date no more than 30 days out (not 90 — send-capable extensions get a tighter review cadence), and (d) the condition under which you will reverse the decision. A conscious override without all four fields is not a conscious override; it is a carve-out dressed up as one.

Across a Module 7 student’s register, a healthy mix has most rows at Option A or B, a small number at C, a steady stream at D (declines are a common and healthy outcome), and at most one at E. A register with three or more conscious overrides is drifting; the hygiene ritual in Lesson 7.5 surfaces that drift.

Figure 7.2The outbound decision matrix as a five-way flow. If the audit surfaces no outbound at all (Option A), install. Otherwise, walk the three decisions in order: drafts-only mode → platform-scoped permission → specific time-bound reason. Each yes branches to an install posture (B, C, E). The final no is Option D — decline, with a two-sentence rationale that keeps you from re-auditing the same extension in eight weeks.

Installing a plugin, installing a skill RECIPE

Tool	Claude desktop app — Cowork tab's plugin marketplace; Claude Code CLI ~/.claude/skills/; MCP connector settings UIs
Last verified	2026-04-18
Next review	2026-07-18
Supported OSes	Cowork tab plugins: macOS, Windows. CLI skills: macOS, Linux, Windows.

Short recipe pointers. The full step-by-step lives in the Recipe Book entries installing-a-cowork-plugin.md and installing-a-claude-code-skill.md.

Installing a Cowork plugin. From the Cowork plugin search surface, find the plugin you want, read its description and listed permissions before clicking install, note the version number, and install. Plugins install with whatever permissions they request; if a prompt appears asking for new permissions, treat it as a fresh audit point. Once installed, open the plugin’s listing in Cowork’s settings and verify the enabled capabilities match what the manifest said. Copy the manifest’s version string into the register row. Set a next-review date.

Installing a Claude Code skill. If the skill is distributed as a folder, clone or download it to ~/.claude/skills/<skill-name>/ for user-scope or <project>/.claude/skills/<skill-name>/ for project-scope. If the skill is distributed inside a plugin you are adding to a Claude Code project, clone the plugin repo and follow its README — the skill is already in the plugin’s skills/ folder. Open the SKILL.md, read the frontmatter (name + description are the important fields), and read at least the first screen of the body so you have a mental picture of what the skill does. Run a small test invocation before you treat the skill as live. Add the row to the register.

Installing an MCP connector. Install once, wire once, verify in a quick test that the connector exposes the verbs its docs promised. Record the verbs in the register row under what tools does it grant. MCPs frequently require OAuth or API-key setup; do this in the same sitting, not later — an MCP that is “installed but not authenticated” is a row in the register that cannot pass its own audit, and it confuses future-you.

Install invariant

In all three cases: install, run a short smoke test, record in the register, set a review date. A plugin you cannot smoke-test is a plugin you should not leave installed.

Try it — Audit four extensions and fill four register rows CORE

two deliverables · open the audit worksheet →

Part 1 — Pick four candidates. Choose four extensions that look plausibly useful for the work you actually do. Two constraints:

At least two of the four should be plugins (Cowork plugin marketplace), and at least one of the four should be a Claude Code skill distributed as a folder. The fourth can be either, or an MCP connector.
Pick at least one that offers some outbound capability (drafting + send, posting, RSVPing, or similar). The outbound decision matrix is not a rail if you never encounter the case.

Candidates you have already seen in Modules 3–6 are fair game (a search-augmented skill, a calendar-reader MCP, a commit-message-helper plugin, etc.). Candidates that sound interesting but are unfamiliar are also fair game; being uncertain is part of what the audit is for.

Part 2 — Run the audit on each. Open /resources/module-07/minimum-viable-audit.md and fill in one copy per candidate. All five questions, in your own words, with evidence cited from the manifest / description / changelog / documentation. Each candidate should be a short, bounded read; if you are stuck on one for a long time, the documentation is likely insufficient and that alone is a reason to lean toward decline.

Part 3 — Decide install or decline, write the rationale. For each candidate, decide one of: install (Option A or B), install with platform-scoped permissions (C), decline (D), or conscious override (E). Write the two-sentence rationale. Decline is a healthy outcome — a register with two declines and two installs is better than a register where you forced yourself to install four.

Part 4 — Fill the register rows. Copy each audit into a register row in /capstone/extension-register-v1-draft.md. Use the row template from /resources/module-07/extension-register-row-template.md. A declined extension still gets a row; its keep-or-retire column says “declined” and its rationale is the short text from Part 3. Declines are valuable register data because they prevent you from re-evaluating the same extension in two months without remembering why you passed the first time.

The register for declines

Students sometimes ask, “why write a row for an extension I am not installing?” Two reasons. First, you will encounter this extension again — in a newsletter, a Reddit thread, a classmate’s recommendation — and you will save yourself a second audit if past-you left a two-sentence note. Second, a row for each declined extension is how you notice patterns in what you are consistently rejecting (“I keep declining extensions that require Gmail send permission without drafts-only mode” — that is a useful pattern to notice).

Deliverables. Four completed audit worksheets in /resources/module-07/your-audits/, four rows filled in /capstone/extension-register-v1-draft.md (at least two kept, at least two declined, each with a two-sentence rationale), and — if the audits changed your thinking — an updated Extension Posture section in my-first-loop.md.

Done with the hands-on?

When the recipe steps and any activity above are complete, mark this stage to unlock the assessment, reflection, and project checkpoint.

Key concepts

Off-the-shelf first. When a working, well-maintained third-party extension does the job, prefer it. Author only when one of the four flip conditions applies.
Minimum viable audit: five questions — what it does, what tools it grants, what data it reads, what it sends, how it handles credentials. No row enters the register without answers.
Outbound is a five-way decision. Install with a clean audit (A), install with drafts-only (B), install with platform-scoped permissions (C), decline (D), or conscious override (E) — reserved for rare, time-bound cases and documented with a 30-day review.
Manifest + description + changelog. Read all three. The version number, the enumerated permissions, the author contact, the outbound-related changelog entries — these are the signals that tell you whether the extension is maintained and whether it has grown since you last approved it.
Evaluation is the long-horizon skill. You will author a few extensions over the next year and evaluate dozens. The audit is the capability you lean on longest.

Quick check

Four questions. Tap a question to reveal the answer and the reasoning.

Q1. The off-the-shelf-first heuristic says to prefer installing an existing extension over authoring one when:

A The existing extension is free.
B A working, well-maintained extension does the job and none of the four flip conditions apply.
C You do not know how to author a skill yet.
D The extension has more than a thousand users.

Show explanation

Answer: B. A is irrelevant — cost is not one of the audit questions. C is backwards — authoring is the long-term skill; you should learn it and prefer off-the-shelf most of the time. D is a weak proxy for maintenance; adoption numbers tell you little about whether the extension is right for your work.

Q2. Which of the following is the strongest signal that an installed extension has drifted since your original audit?

A The UI icon changed.
B The author released a new blog post.
C A changelog entry in the latest version enlarged the permission or outbound surface without a corresponding update from you.
D The extension has been used many times.

Show explanation

Answer: C. A permission expansion in a version bump is exactly the event the audit is designed to catch. A is cosmetic. B can be useful context but is not a drift signal. D is a usage signal, not a drift signal. The quarterly hygiene ritual in Lesson 7.5 surfaces Option-C-style drift directly.

Q3. You install a Cowork plugin that can post to Slack. It has a post_enabled: true default and a configurable post_enabled: false mode. You are using it for personal note-taking and do not want any posts to go out. The right move is:

A Install with defaults, trust yourself to notice if anything goes out.
B Install with post_enabled: false, record that setting in the register, and revisit in the hygiene ritual.
C Install with defaults and plan to uninstall if anything goes wrong.
D Decline the install because the default is too permissive.

Show explanation

Answer: B. This is textbook Option B of the outbound decision matrix. A and C are carve-outs; the whole point of recording the drafts-only-or-post-off setting in the register is so future-you can verify the setting is still in force. D is defensible but more conservative than necessary; an extension with a clear off-switch and good documentation is a reasonable install with the switch flipped.

Q4. A candidate extension’s audit surfaces this: credentials are stored in ~/.config/<extension>/auth.json as plaintext, world-readable. The rest of the audit passes. What should you do?

A Install; the rest of the audit is fine.
B Install and open an issue with the author pointing out the credential-handling problem.
C Decline. Plaintext, world-readable credentials on disk is a credential-handling failure that one audit pass cannot outweigh.
D Install and chmod the file yourself.

Show explanation

Answer: C. The credential question is not a fifth question that the other four can compensate for; it is a gate. B is the right move after declining, not instead of declining — the author may fix it and you can re-evaluate in a future version. D is fragile and puts you on the maintenance hook for a bug that is not yours; the next version of the extension may overwrite your chmod. A clean pass on Q5 is not optional.

Reflection prompt

Which of the four surprised you?

In 4–6 sentences, in your journal or my-first-loop.md: Which of your four candidates surprised you the most — either because you expected to install it and ended up declining, or the reverse? Was the surprising answer driven by a specific audit question, or by the weight of the evidence across all five? What did you learn about your own install reflexes that you did not know before running the audit?

The reflection is aimed at making the audit become a habit rather than a worksheet. A student who internalizes it runs a one-minute mental version of the five questions any time they see a tempting new extension in the wild.

Project checkpoint

Four audits, four register rows, an Extension Posture that reflects what you learned.

By the end of this lesson, you should have:

1. Four completed minimum viable audit worksheets (one per candidate) in /resources/module-07/your-audits/.

2. Four rows filled in /capstone/extension-register-v1-draft.md — at least two kept, at least two declined, with a two-sentence rationale on each.

3. Optional-but-encouraged: an updated Extension Posture section in my-first-loop.md if the audits caused you to refine your install-vs-build rule or your active-extensions ceiling.

Do not proceed to Lesson 7.3 until all four rows are in the register. You will not author until the register has already taught you what “a good row” looks like.

Instructor / parent note

The explicit teaching goal of this lesson is the audit as habit, not the four register rows themselves. A student who ticks four rows without internalizing the five questions has missed the lesson; a student who ends up with only three rows because they couldn’t get to a fourth but can run the audit aloud in a minute has nailed it. Watch for the student who wants to skip the decline rows because “those aren’t extensions I’m using.” The declines are where the audit judgment gets encoded and re-used; they are the highest-leverage rows on the register early in the module.

Watch also for the opposite failure: the student who declines all four because each has something imperfect. Perfection is not the bar; the bar is the five questions answered honestly, a reasonable install posture chosen, and the decision written down where future-self can read it. A parent prompt that helps here: “If you had to install one of these today, which would it be, and under what install posture? What would you want to verify in 30 days?” That forces a choice and exposes the student’s actual risk tolerance.

The outbound decision matrix is the first place in Module 7 where the course asks students to treat the audience = only you rule as live infrastructure rather than a slogan. If a student argues for an exception (“but this plugin only posts to my own channel”), the right response is to walk the decision tree with them: is there a drafts-only mode? platform-scoped permission? a specific, time-bound reason with the four fields filled in? If yes, you land on B, C, or E and the row reflects that. If no, you land on D. The tree is the rail; arguing with the tree is usually arguing with your own posture statement in my-first-loop.md.

Next in Module 7

Lesson 7.3 — Building your first custom skill (Claude Code path).

The module’s headline authoring lesson. Pick one candidate from your five-candidate sort, write a SKILL.md with frontmatter + body, and tune the description across three rounds until it fires on the right phrases and stays quiet on the wrong ones. Meet the three failure modes — vague, overfit, triggerless — and the drill that catches them.

Continue to Lesson 7.3 →

Evaluating and using existing extensions.

Read & Understand

Off-the-shelf first, and the four reasons to build CORE

The minimum viable audit: five questions CORE

Audit answers live in the register

Reading a manifest, a description, and a changelog CORE

The outbound decision matrix CORE

Try & Build

Installing a plugin, installing a skill RECIPE

Try it — Audit four extensions and fill four register rows CORE

Done with the hands-on?

Check & Reflect

Quick check

Reflection prompt

Which of the four surprised you?

Project checkpoint

Four audits, four register rows, an Extension Posture that reflects what you learned.

Lesson 7.3 — Building your first custom skill (Claude Code path).