Introducing Plutonium

Over the past months we launched ClaudeSec for the Anthropic ecosystem and copilotsec.ai for the Microsoft one. Each closed the same gap in its own corner of the market: AI capabilities are shipping faster than the practical security guidance around them, and the practitioners adopting these tools are largely left to evaluate third-party risk on their own. The response to both was substantial – the feedback from the security community told us this was knowledge people had been looking for.

But practitioners don’t live in one ecosystem. The same team that runs Claude Code is also evaluating Copilot Studio agents, piloting Codex, and wiring up Gemini CLI. Splitting that knowledge across separate sites mirrors a problem we kept hearing about: AI security knowledge is fragmented, and there’s no single place to reason about third-party risk across every assistant a team actually uses.

Today we’re launching Plutonium to bring it all into one place.

What Plutonium is

Plutonium is a free, vendor-neutral security hub for the entire AI assistant ecosystem. It consolidates everything we’ve built so far – connector and extension risk catalogs, hands-on security guides, and curated security news – under one roof, and extends it across vendors rather than a single one.

ClaudeSec and copilotsec.ai become the Anthropic and Microsoft surfaces within Plutonium. Coverage of additional ecosystems, including OpenAI’s Codex and Google’s Gemini CLI, is rolling out next. Every rating and recommendation is grounded in hands-on research against the live platform, with reproducible methodology.

The through-line across all of them is the question we’ve been asking since ClaudeSec: before you let a third-party add-on run inside your assistant, do you actually understand what it can read, what it can do, and where your data goes?

The new piece: Pluto Market-Space

The catalogs answer that question *after* an add-on exists – you look something up, read its risk rating, and decide. Market-Space flips the model. It’s a curated marketplace where the add-ons are vetted before they’re listed, so the default is trustworthy rather than buyer-beware.

The third-party AI ecosystem has the same supply-chain exposure as any other package ecosystem, with a sharper edge: these add-ons don’t just run code, they run inside an agent that has access to your data, your credentials, and your systems. A malicious or careless extension isn’t a dependency with a CVE – it’s a participant in your agent’s decisions. Market-Space exists to take that evaluation burden off the individual practitioner and put a vetting layer in front of it.

What makes an add-on eligible for Market-Space

Every add-on we list is reviewed against a consistent set of principles. In plain terms, a safe add-on:

1. Keeps privileges scoped to its purpose. It reads and writes only what its stated job needs. A deployment tool reads its own deploy token, not your cloud credentials or SSH keys. Safe tools don’t reach into unrelated credential stores.
2. Behaves reproducibly. What you review is what runs. It doesn’t fetch instructions, prompts, or configuration from a remote URL at execution time – which would let its behavior change after you’ve approved it.
3. Is inspectable and documented. Bundled scripts explain what they do and invite inspection. The red flag is the opposite: “run this exactly as-is, don’t read or modify it.”
4. Installs through named packages, not pipe-to-shell. It uses standard package managers with pinned versions, not `curl … | sh` or `eval` on downloaded content.
5. Stays off system and configuration files. It doesn’t quietly edit your agent’s settings, enable permission-bypass or auto-approve behavior, or write persistent memory and config that survives an uninstall.
6. Gates destructive actions. No unattended deletes, table drops, or force-pushes. Anything destructive asks the user first.
7. Keeps data with the named vendor. Outbound traffic goes to the tool’s own service, not to unbranded or single-developer domains, and there’s no silent telemetry of your environment variables or files.
8. Treats external content as untrusted. It tells the agent that fetched web pages and tool output are data, not instructions – basic prompt-injection hygiene.

An add-on that meets the bar gets listed. One that doesn’t, doesn’t – and where the failure is instructive, it often shows up in the risk catalogs as a worked example of what to avoid.

What’s on the site today

• Cross-ecosystem risk catalogs. The ClaudeSec and copilotsec.ai catalogs, now reachable from one place, with capability matrices, risk ratings, and source-code findings where they matter. Codex and Gemini CLI coverage is next.
• Pluto Market-Space. The curated, vetted add-on marketplace described above.
• Security guides. Our hands-on deployment and hardening guides across ecosystems.
• Security news. A curated feed of vulnerabilities, advisories, and platform changes that matter for the teams running these assistants.

Where we go from here

Plutonium is the umbrella our ecosystem-specific work now lives under. The roadmap: more ecosystems in the catalogs, a growing Market-Space, and continued hands-on research feeding both. We’ll keep operating the main Pluto Security blog for cross-ecosystem research.

Subscribe and get involved

If you build or operate AI assistant deployments and want new analyses, guides, and vetted add-ons as we publish them, subscribe at plutonium.pluto.security

If you have questions about a specific deployment scenario, want to discuss our findings in more detail, or have an add-on you’d like us to vet, reach out at contact@pluto.security.