Anthropic updates Claude Code with security-guidance plugin and higher usage limits
Anthropic has updated Claude Code with a new security-guidance plugin that reviews code changes for risky patterns while developers work. The plugin is designed to warn about common vulnerabilities before code reaches a pull request, making security checks part of the coding session instead of a separate review step.
The new plugin can be installed from Anthropic’s official marketplace using Claude Code. Anthropic’s security-guidance documentation says the plugin reviews Claude’s own code changes and helps fix issues in the same session.
The update also arrives after Anthropic increased Claude Code usage limits following a new compute partnership with SpaceX. The company said in its SpaceX compute announcement that five-hour Claude Code rate limits doubled for Pro, Max, Team, and seat-based Enterprise plans.
What the new security plugin does
The security-guidance plugin checks Claude Code’s edits at multiple points in the development workflow. It can run quick pattern checks during file edits, review changes at the end of a turn, and perform deeper checks when Claude makes a commit or push through its Bash tool.
Anthropic’s Security Guidance plugin page describes it as an Anthropic-verified Claude Code plugin that warns about command injection, XSS, unsafe deserialization, and other unsafe code patterns while editing files.
The goal is not to replace a full security program. It gives developers a faster early warning system inside the same tool they already use to write and modify code.
| Feature | What it does | Why it matters |
|---|---|---|
| Per-edit checks | Scans new file content for risky code patterns | Flags obvious issues quickly during coding |
| End-of-turn review | Reviews the git diff created during the session | Catches broader issues after Claude finishes a coding step |
| Commit and push review | Runs a deeper background review when Claude commits or pushes | Looks at surrounding code to reduce false positives |
| Custom rules | Lets teams add project-specific guidance and patterns | Helps match the plugin to internal security standards |
Which issues it can flag
The plugin looks for risky coding patterns that often lead to real vulnerabilities. These include unsafe dynamic code execution, shell command injection, unsafe DOM usage, GitHub Actions workflow risks, and Python pickle deserialization.
Anthropic says the plugin can warn developers before vulnerable code reaches pull requests. That makes it useful for teams that already use code review but want fewer basic security mistakes to reach the review stage.
The broader Claude Code security documentation also explains that Claude Code uses a permission-based model, asks for approval before sensitive actions, and encourages users to review suggested code and commands before approving them.
- Unsafe use of eval or new Function
- Use of child_process.exec in Node.js
- Python os.system calls
- Python pickle deserialization risks
- Use of innerHTML or dangerouslySetInnerHTML
- Potential GitHub Actions workflow injection risks
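A minimal sketch of a per-edit pattern check over the patterns listed above, added here as an illustration. It is not the plugin's code; the rule ids, regexes, advice strings and sample inputs are all constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed rules mirroring the list above; the plugin's real rule set is not shown here.
# The workflow rule only sees single-line `run:` steps; multi-line blocks need a YAML parser.
RULES = [
    ("dynamic-eval", {".js", ".ts", ".py"}, r"\beval\s*\(|\bnew\s+Function\s*\(",
     "do not evaluate strings as code; parse data instead"),
    ("node-exec", {".js", ".ts"}, r"\bchild_process\.exec(Sync)?\s*\(",
     "use execFile/spawn with an argument array, no shell"),
    ("os-system", {".py"}, r"\bos\.system\s*\(",
     "use subprocess.run([...]) with a list and shell=False"),
    ("pickle-load", {".py"}, r"\bpickle\.loads?\s*\(",
     "never unpickle untrusted bytes; use JSON or a schema format"),
    ("unsafe-dom", {".js", ".ts", ".jsx", ".tsx"},
     r"\.innerHTML\s*=|dangerouslySetInnerHTML",
     "use textContent or sanitize the HTML first"),
    ("gha-injection", {".yml", ".yaml"}, r"\brun:.*\$\{\{\s*github\.(event|head_ref)",
     "pass the value through env: and quote it in the script"),
]
COMPILED = [(rid, exts, re.compile(rx), fix) for rid, exts, rx, fix in RULES]

def scan(path, text):
    """Return (line_number, rule_id, advice) for each risky line in new file content."""
    ext = PurePosixPath(path).suffix
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(("#", "//")):  # skip comment-only lines
            continue
        for rid, exts, rx, fix in COMPILED:
            if ext in exts and rx.search(line):
                findings.append((no, rid, fix))
    return findings

# Constructed sample inputs: each pairs a risky line with its safer form.
SAMPLE_PY = """import os, pickle, subprocess
# os.system("ls")  (commented out, ignored)
os.system("ping " + host)
subprocess.run(["ping", host])
data = pickle.loads(blob)
"""
SAMPLE_WORKFLOW = """steps:
  - run: echo "${{ github.event.issue.title }}"
  - run: echo "$TITLE"
    env:
      TITLE: ${{ github.event.issue.title }}
"""

if __name__ == "__main__":
    for name, text in (("app.py", SAMPLE_PY), (".github/workflows/ci.yml", SAMPLE_WORKFLOW)):
        for no, rid, fix in scan(name, text):
            print(f"{name}:{no}: {rid}: {fix}")
```

Line-level regexes like these are fast but context-blind, which is why a diff-level or commit-level review is still needed to confirm or dismiss each hit.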
How to install the plugin
Developers can install the plugin inside Claude Code with the command listed in Anthropic’s documentation. The command is not `/plugins`; the documented install command uses `/plugin install` followed by the plugin name and marketplace.
Anthropic’s security-guidance documentation says users should run `/plugin install security-guidance@claude-plugins-official`. If the official marketplace is not found, users can add it first and then reload plugins.
Once installed, the plugin runs automatically. Developers do not need to manually launch a scan after every edit, although they can still use other review tools for deeper checks.
| Step | Command or action |
|---|---|
| Install plugin | `/plugin install security-guidance@claude-plugins-official` |
| Add marketplace if needed | `/plugin marketplace add anthropics/claude-plugins-official` |
| Activate without restart | `/reload-plugins` |
| Team rollout | Enable through project or managed settings |
How it fits with Claude Code security reviews
The plugin adds an in-session security layer, while Anthropic also offers security review options for pull requests and on-demand checks. That means teams can use the plugin during development and still rely on PR-level review before merging code.
The Claude Code Security Reviewer GitHub repository describes a GitHub Action that reviews code changes for security vulnerabilities and can comment on pull requests with findings.
This layered approach matters because different checks catch different problems. A quick pattern match can catch obvious risky code fast, while a pull request review can inspect a larger context and provide more detailed comments.
Usage limits also increased after SpaceX compute deal
Anthropic also recently raised usage limits for Claude Code. In the SpaceX compute announcement, the company said it doubled Claude Code’s five-hour rate limits for Pro, Max, Team, and seat-based Enterprise plans.
The company also removed peak-hours limit reductions for Pro and Max accounts and increased Claude Opus API rate limits. Anthropic said its SpaceX deal gives it access to more than 300 megawatts of new capacity, equal to more than 220,000 NVIDIA GPUs.
For developers, the practical change is simple: paid users who rely on Claude Code for longer coding sessions should hit limits less often than before, depending on their plan and usage pattern.
| Change | Who it affects |
|---|---|
| Doubled five-hour Claude Code limits | Pro, Max, Team, and seat-based Enterprise plans |
| Peak-hours reduction removed | Pro and Max accounts |
| Higher Opus API rate limits | Claude API users |
| More compute capacity | Claude services backed by Anthropic’s infrastructure expansion |
Why this update matters for developers
Claude Code has become a larger part of developer workflows because it runs in the terminal and can edit files, inspect projects, run commands, and assist with debugging. That also means security checks need to happen closer to the point where code changes are made.
The new plugin pushes security guidance into the same session where code is being written. That can help developers fix simple but dangerous mistakes before they become part of a branch, pull request, or production build.
The Security Guidance plugin page says the plugin works as a pre-tool hook and shows warnings with remediation advice before edits proceed. That gives developers a clear signal without forcing them to open another scanner first.
Security teams should still keep existing checks
Anthropic’s automated security review guidance says these tools should complement existing security practices rather than replace manual code review or other security testing. That warning matters because AI-assisted checks can miss issues or flag safe code as risky.
The Claude Code Security Reviewer project also notes that automated review can analyze pull request changes, reduce false positives, and post comments, but teams still need proper workflow controls and trusted review processes.
For security teams, the strongest use case is layered review. Developers get fast in-session warnings, pull requests get automated security comments, and high-risk code still goes through normal AppSec review.
Bottom line
Anthropic’s latest Claude Code update focuses on two areas developers care about: safer generated code and fewer workflow interruptions. The security-guidance plugin brings vulnerability warnings into active coding sessions, while higher usage limits give paid users more room for longer tasks.
The update also shows how AI coding tools are moving beyond autocomplete. Tools like Claude Code, GitHub Copilot, and Cursor increasingly compete on workflow depth, security support, and reliability inside real development environments.
The Claude Code security documentation still makes one point clear: developers remain responsible for reviewing code and commands before approval. The plugin can help, but secure development still requires human judgment.
FAQ
The security-guidance plugin is an Anthropic-verified Claude Code plugin that warns about risky code patterns while Claude edits files. It can flag issues such as command injection, unsafe DOM usage, unsafe deserialization, and other common vulnerability patterns.
Anthropic’s documentation says users can install it inside Claude Code with `/plugin install security-guidance@claude-plugins-official`. If the marketplace is missing, users can add it first with `/plugin marketplace add anthropics/claude-plugins-official` and then run `/reload-plugins`.
No. Anthropic says automated security reviews should complement existing security practices and manual code reviews. The plugin can catch common problems early, but teams should still use normal AppSec reviews and testing.
Anthropic said it doubled Claude Code’s five-hour limits for Pro, Max, Team, and seat-based Enterprise plans. It also removed peak-hours limit reductions for Pro and Max accounts.
The update gives developers earlier security feedback while they code and gives paid Claude Code users more capacity for longer sessions. It also shows that AI coding tools are competing on security, reliability, and workflow integration, not only code generation.