Extensibility Model: How Claude Code Grows
Claude Code's extensibility is layered: MCP servers for tools and resources, skills for workflows, hooks for lifecycle events, plugins for marketplace distribution, and the bridge for IDE integration. Each layer serves a different audience and trust level.
The Five Extension Points
| Layer | Audience | Trust Level | Mechanism |
|---|---|---|---|
| MCP Servers | Developers, teams | Project-scoped | Protocol-based tool registration (stdio/SSE/WebSocket) |
| Skills | Power users | User-defined | Markdown-defined workflows with tool permissions |
| Hooks | CI/CD, ops | Per-event | Shell commands on 21 lifecycle events |
| Plugins | Community | Marketplace-reviewed | Dependency-resolved packages with auto-update |
| Bridge | IDE vendors | Application-level | v2 WebSocket transport with JWT auth |
MCP as Foundation, Not Layer
Claude Code doesn't overlay MCP — it IS MCP. Every capability including Computer Use runs as a tool call. The MCP client (119K lines) is the most complete implementation in existence. External servers adopt identical patterns: alphabetical tool registration, cache-aware partitioning, three-layer result flow.
The cache partitioning is critical: MCP tools are appended after built-in tools, never interleaved. This preserves the expensive built-in prefix cache. Five active MCP servers can add 55,000+ tokens before the first user message — cache partitioning makes this economically viable.
Skills: Markdown as API
Skills are Markdown files with YAML frontmatter that define reusable workflows. They can specify tool permissions, match patterns (when to activate), and include multi-step instructions. Seven built-in skills ship with Claude Code; users can create custom skills in .claude/commands/.
The disableSkillShellExecution setting (v2.1.91) addresses the security implication: skills could previously execute shell commands inline, enabling malicious skill authors to exfiltrate credentials.
Hooks: The Lifecycle Bus
Hooks cover 21 lifecycle events spanning four phases: pre-tool, post-tool, session events, and notification events. They execute as shell commands and exchange JSON on stdin/stdout. Exit code semantics: 0 = proceed, non-zero = block. Hooks fail open on timeout: if a hook does not finish in time, the action proceeds.
The PreToolUse hook defer return value (v2.1.89+) gives CI/CD operators a clean pause point: hooks can now pause headless sessions when human intervention is needed.
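The exit-code and fail-open-on-timeout semantics described in this section, modelled as an added example (this is not Claude Code's own code). It shows that a policy hook which blocks a credential read when it answers quickly stops protecting anything once it is slower than the timeout. The event field names (tool_name, tool_input, hook_event_name), the "reason" output key, and the run_hook helper are assumptions made for illustration.

```python
import json
import subprocess
import sys

# Constructed policy hook: reads the event JSON on stdin and exits non-zero
# for Bash commands that touch credential files. Field names are assumed.
POLICY = r'''
import json, re, sys
event = json.load(sys.stdin)
cmd = event.get("tool_input", {}).get("command", "")
if event.get("tool_name") == "Bash" and re.search(r"\.env\b|\.aws/credentials|id_rsa", cmd):
    print(json.dumps({"reason": "credential file access"}))  # assumed output shape
    sys.exit(1)
sys.exit(0)
'''
# The same policy behind a slow dependency (for example a remote lookup),
# simulated here with a sleep.
SLOW_POLICY = "import time; time.sleep(5)\n" + POLICY


def run_hook(hook_source, event, timeout_s):
    """Model of the stated semantics: 0 = proceed, non-zero = block, timeout = fail open."""
    try:
        proc = subprocess.run([sys.executable, "-c", hook_source],
                              input=json.dumps(event), text=True,
                              capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "proceed-timeout"  # fail-open: the policy never got a vote
    return "proceed" if proc.returncode == 0 else "block"


# Constructed sample events.
READ_SECRETS = {"hook_event_name": "PreToolUse", "tool_name": "Bash",
                "tool_input": {"command": "cat ~/.aws/credentials"}}
RUN_TESTS = {"hook_event_name": "PreToolUse", "tool_name": "Bash",
             "tool_input": {"command": "pytest -q"}}

if __name__ == "__main__":
    print(run_hook(POLICY, READ_SECRETS, 10))        # block
    print(run_hook(POLICY, RUN_TESTS, 10))           # proceed
    print(run_hook(SLOW_POLICY, READ_SECRETS, 0.5))  # proceed-timeout
```

A hook used as a security control should therefore decide locally and quickly, and its timeouts should be monitored as policy bypasses rather than ignored as noise.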
Channels as MCP Servers
The channel system (peer messaging, notifications) is built on MCP. Servers declare experimental['claude/channel'] capability to act as channels. The entire channel infrastructure reuses MCP's server discovery, connection management, and notification protocol.
Design Tensions
- Security vs. openness — MCP servers can register arbitrary tools, skills can execute shell commands, plugins auto-update from git. Each extension point is also an attack surface.
- Token cost vs. capability — each MCP server's tool definitions consume context tokens on every request. More extensions = higher base cost.
- Startup time vs. freshness — plugin auto-update runs at startup (git pull). Too many plugins slow startup; too infrequent updates leave users on stale versions.
Related Entities
- mcp-integration — the protocol layer
- skill-system — markdown-defined workflows
- hooks-system — lifecycle events
- plugin-system — marketplace and auto-update
- bridge-system — IDE integration
- toolsearch-system — lazy tool loading for large tool pools