![Claude Code Superpowers Plugin Complete Guide [2026-May]: Standardizing Engineering with the Officially-Listed Plugin](/images/columns/superpowers-claude-code-plugin/cover.png)
Hello, this is Ryuta Hamamoto from TIMEWELL.
A few milestones I had been watching landed back-to-back for Superpowers. On January 15, 2026 it was added to the official Anthropic Claude Code plugin marketplace, and on April 30, 2026 Anthropic shipped Claude Opus 4.7 alongside the public beta of Claude Security[^1][^3][^4]. In early May, Anthropic also announced a new family of AI agents tailored to financial services, with Goldman Sachs and Blackstone named as launch partners[^6][^7].
The state of Claude Code in 2026-May looks like this:
- Model side: Opus 4.7 made long-running autonomous execution and cost efficiency another step better.
- Security side: Anthropic's own Claude Security started covering vulnerability detection and remediation on AI-generated code.
- Plugin side: Superpowers landed in the official marketplace, giving enterprises a credible "drop-in standard."
With those three arriving together, Superpowers is no longer just a productivity hack for individual developers. I think it has shifted into the de-facto plugin you use to put Claude Code on the rails inside an organization. This guide rewrites the original article on that basis.
What Superpowers Is in 2026-May
Superpowers is an open-source Claude Code plugin maintained by former Anthropic engineer Jesse Vincent (GitHub handle obra)[^2]. It packages more than 14 SKILL.md files — Markdown instruction sets — into a coherent framework that forces Claude into a disciplined development process.
Three things are worth highlighting:
- The plugin is a bundle of "instruction books for AI," not application code.
- A meta-skill is auto-injected at the start of every Claude session, so Claude must look up a relevant skill before acting.
- It enforces a five-phase discipline on the AI: clarify, design, plan, code, verify.
| Category | Main skills |
|---|---|
| Testing | test-driven-development |
| Debugging | systematic-debugging, verification-before-completion |
| Design and planning | brainstorming, writing-plans, executing-plans |
| Implementation and integration | subagent-driven-development, using-git-worktrees, finishing-a-development-branch, dispatching-parallel-agents |
| Review | requesting-code-review, receiving-code-review |
| Meta | writing-skills, using-superpowers |
GitHub stars sit around 57,000 as of early May 2026, which keeps Superpowers as one of the largest community-led plugins in the Claude Code ecosystem[^2]. The design philosophy of pinning AI behavior to flowcharts and hard rules is, at least for now, the explanation that holds up best for why enterprise practitioners keep adopting it.
Interested in leveraging AI?
Download our service materials. Feel free to reach out for a consultation.
What Changed When Superpowers Joined the Official Marketplace (2026-01-15)
The arrival of the official Claude Code Plugin Marketplace, with Superpowers listed on day one, changed three things on the ground[^1].
First, installation got shorter. The previous path of adding the obra/superpowers-marketplace by hand created friction with procurement and security review inside companies. Going through the official marketplace removes that step because Anthropic handles signing and origin verification.
Second, the bar for internal sign-off dropped. The simple fact that "this plugin lives on the official Anthropic marketplace" is now a useful talking point with IT and legal teams. Companies that could not get past a "random GitHub plugin" review now have a path forward.
Third, expectations of Superpowers themselves shifted from "individual productivity tool" to "organizational runtime." Anthropic itself is now shipping financial-services-specific agents, signaling that more enterprises are putting Claude Code on critical workflows[^6][^7]. Superpowers is being re-evaluated as the layer that unifies how every engineer in those organizations writes code.
In the earlier version of this article I framed Superpowers as a "framework that restores discipline." For 2026-May I think it is more accurate to call it the install base for standardizing Claude Code across an engineering organization.
The 14 Agentic Skills and the Five-Phase Discipline (clarify, design, plan, code, verify)
You can map the Superpowers skills onto five phases. The flow between phases is best read as "phase A or phase B," not as a hard pipeline; only the diagrams inside code blocks use arrow notation.
| Phase | Main skills | Purpose |
|---|---|---|
| clarify | brainstorming, using-superpowers | Force the AI to ask questions about requirements and constraints |
| design | brainstorming, writing-skills | Surface 2-3 design options and their trade-offs in writing |
| plan | writing-plans, executing-plans | Break work into 2-5 minute tasks |
| code | subagent-driven-development, dispatching-parallel-agents, using-git-worktrees | One sub-agent per task |
| verify | requesting-code-review, receiving-code-review, verification-before-completion, test-driven-development, systematic-debugging | Two-stage review covering spec compliance and code quality |
The mechanism that makes this work is that each skill ships its instructions to Claude as a GraphViz flowchart. The brainstorming skill, for example, looks like this:
digraph brainstorming {
"Explore project context" -> "Ask clarifying questions";
"Ask clarifying questions" -> "Propose 2-3 approaches";
"Propose 2-3 approaches" -> "Present design sections";
"Present design sections" -> "User approves design?";
"User approves design?" -> "Present design sections" [label="no, revise"];
"User approves design?" -> "Write design doc" [label="yes"];
"Write design doc" -> "Invoke writing-plans skill";
}
The branch that holds back code generation until the user approves the design is encoded explicitly. According to Vincent, expressing the rule discretely as nodes and edges raises Claude's compliance more reliably than writing "please implement only after approval" as prose[^2].
Vincent has also documented the "description trap." If you put a workflow summary into a SKILL.md description field, Claude often acts on the summary alone and ignores the body[^2]. Superpowers gets around this by reserving the description for a "Use when ..." trigger and pushing all logic into the flowchart. The same rule of thumb is useful when designing internal skills or slash commands — I covered that in the Claude Code Skills 4.5 complete guide as well.
Installation in Claude Code now looks like this (via the official marketplace):
/plugin marketplace add anthropic
/plugin install superpowers
The legacy obra/superpowers-marketplace path still works, but for enterprise rollouts I would default to the official marketplace because it lines up better with procurement and audit needs[^1][^2].
Combining Superpowers with Opus 4.7 and Claude Security
The April 30, 2026 launches of Claude Opus 4.7 and the Claude Security public beta both feed directly into how you should run Superpowers[^3][^4].
Opus 4.7 is Anthropic's flagship for Claude Code, tuned for long-running autonomous execution and cost efficiency, complementing Sonnet 4.7[^3]. Because Superpowers runs many TDD and review iterations against the same files in a single session, Opus 4.7's improved context handling and per-call economics show up in practical use.
Claude Security, also in public beta from the same day, is a vulnerability layer designed for AI-generated code[^4]. SecurityWeek frames it as Anthropic's own answer to the surge in AI-powered exploits, with SAST-like detection and remediation suggestions wired into the Claude Code experience[^4].
My current recommended stack is:
- Design and implementation discipline: Superpowers (5 phases plus 14 skills).
- Security discipline: Claude Security (vulnerability detection, remediation, dependency checks).
- Default model: Opus 4.7, with Sonnet 4.7 reserved for lighter tasks.
- Secrets and environment variables: keep them out of Superpowers' scope and use Claude Code hooks plus environment isolation instead.
In other words, Superpowers is the discipline engine for the development process, and Claude Security is the discipline engine for code quality. Distributing both as part of the same organizational standard makes Claude Code much easier to put into production engineering. McKinsey's "State of AI trust in 2026" makes the same point: trust in the agentic era requires governance and security as a paired investment[^5].
Enterprise Pitfalls and Countermeasures (Permission Bloat, TDD Enforcement, Human Approval, Review Cost)
Superpowers is powerful, but rolling it into an enterprise as-is causes problems. Across WARP engagements I have seen four pitfalls again and again.
First, permission bloat. Some skills assume bash execution, git worktree operations, and file deletion. Rolling them out company-wide without comparing them against IT policy creates a real risk of unintended operations against production repositories. I think it is safer to scope which skills are permitted per business unit and bind hooks and permission scopes from the Claude Code side.
Second, TDD enforcement quietly turning into a guideline. The test-driven-development skill ships an "iron rule" that you may not write production code without a failing test first. Teams under delivery pressure tend to want to soften that, but doing so reverts to AI-driven implementation with no quality floor. It is better to either keep the iron rule literally enforced or remove it explicitly than to leave it as a soft expectation.
Third, skipping the human approval gates. The clarify and design phases exist so humans can agree on the requirements and direction. Letting the AI reviewer agents sign off on those internally usually means the implementation runs on a wrong premise, and the verify phase ends up doing massive rework. Keeping a senior engineer in the loop on at least design and verify is, in my view, the more realistic operating model.
Fourth, controlling review-loop cost. The subagent-driven-development skill spins up a fresh sub-agent per task, so defaulting to Opus 4.7 makes inference cost run hotter than expected. You will want a per-model policy that caps task size and routes light edits to Sonnet 4.7. I covered the team-level shape of this in the Claude Code agent teams operations guide.
The same care applies on the security side. Claude Security's beta is useful, but you have to decide up front whether findings block merges or stay as warnings. Otherwise you end up with a notification graveyard that nobody reads. The Anthropic Claude Security public beta implementation guide lays out the operating patterns I recommend, and it pairs naturally with Superpowers planning.
Building an "Organizational Standard" Superpowers Operation with WARP
To pull the threads together: in 2026-May, Superpowers is becoming the de-facto standard plugin you use when you want to put Claude Code on the rails inside an engineering organization. But just installing and distributing it does not deliver the outcome. You only get both quality and speed once you have designed permission scopes per business unit, decided which of the five phases keep human approval, divided responsibility with Claude Security, and set a per-model cost policy across Opus 4.7 and Sonnet 4.7.
TIMEWELL's AI implementation consulting service WARP evaluates Claude Code, Superpowers, and Claude Security together and designs an "organizational-standard Superpowers operation" that fits your repository structure and IT requirements. Concretely, we help with:
- Auditing existing repositories and development flows (permissions, TDD enforcement, review structure).
- Distributing Superpowers via the official marketplace and writing internal usage guidelines.
- Designing per-model cost and responsibility allocation across Opus 4.7, Sonnet 4.7, and Claude Security.
- Documenting the operating model that keeps human approvers on the clarify, design, and verify phases.
- Running half-day or full-day Superpowers workshops for your engineering team.
We are seeing more cases where companies have already dropped Superpowers in but cannot say who owns it or how far automation should go. We would be glad to spend a 30-minute online session understanding your situation and mapping the next concrete step. You can reach us via the contact form, and the full overview of the service lives on the WARP page.
TIMEWELL Co., Ltd. — Ryuta Hamamoto
[^1]: Anthropic, "Claude Code Plugin Marketplace - Superpowers." https://claude.com/plugins/superpowers [^2]: Jesse Vincent, "obra/superpowers" GitHub repository. https://github.com/obra/superpowers [^3]: Anthropic, "Introducing Claude Opus 4.7" (2026-04-30). https://www.anthropic.com/news/claude-opus-4-7 [^4]: SecurityWeek, "Anthropic Unveils Claude Security to Counter AI-Powered Exploit Surge" (2026-04-30). https://www.securityweek.com/anthropic-unveils-claude-security-to-counter-ai-powered-exploit-surge/ [^5]: McKinsey & Company, "State of AI trust in 2026: Shifting to the agentic era." https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/state-of-ai-trust-in-2026-shifting-to-the-agentic-era [^6]: PYMNTS, "Anthropic Targets Financial Services Space With New AI Agents" (2026-05-04). https://www.pymnts.com/news/artificial-intelligence/2026/anthropic-targets-financial-services-space-with-new-ai-agents/ [^7]: PYMNTS, same article — Goldman Sachs and Blackstone partnership notes (2026-05-05). https://www.pymnts.com/news/artificial-intelligence/2026/anthropic-targets-financial-services-space-with-new-ai-agents/ [^8]: Builder.io, MindStudio, and Geeky Gadgets explainer articles on Superpowers (2025-2026, used as tertiary references).