Plugins
Prerequisites
- Completed Modules 1-7
- GitHub account
- Understanding of MCP concepts (Module 6)
Learning Objectives
- Understand the Copilot plugin ecosystem
- Explore the GitHub copilot-plugins repository
- Learn about work-iq-mcp and enterprise integrations
- Install and configure plugins
- Understand plugin security considerations
Concepts
What are Copilot Plugins?
Plugins extend Copilot's capabilities beyond built-in features:
┌─────────────────┐
│ Copilot CLI │
├─────────────────┤
│ Built-in Tools │
├─────────────────┤
│ MCP Servers │ ← Module 6
├─────────────────┤
│ Skills │ ← Module 7
├─────────────────┤
│ Plugins │ ← This Module
└─────────────────┘
Plugin vs MCP Server vs Skill
| Feature | Plugin | MCP Server | Skill |
|---|---|---|---|
| Installation | npm/manual | Config file | Directory |
| Scope | Global | Session/project | Project/personal |
| Capabilities | Full integration | Tools/resources | Instructions |
| Distribution | Package registry | Config sharing | Files/git |
Plugin Sources
- github/copilot-plugins - Official GitHub plugins
- microsoft/work-iq-mcp - Enterprise integrations
- Community plugins - Third-party extensions
- Custom plugins - Your own integrations
- Remote sources - GitHub repos and git URLs referenced in
marketplace.json(v0.0.413+)
Hands-On Exercises
Exercise 1: Explore Official Copilot Plugins
Goal: Discover available plugins in the official repository.
Steps:
-
Visit the copilot-plugins repository: github/copilot-plugins
-
Browse the available plugins:
- Database integrations
- Cloud provider tools
- Development utilities
- Team collaboration tools
-
Read plugin documentation for one that interests you.
-
Note the installation requirements and configuration.
-
Clone the repository to explore locally:
git clone https://github.com/github/copilot-plugins.git
cd copilot-plugins
ls -la -
Examine a plugin's structure:
ls -la plugins/example-plugin/
cat plugins/example-plugin/README.md
Expected Outcome: You understand the available plugins and their purposes.
Exercise 2: Explore work-iq-mcp
Goal: Understand enterprise integration options.
Steps:
-
Visit the work-iq-mcp repository: microsoft/work-iq-mcp
-
work-iq-mcp provides integrations for:
- Microsoft 365 (Outlook, Teams, SharePoint)
- Azure services
- Enterprise data sources
- Business applications
-
Review the architecture:
git clone https://github.com/microsoft/work-iq-mcp.git
cd work-iq-mcp
cat README.md -
Examine configuration options:
cat docs/configuration.md -
Understand authentication requirements:
- OAuth2 flows
- Service principals
- Token management
Expected Outcome: You understand enterprise integration capabilities.
Exercise 3: Install a Community Plugin
Goal: Install and configure a third-party plugin.
Steps:
-
Search for Copilot-compatible MCP servers:
npm search @modelcontextprotocol -
Install a useful plugin (e.g., Brave Search):
npm install -g @anthropic/mcp-server-brave-search -
Get a Brave Search API key:
- Visit Brave Search API
- Create an account and get an API key
-
Configure as MCP server:
cat >> ~/.copilot/mcp-config.json << 'EOF'
{
"servers": {
"brave-search": {
"command": "npx",
"args": ["-y", "@anthropic/mcp-server-brave-search"],
"env": {
"BRAVE_API_KEY": "your-api-key-here"
}
}
}
}
EOF -
Restart Copilot and test:
copilotSearch the web for the latest Node.js release
Expected Outcome: Web search capability added via plugin.
Exercise 4: Database Plugin Integration
Goal: Add database query capabilities.
Steps:
-
Install PostgreSQL MCP server:
npm install -g @modelcontextprotocol/server-postgres -
Configure with your database:
{
"servers": {
"postgres": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-postgres"],
"env": {
"POSTGRES_CONNECTION": "postgresql://user:pass@localhost/dbname"
}
}
}
} -
Test database queries:
copilotShow me the schema of the users tableHow many records are in the orders table? -
Security Note: Be careful with production databases!
Expected Outcome: Database query capabilities via Copilot.
Exercise 5: Create a Simple Custom Plugin
The code snippet uses require (CommonJS) but doesn't include module.exports or type definition in package.json. This is fine as CommonJS is the default. The npm install @modelcontextprotocol/sdk command should complete successfully.
Goal: Build a basic plugin for your workflow.
Steps:
-
Create a plugin directory:
mkdir -p ~/copilot-plugins/my-tools
cd ~/copilot-plugins/my-tools -
Initialize as Node.js project:
npm init -y -
Create a simple MCP server:
cat > index.js << 'EOF'
const { Server } = require('@modelcontextprotocol/sdk/server');
const server = new Server({
name: 'my-tools',
version: '1.0.0'
});
// Add a simple tool
server.addTool({
name: 'get-timestamp',
description: 'Get the current timestamp in various formats',
parameters: {
type: 'object',
properties: {
format: {
type: 'string',
enum: ['iso', 'unix', 'human'],
default: 'iso'
}
}
},
handler: async ({ format }) => {
const now = new Date();
switch (format) {
case 'unix':
return { timestamp: Math.floor(now.getTime() / 1000) };
case 'human':
return { timestamp: now.toLocaleString() };
default:
return { timestamp: now.toISOString() };
}
}
});
// Add a resource
server.addResource({
name: 'system-info',
description: 'System information',
handler: async () => ({
platform: process.platform,
nodeVersion: process.version,
cwd: process.cwd()
})
});
server.start();
EOF -
Install dependencies:
npm install @modelcontextprotocol/sdk -
Configure in Copilot:
{
"servers": {
"my-tools": {
"command": "node",
"args": ["/home/user/copilot-plugins/my-tools/index.js"]
}
}
} -
Test your plugin:
copilotWhat's the current timestamp?
Expected Outcome: Custom plugin provides new capabilities to Copilot.
Exercise 6: Plugin Security Review
Goal: Understand plugin security considerations.
Steps:
-
Review a plugin before installation:
# Check the source
npm view @package/name repository
# Review dependencies
npm view @package/name dependencies
# Check for known vulnerabilities
npm audit @package/name -
Security checklist for plugins:
- Source code is open and auditable
- Active maintenance and updates
- Minimal dependencies
- No known vulnerabilities
- Clear permission requirements
- Data handling documented
-
Configure with least privilege:
{
"servers": {
"plugin-name": {
"command": "npx",
"args": ["-y", "@package/plugin"],
"env": {
"API_KEY": "${PLUGIN_API_KEY}"
}
}
}
} -
Use environment variables for secrets:
export PLUGIN_API_KEY="your-key"
copilot -
Restrict plugin capabilities with deny rules:
copilot --allow-tool 'plugin-name' --deny-tool 'shell(rm)'
Expected Outcome: You can evaluate and securely configure plugins.
Exercise 7: Plugin Discovery and Ecosystem
Goal: Navigate the plugin ecosystem.
Steps:
-
Official sources:
-
Search npm for MCP servers:
npm search mcp-server
npm search modelcontextprotocol -
Check community collections:
- GitHub topics:
copilot-plugin,mcp-server - Awesome lists:
awesome-mcp,awesome-copilot
- GitHub topics:
-
Evaluate a plugin:
# Stars and activity
gh repo view owner/plugin-repo
# Recent commits
gh api repos/owner/plugin-repo/commits --jq '.[0:5] | .[].commit.message'
# Open issues
gh issue list -R owner/plugin-repo -
Contribute to the ecosystem:
- Report issues you find
- Submit feature requests
- Create and share your own plugins
Expected Outcome: You can find, evaluate, and contribute to the plugin ecosystem.
Plugin Configuration Reference
MCP Server Plugin Format
{
"servers": {
"plugin-name": {
"command": "npx",
"args": ["-y", "@scope/package-name", "--option"],
"env": {
"API_KEY": "${ENV_VAR}",
"CONFIG": "value"
},
"cwd": "/optional/working/dir"
}
}
}
Remote Plugin Format
{
"servers": {
"remote-plugin": {
"url": "https://plugin-server.example.com/mcp/",
"requestInit": {
"headers": {
"Authorization": "Bearer ${TOKEN}"
}
}
}
}
}
Common Plugins
| Plugin | Package | Purpose |
|---|---|---|
| Brave Search | @anthropic/mcp-server-brave-search | Web search |
| PostgreSQL | @modelcontextprotocol/server-postgres | Database |
| Filesystem | @modelcontextprotocol/server-filesystem | File ops |
| GitHub | Built-in | GitHub integration |
| Memory | @modelcontextprotocol/server-memory | Persistence |
| Puppeteer | @anthropic/mcp-server-puppeteer | Browser automation |
Security Best Practices
- Audit before install - Review source code
- Use environment variables - Never hardcode secrets
- Principle of least privilege - Grant minimal permissions
- Keep updated - Regularly update plugins
- Monitor usage - Track plugin activity
- Sandbox when possible - Use containers for untrusted plugins
Summary
- ✅ Plugins extend Copilot's capabilities significantly
- ✅ github/copilot-plugins provides official integrations
- ✅ work-iq-mcp enables enterprise Microsoft integrations
- ✅ Community MCP servers add diverse capabilities
- ✅ You can create custom plugins for specific needs
- ✅ Always review plugins for security before installation
- ✅
/plugin installand/plugin marketplace addnow support local paths with spaces (v0.0.415 fix)
Next Steps
Continue to Module 9: Custom Agents