Claude Code Plugin Yoink Replaces Library Dependencies to Reduce Supply Chain Risk

Yoink is a Claude Code plugin designed to reduce supply chain attack risk by replacing library dependencies with custom implementations of only the needed functionality. The tool was developed in response to recent supply chain attacks, including those affecting LiteLLM and axios.
How Yoink Works
The plugin uses a three-step skill-based workflow:
/setup clones the target repository and scaffolds a replacement package
/curate-tests generates tests verified against the original tests' expectations
/decompose determines which dependencies to keep or decompose based on principles like "keeping foundational primitives regardless of how narrow they are used" and implements iteratively using ralph until all tests pass
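To make "only the needed functionality" concrete, here is an added example (not Yoink's code and not a description of how its decompose step decides) that uses Python's ast module to list which names of each imported package a source file actually references. The function name `used_surface` and the sample module are constructed for illustration; local rebinding and dynamic imports are not tracked.

```python
import ast
from collections import defaultdict

# Constructed sample input: a module that touches a small part of two libraries.
SAMPLE = '''
import requests
import yaml as y
from requests.adapters import HTTPAdapter

def fetch(url):
    s = requests.Session()
    s.mount("https://", HTTPAdapter(max_retries=3))
    return y.safe_load(s.get(url).text)

def ok(url):
    return requests.get(url).status_code == requests.codes.ok
'''

def used_surface(source):
    """Map each imported top-level package to the dotted names the code references."""
    tree = ast.parse(source)
    alias_to_path = {}  # local name -> dotted path it is bound to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                # "import a.b" binds "a"; "import a.b as c" binds "c" to "a.b"
                local = a.asname or a.name.split(".")[0]
                alias_to_path[local] = a.name if a.asname else local
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                alias_to_path[a.asname or a.name] = f"{node.module}.{a.name}"
    surface = defaultdict(set)
    for node in ast.walk(tree):
        # Unwind attribute chains such as requests.codes.ok down to their root name
        parts, cur = [], node
        while isinstance(cur, ast.Attribute):
            parts.append(cur.attr)
            cur = cur.value
        if isinstance(cur, ast.Name) and cur.id in alias_to_path:
            full = ".".join([alias_to_path[cur.id]] + parts[::-1])
            surface[full.split(".")[0]].add(full)
    # ast.walk also visits each prefix of a chain; keep only the longest names
    return {pkg: sorted(n for n in names
                        if not any(m.startswith(n + ".") for m in names))
            for pkg, names in surface.items()}

if __name__ == "__main__":
    for pkg, names in sorted(used_surface(SAMPLE).items()):
        print(pkg, names)
```

A short list per package marks a dependency whose used surface is small enough to review by hand; whether it is also a foundational primitive worth keeping is a separate judgment the count does not make.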
Technical Implementation
The developers used Claude Code's plugin system as a proxy framework for programming agents for long-horizon tasks. The plugin system provides a file and documentation structure for organizing skills, agents, and hooks so that Claude Code is directed systematically through multi-phase execution steps via progressive disclosure. They also built a custom linter that enforces additional documentation standards, making it easier to reason about interactions between skills and agents.
Current Limitations and Future Plans
Only Python is supported now, but TypeScript and Rust support are underway. The developers note that agents occasionally get too eager and run tests they were explicitly instructed not to, and sometimes wander off-course to explore unrelated files.
Future iterations will explore tracking upstream changes and updating yoinked code accordingly to address the maintenance benefits of established packages (security patches, bug fixes, version bumps). The developers also foresee fair attribution becoming an issue as AI coding and dependency internalization become more common.
📖 Read the full source: r/ClaudeAI