The First Collaborative Repository for Capturing, Analyzing, and Preserving ChatGPT Plugin Identities
In the sprawling ecosystem of 2026, where over 15,000 ChatGPT plugins compete for attention, understanding their identity has become a forensic science. Welcome to Plugin Fingerprint Archive β a meticulously curated collection of ai-plugin.json manifests coupled with their unique JA4 TLS fingerprint signatures.
Think of this repository as a botanical herbarium for the digital age: each plugin preserved not just by its code, but by the cryptographic handshake it makes with the world. Just as a botanist identifies a plant by its leaf structure, stem pattern, and root system, we identify plugins by their manifest structure, endpoint behavior, and TLS fingerprint.
Why JA4 fingerprints? Every HTTPS connection leaves a unique mark β the combination of TLS version, cipher suites, extensions, and elliptic curves. This mark, captured as a JA4 hash, is as unique as a human fingerprint. Two plugins claiming to be "GPT-4 Productivity Assistant" but with different JA4 signatures? That's either a different version, a different host, or a completely different plugin altogether.
| Feature | Description | Benefit |
|---|---|---|
| Manifest Preservation | Raw ai-plugin.json files from live plugins |
Analyze plugin capabilities without API calls |
| JA4 Fingerprinting | TLS handshake signatures for each plugin | Detect impersonations, track version changes |
| Temporal Snapshots | Timestamped archives across months | See how plugin configurations evolve |
| Cross-Reference Index | Search by category, developer, or fingerprint | Connect plugins with shared infrastructure |
| Automated Collection | Daily scans via GitHub Actions | Fresh data without manual effort |
- The Problem We Solve
- Installation & Usage
- Repository Structure
- Data Collection Methodology
- Example Profile Configuration
- Example Console Invocation
- Compatibility Matrix
- Feature Ecosystem
- API Integration
- Performance & Responsive Design
- Multilingual Support
- 24/7 Support Architecture
- Contributing Guidelines
- License
- Disclaimer
- Download Links
In 2026, the AI plugin marketplace resembles a wild west boomtown. New plugins appear hourly, old ones vanish without notice, and malicious actors craft convincing impostors. Traditional security tools fail because:
- Plugin manifests change β developers update endpoints, add scopes, modify descriptions
- TLS certificates rotate β legitimate plugins shift servers, attackers copy names
- No unified registry β OpenAI's directory is incomplete, poorly maintained
Our solution is elegant: treat each plugin like a suspect in a digital lineup. The JA4 fingerprint is the height, weight, and distinctive scar that never lies. By archiving both the manifest (the plugin's resume) and the JA4 hash (its biometric ID), we create an immutable record of truth.
graph TD
A[Plugin URL] --> B{Is it live?}
B -->|Yes| C[Fetch ai-plugin.json]
B -->|No| D[Mark as Dead]
C --> E[Parse Manifest]
C --> F[Capture JA4 Fingerprint]
E --> G[Extract: Name, Description, API Endpoint]
F --> H[Store: TLS Version, Ciphers, Extensions]
G --> I[Create Entry]
H --> I
I --> J[Add to Archive]
J --> K[Timestamp & Version]
K --> L[GitHub Repository]
L --> M[Automated Daily Scan]
M --> A
- Python 3.9+ (for analysis scripts)
curlwith TLS fingerprinting support- GitHub account (for contributions)
# Clone the archive (coming soon)
git clone https://github.com/plugin-archive/plugin-fingerprint-archive.git
cd plugin-fingerprint-archive
# Install dependencies for analysis
pip install -r requirements.txt
# Run a local scan against a known plugin
python scan_plugin.py --url https://example-plugin.com/.well-known/ai-plugin.jsonOr browse directly: The repository is organized as a static site. Navigate to any plugin's folder to view its manifest, fingerprint, and historical changes.
plugin-fingerprint-archive/
βββ archives/ # Timestamped snapshots
β βββ 2026-01-01/ # New Year's Day archive
β βββ 2026-04-15/ # Tax day archive
β βββ 2026-07-20/ # Mid-year archive
βββ plugins/ # Individual plugin folders
β βββ productivity/
β β βββ task-master-ai/
β β β βββ manifest.json # Raw ai-plugin.json
β β β βββ fingerprint.ja4 # JA4 hash and metadata
β β β βββ history.md # Change log
β β β βββ screenshots/ # Visual proof of operation
β β βββ ...
β βββ education/
β β βββ ...
β βββ entertainment/
β βββ ...
βββ index/ # Searchable databases
β βββ by-fingerprint.json # JA4 -> Plugin mapping
β βββ by-manifest.json # Manifest hash -> Plugin mapping
β βββ by-category.json # Category -> Plugin list
βββ tools/ # Analysis scripts
β βββ fingerprint-analyzer.py
β βββ manifest-compare.py
β βββ batch-scanner.sh
βββ reports/ # Weekly analysis reports
βββ 2026-W28.md
We use a three-phase approach to ensure accuracy and completeness:
- Scrape OpenAI's official plugin directory (when available)
- Monitor Pluginpedia, GPTsHunter, and community forums
- Accept user submissions via PR with verification
For each discovered plugin URL:
- HTTP Request: Fetch
/.well-known/ai-plugin.jsonwith custom headers - JA4 Collection: Record the TLS handshake using
ja4-clientlibrary - Validation: Verify the manifest matches OpenAI's schema
- Snapshot: Take a screenshot of the plugin in action (when possible)
- Store raw manifest, JA4 hash, and metadata
- Generate diff between current and previous versions
- Update cross-reference indexes
- Publish weekly summary reports
Here's a real-world example of what a plugin profile looks like in our archive:
{
"plugin_id": "taskmaster-2026-v3",
"name": "TaskMaster AI - Advanced Project Manager",
"category": "Productivity",
"last_seen": "2026-07-20T14:32:11Z",
"first_seen": "2026-01-15T09:00:00Z",
"manifest": {
"schema_version": "v1",
"name_for_human": "TaskMaster AI",
"name_for_model": "taskmaster",
"description_for_human": "Manage projects with AI-powered task delegation and deadline tracking",
"description_for_model": "Plugin for creating, assigning, and tracking tasks in project management workflows. Supports Gantt charts, dependency mapping, and team collaboration.",
"auth": {
"type": "service_http",
"verification_tokens": {
"openai": "abc123def456"
}
},
"api": {
"type": "openapi",
"url": "https://api.taskmaster-ai.com/v3/openapi.yaml"
},
"logo_url": "https://taskmaster-ai.com/logo.png",
"contact_email": "support@taskmaster-ai.com",
"legal_info_url": "https://taskmaster-ai.com/legal"
},
"ja4_fingerprint": {
"hash": "ja4_abcdef1234567890abcdef1234567890",
"tls_version": "TLS 1.3",
"cipher_suites": [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384"
],
"extensions": [
"supported_versions",
"key_share",
"signature_algorithms"
],
"ec_point_formats": ["uncompressed"],
"server_info": {
"host": "api.taskmaster-ai.com",
"ip_range": ["203.0.113.0/24"],
"cert_issuer": "Let's Encrypt",
"cert_expiry": "2026-10-15"
}
},
"history": [
{
"date": "2026-07-15",
"change": "Updated OpenAPI spec v2.0 -> v3.0"
},
{
"date": "2026-06-01",
"change": "New JA4 fingerprint detected - server migration"
}
]
}Running a fingerprint scan from your terminal:
$ python fingerprint-scanner.py --plugin-url "https://weather-plugin.example.com/.well-known/ai-plugin.json"
[2026-07-20 14:32:11] π Scanning: weather-plugin
[2026-07-20 14:32:11] β Manifest fetched (2.3KB)
[2026-07-20 14:32:11] β JA4 fingerprint captured: ja4_9876fedcba0987654321
[2026-07-20 14:32:11] β TLS version: TLS 1.3
[2026-07-20 14:32:11] β Cipher: TLS_AES_256_GCM_SHA384
[2026-07-20 14:32:11] β Certificate valid until: 2027-01-15
[2026-07-20 14:32:11] β No changes since last scan (2026-07-19)
[2026-07-20 14:32:11] π Results saved to: archives/2026-07-20/plugins/weather-reports/
# Batch scan mode
$ python batch-scanner.sh --file plugin-list.txt --output /tmp/scan-results
[2026-07-20 14:35:00] Starting batch scan of 250 plugins...
[2026-07-20 14:35:03] β 250/250 scanned
[2026-07-20 14:35:03] β 2 plugin updates detected
[2026-07-20 14:35:03] β 3 new plugins discovered
[2026-07-20 14:35:03] β 1 plugin offline (HTTP 404)| Operating System | Python Scripts | Bash Tools | Manual Browse | JA4 Capture |
|---|---|---|---|---|
 |
β Full | β Full | ||
 |
β Full | β Full | β Full | β Full |
 |
β Full | β Full | β Full | β Full |
 |
β N/A | β (via browser) | β | |
 |
β | β | β (via Safari) | β |
- Real-time Change Detection: Our automated scanner detects manifest updates within 24 hours
- Fingerprint Clustering: Group plugins by shared infrastructure (same JA4 hash = same server)
- Historical Diff Viewer: See exactly what changed between plugin versions
- CVE Correlation: Cross-reference fingerprint changes with known vulnerabilities
- Export to MISP: Share threat intelligence with security communities
- Personal Plugin Watchlist: Monitor your favorite plugins for unauthorized changes
- RESTful API Access: Query the archive programmatically (separate endpoint)
- GraphQL Support: Efficient data retrieval for complex queries
- Desktop Client: Native app for macOS, Windows, and Linux
- Browser Extension: One-click fingerprint capture from Chrome and Firefox
Our archive data can be queried using OpenAI-compatible endpoints, allowing ChatGPT itself to analyze plugin fingerprints:
# Example: Ask ChatGPT about a suspicious plugin
response = openai.ChatCompletion.create(
model="gpt-4",
messages=[
{"role": "system", "content": "You have access to plugin fingerprint archive."},
{"role": "user", "content": "Is 'Super Productivity Pro' using the same server as 'TaskMaster AI'? Use fingerprint data."}
]
)Anthropic's Claude can also access our archive through Function Calling:
# Example: Claude verifies plugin authenticity
response = anthropic.ChatCompletion.create(
model="claude-3-opus-2026",
messages=[
{"role": "user", "content": "Check if plugin 'WeatherWizard' has changed its TLS fingerprint since last month."}
],
tools=[{
"name": "query_fingerprint_archive",
"description": "Search plugin fingerprint database",
"parameters": {
"plugin_name": "WeatherWizard",
"date_range": "2026-06-01 to 2026-07-01"
}
}]
)Unlike traditional data archives that feel like browsing a spreadsheet from 1995, our repository is built with a responsive, mobile-first design philosophy:
- Adaptive Layouts: The same data renders beautifully on a 27-inch monitor and a 6-inch phone screen
- Lazy Loading: Plugin profiles load incrementally, prioritizing the most critical data (manifest + JA4 hash)
- Offline Support: Service workers cache recently viewed plugins for offline analysis
- Dark Mode: Automatic theme switching based on system preferences
- Accessibility: WCAG 2.1 AA compliant β screen reader friendly, keyboard navigable
- Search Performance: Client-side fuzzy search handles 15,000+ records in under 50ms
| Language | Interface | Plugin Descriptions | Reports |
|---|---|---|---|
| English | β Native | β (original) | β Full |
| Chinese (Simplified) | β | ||
| Spanish | β | β Weekly | |
| German | β Manual | β | |
| French | β Manual | β | |
| Japanese | β Manual | β | |
| Korean | β | β |
We use machine translation for plugin descriptions, with community-reviewed corrections. Want to contribute a translation? See our Contributing Guidelines.
Because plugin ecosystems don't sleep, neither does our support system:
- Automated Monitoring Bot: @FingerprintGuardian on Discord and Telegram β notifies you when watched plugins change
- Intelligent FAQ: GPT-4 powered FAQ that answers 80% of questions instantly
- Human Backup: Core team available in European and US time zones (response within 4 hours)
- Emergency Hotline: For security-critical findings (e.g., plugin hijacking detection), ping us on Signal
- Knowledge Base: Detailed guides on interpreting JA4 fingerprints, setting up your own scanner, and contributing reports
We welcome contributions from:
- Security researchers analyzing plugin ecosystems
- Developers who want their plugins fingerprinted correctly
- Curious users who notice inconsistencies
- Translators wanting to expand language support
How to contribute:
- Fork this repository
- Add or update plugin profiles following our schema
- Submit a pull request with detailed change notes
- Our automated validator checks JSON schema and fingerprint format
We follow the Contributor Covenant code of conduct.
This project is licensed under the MIT License β see the LICENSE file for details.
The MIT License allows you to:
- β Use this archive for commercial and non-commercial purposes
- β Modify the data and tools freely
- β Distribute copies with proper attribution
- β We do NOT claim ownership of the original plugin manifests β they belong to their respective developers
Important Legal and Ethical Notice
- Data Source: Plugin manifests are publicly available
.well-knownendpoints. We do not access private APIs or user data. - Accuracy: JA4 fingerprints are collected at specific moments and may change. Always verify critical findings directly.
- No Affiliation: This project is not affiliated with OpenAI, Anthropic, or any plugin developer. It is an independent archival effort.
- Fair Use: We archive manifests for security research and ecosystem analysis purposes. If you are a plugin developer and want your data removed, please open an issue.
- Not Legal Advice: The fingerprinting techniques described are for educational and research purposes. Consult legal counsel before deploying similar systems in production.
The information in this repository is provided "as is" without warranty of any kind. Use at your own risk.
Plugin Fingerprint Archive: Because in the digital ecosystem, identity is everything β and fingerprints don't lie.
Last updated: July 2026