Claude Code v2.1.91 — MCP 500K Results, Plugin Binaries, and a New Security Toggle
Published on April 2, 2026
Part of the Claude Code Version Tracker series. | Official Env Vars | Official Changelog
Claude Code v2.1.91 is a small release by env var count — 1 added, 2 removed — but the changelog carries the weight. MCP servers can now push up to 500K characters through tool results without truncation, plugins can ship and execute their own binaries, and a new disableSkillShellExecution setting lets organizations lock down shell access in skills. The security story here cuts both ways: tighter controls on skill execution, but a wider attack surface from plugin-bundled executables.
What Changed
| | v2.1.90 | v2.1.91 |
|---|---|---|
| Environment variables | 213 | 212 (−1 net) |
| Model IDs | 16 | 16 |
| Feature gates | 41 | 41 |
| Dynamic configs | 29 | 29 |
| Slash commands | 24 | 24 |
New Environment Variables
| Variable | Likely Purpose |
|---|---|
| CLAUDE_CODE_ENABLE_PROMPT_SUGGESTION | Enables a prompt suggestion feature in the Claude Code UI. This likely surfaces contextual follow-up prompts or autocomplete suggestions based on the current conversation state — similar to how ChatGPT shows suggested replies. The typo predecessor CLAUDE_CODE_ENABLE_PROMPT_SUGGESTIONJ was removed in the same release, confirming a naming cleanup as the feature matures from prototype to user-facing toggle. |
Notable Changelog Features
MCP Tool Result Persistence Override (up to 500K characters)
MCP servers can now annotate individual tool results with _meta["anthropic/maxResultSizeChars"] to allow up to 500K characters to pass through without truncation. Previously, large results — database schemas, full API documentation, code generation output — were silently truncated at a much lower threshold, forcing MCP server authors into awkward workarounds: paginating results, writing to temp files, or splitting single logical queries into multiple calls.
The MCP server declares per-result how much data Claude Code should accept, and the client honors it up to the 500K ceiling. Rather than a global "allow large results" flag that would bloat every tool call, individual servers opt in for the results that actually need the headroom. A database introspection tool can send a full schema in one call while a simple file-search tool keeps its compact results.
For MCP server developers, this removes one of the most common friction points. For users, it means fewer "results truncated" surprises when working with data-heavy tools.
disableSkillShellExecution — Locking Down Skill Shell Access
A new disableSkillShellExecution setting disables inline shell execution in skills, custom slash commands, and plugin commands — a significant security control for managed deployments.
Skills in Claude Code are prompt-driven capabilities — /commit, /review-pr, custom organization-defined commands — that can include shell execution as part of their workflow. In an enterprise context where skills are pushed via managed settings, the ability for a skill to execute arbitrary shell commands represents a trust boundary that administrators may want to close. A compromised or poorly written skill that shells out to curl or rm poses real risk when skills are installed organization-wide.
The setting name uses "disable" rather than "restrict" — a binary kill switch. Skills either get shell access or they don't. That is the right call for a security boundary: partial restrictions on shell execution are notoriously hard to enforce and easy to bypass.
Plugin Executables — bin/ Support
Plugins can now ship executables under bin/ and invoke them as bare commands from the Bash tool — a major capability expansion. Plugins move from "prompt templates with tool access" to "full extensions that bundle their own toolchain."
A plugin could now ship a compiled linter, a schema validator, a data processor, or a format converter as a native binary — no dependency on the host system's package manager, no npm install at runtime. The binary runs in the same Bash sandbox as other tool calls, so it inherits the same permission model.
The security implications are worth noting. Plugin binaries are opaque — unlike prompt files or JavaScript, a compiled executable can't be easily audited by users or administrators before it runs. The marketplace cache resilience added in v2.1.90 (CLAUDE_CODE_PLUGIN_KEEP_MARKETPLACE_ON_FAILURE) means these binaries can persist even when the marketplace itself is unreachable. For enterprise deployments, this creates a new surface to monitor: what binaries are your installed plugins shipping, and what do they do? The disableSkillShellExecution setting doesn't cover plugin binaries invoked through the Bash tool — those are standard Bash calls, not skill shell execution. Organizations adopting plugins with bin/ directories should review what's inside them with the same rigor they'd apply to any third-party binary.
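One way to take the inventory this section recommends, as an added example (not code from Claude Code or from the original article): it finds every file under a bin/ directory below a plugin root, records its format from the leading magic bytes and its SHA-256, and lists the files whose hash is not on a reviewed allowlist. The plugin root is passed in by the caller because the article does not state where plugins are installed, and the example-plugin tree in demo() is constructed sample data.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Leading magic bytes of common executable formats.
MAGIC = [(b"\x7fELF", "elf"), (b"MZ", "pe"), (b"#!", "script"),
         (b"\xcf\xfa\xed\xfe", "mach-o"), (b"\xca\xfe\xba\xbe", "mach-o-fat")]

def classify(head):
    """Name the executable format from a file's first bytes."""
    return next((k for magic, k in MAGIC if head.startswith(magic)), "unknown")

def inventory(plugins_root):
    """One record per file under any bin/ directory below plugins_root."""
    # plugins_root is an assumption: pass wherever plugins live on your hosts.
    root, records = Path(plugins_root), []
    # A set removes duplicates when one bin/ directory is nested in another.
    found = {f for b in root.rglob("bin") if b.is_dir() for f in b.rglob("*")}
    for path in sorted(found):
        if path.is_dir() and not path.is_symlink():
            continue
        rec = {"path": path.relative_to(root).as_posix()}
        if path.is_symlink():
            # Report links rather than following them out of the plugin tree.
            rec.update(kind="symlink", executable=False, sha256=None)
        else:
            data = path.read_bytes()
            rec.update(kind=classify(data[:4]),
                       executable=bool(path.stat().st_mode & stat.S_IXUSR),
                       sha256=hashlib.sha256(data).hexdigest())
        records.append(rec)
    return records

def unreviewed(records, approved_hashes):
    """Files whose SHA-256 is not in the set of digests already reviewed."""
    return [r for r in records if r["sha256"] not in approved_hashes]

def demo():
    """Constructed plugin tree: one reviewed script, one unreviewed ELF stub."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp, "example-plugin", "bin")
        bin_dir.mkdir(parents=True)
        script = b"#!/bin/sh\necho lint ok\n"
        (bin_dir / "lint").write_bytes(script)
        (bin_dir / "convert").write_bytes(b"\x7fELF" + bytes(60))
        approved = {hashlib.sha256(script).hexdigest()}
        return [(r["path"], r["kind"]) for r in unreviewed(inventory(tmp), approved)]

if __name__ == "__main__":
    print(demo())
```

Run on a schedule, the output of unreviewed() also flags a binary that changed after a plugin update, since its hash no longer matches the reviewed one.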
Multi-Line Deep Links — claude-cli://open?q=
The claude-cli://open?q= URL scheme now supports multi-line prompts via encoded newlines (%0A). Previously, newlines in the query parameter were rejected, limiting deep links to single-line prompts.
This is likely driven by Claude Desktop and Cowork integration — desktop applications that launch Claude Code via URL scheme can now pass structured, multi-line prompts. A deep link could include a full task description with context, code snippets, or step-by-step instructions rather than a compressed single line. For workflow automation, external tools can pre-populate Claude Code with rich prompts that would previously have required clipboard injection or temp file workarounds.
Edit Tool Token Optimization
The Edit tool now uses shorter old_string anchors, reducing output tokens. Every Edit call requires the model to output the old_string for matching, and in large files this could waste hundreds of tokens per edit on content that exists only to locate the edit position. Shorter anchors mean faster edits and lower cost — a quiet optimization that compounds across sessions with many file modifications.
Sources
- Claude Code Official Changelog — v2.1.91 release notes
This analysis is conducted for independent security research and interoperability purposes under fair use principles. All trademarks belong to their respective owners. The information presented here documents publicly observable behavior of installed software and is not intended to circumvent any technological protection measures, infringe on intellectual property rights, or encourage unauthorized use. Use these findings at your own discretion.
Related Versions
- Claude Code v2.1.90 — Environment Variables — /powerup lessons, marketplace cache resilience, rate-limit loop fix
- Claude Code v2.1.88 — 7 New Environment Variables — mouse control, REPL mode, flicker-free rendering
- Claude Code v2.1.86 — 2 New Environment Variables — trusted device tokens, OAuth console override
- Claude Code v2.1.85 — 6 New Environment Variables — MCP server config, yoga-layout removal, OAuth endpoint overrides
- Claude Code v2.1.84 — 6 New Environment Variables — idle management, PowerShell tool, Bedrock parity