Marketplace plugin sync triggers YubiKey presence, undermining hardware key security model
Summary
Claude Code's periodic marketplace plugin sync uses SSH to clone/fetch from git@github.com:anthropics/claude-plugins-official.git. For users with FIDO2/hardware security keys (YubiKey) configured for GitHub SSH authentication, this triggers unintended touch prompts every few minutes, which:
- Undermines the security model - Users configure YubiKey touch requirements specifically to authorize sensitive operations (like commit signing). Frequent "background noise" prompts train users to touch without thinking, defeating the purpose.
- Disrupts workflow - Unexpected YubiKey prompts interrupt work and cause confusion about what operation is being authorized.
- Creates authorization ambiguity - When a user touches their YubiKey, they should know exactly what they're authorizing. Background syncs make this impossible.
Environment
- OS: macOS 14.x (Darwin 25.1.0)
- Claude Code version: Latest
- YubiKey model: YubiKey 5 Nano (OTP+FIDO+CCID mode)
- SSH key type:
sk-ssh-ed25519@openssh.com(FIDO2 resident key)
Reproduction
- Configure GitHub SSH access with a FIDO2 security key:
````
# ~/.ssh/config
Host github.com
IdentityFile ~/.ssh/id_ed25519_sk
- Configure git commit signing with the same key:
````
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519_sk.pub
git config --global commit.gpgsign true
- Run Claude Code normally
- Observe: YubiKey blinks and requests touch every few minutes during marketplace sync, even when no commits are being made
Evidence
Process list shows periodic SSH operations to GitHub:
ssh -o BatchMode=yes ... git@github.com git-upload-pack 'anthropics/claude-plugins-official.git'
git ... clone --depth 1 git@github.com:anthropics/claude-plugins-official.git
Suggested Solutions
- Use HTTPS instead of SSH for marketplace sync (preferred) - This avoids SSH key authentication entirely for read-only public repo access
- Respect
GIT_SSH_COMMANDor provide config option - Allow users to specify a different SSH command/key for Claude's internal git operations
- Add config to disable or reduce sync frequency -
claude config set plugins.marketplace.sync falseor similar
- Batch/coalesce syncs - Instead of syncing every few minutes, sync once at startup or on explicit user request
Workaround
Users can work around this by:
- Adding a non-SK SSH key before the SK key in
~/.ssh/config - Disabling marketplace plugins entirely
However, this shouldn't be necessary - Claude Code's internal operations should not trigger user-facing security prompts.
Security Consideration
This is fundamentally a security UX issue. Hardware security keys are designed around the principle that touch = explicit authorization. When background processes trigger touch prompts, users either:
- Get annoyed and disable the security feature
- Start touching reflexively without checking what they're authorizing
Both outcomes weaken security posture.
This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗