Marketplace plugin sync triggers YubiKey presence, undermining hardware key security model

Open 💬 8 comments Opened Jan 4, 2026 by arcaven

Summary

Claude Code's periodic marketplace plugin sync uses SSH to clone/fetch from git@github.com:anthropics/claude-plugins-official.git. For users with FIDO2/hardware security keys (YubiKey) configured for GitHub SSH authentication, this triggers unintended touch prompts every few minutes, which:

  1. Undermines the security model - Users configure YubiKey touch requirements specifically to authorize sensitive operations (like commit signing). Frequent "background noise" prompts train users to touch without thinking, defeating the purpose.
  1. Disrupts workflow - Unexpected YubiKey prompts interrupt work and cause confusion about what operation is being authorized.
  1. Creates authorization ambiguity - When a user touches their YubiKey, they should know exactly what they're authorizing. Background syncs make this impossible.

Environment

  • OS: macOS 14.x (Darwin 25.1.0)
  • Claude Code version: Latest
  • YubiKey model: YubiKey 5 Nano (OTP+FIDO+CCID mode)
  • SSH key type: sk-ssh-ed25519@openssh.com (FIDO2 resident key)

Reproduction

  1. Configure GitHub SSH access with a FIDO2 security key:

``
# ~/.ssh/config
Host github.com
IdentityFile ~/.ssh/id_ed25519_sk
``

  1. Configure git commit signing with the same key:

``
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519_sk.pub
git config --global commit.gpgsign true
``

  1. Run Claude Code normally
  1. Observe: YubiKey blinks and requests touch every few minutes during marketplace sync, even when no commits are being made

Evidence

Process list shows periodic SSH operations to GitHub:

ssh -o BatchMode=yes ... git@github.com git-upload-pack 'anthropics/claude-plugins-official.git'
git ... clone --depth 1 git@github.com:anthropics/claude-plugins-official.git

Suggested Solutions

  1. Use HTTPS instead of SSH for marketplace sync (preferred) - This avoids SSH key authentication entirely for read-only public repo access
  1. Respect GIT_SSH_COMMAND or provide config option - Allow users to specify a different SSH command/key for Claude's internal git operations
  1. Add config to disable or reduce sync frequency - claude config set plugins.marketplace.sync false or similar
  1. Batch/coalesce syncs - Instead of syncing every few minutes, sync once at startup or on explicit user request

Workaround

Users can work around this by:

  • Adding a non-SK SSH key before the SK key in ~/.ssh/config
  • Disabling marketplace plugins entirely

However, this shouldn't be necessary - Claude Code's internal operations should not trigger user-facing security prompts.

Security Consideration

This is fundamentally a security UX issue. Hardware security keys are designed around the principle that touch = explicit authorization. When background processes trigger touch prompts, users either:

  • Get annoyed and disable the security feature
  • Start touching reflexively without checking what they're authorizing

Both outcomes weaken security posture.

View original on GitHub ↗

This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗