Plugin marketplace refresh uses SSH instead of HTTPS, fails without SSH keys
Bug
When refreshing a plugin marketplace that was originally added/cloned via HTTPS, the refresh logic appears to construct an SSH URL (git@github.com:...) instead of using HTTPS, causing it to fail on machines without SSH keys configured.
Steps to Reproduce
- Add a custom plugin marketplace via
/plugininside Claude Code (no SSH keys on machine) - Marketplace clones successfully via HTTPS
- On next session or
/plugininvocation, marketplace refresh fails with:
Failed to refresh marketplace '2389-research-marketplace': Failed to clone marketplace repository: SSH authentication failed.
git@github.com: Permission denied (publickey).
Expected Behavior
Marketplace refresh should use HTTPS (matching how it was originally cloned), not SSH.
Actual Behavior
Refresh fails with SSH authentication error despite:
- The local repo having HTTPS remotes (
git remote -vshowshttps://github.com/...) git fetch originworking fine over HTTPS- The marketplace having been added without SSH keys
Root Cause
known_marketplaces.json stores the source as:
{
"source": "github",
"repo": "2389-research/claude-plugins"
}
The refresh logic likely constructs git@github.com:2389-research/claude-plugins.git from this config instead of using https://github.com/2389-research/claude-plugins.git or the existing local remote URL.
Workaround
Installed plugins continue to work from local cache — only auto-update/refresh is broken.
Environment
- macOS (Darwin 25.3.0)
- No SSH keys configured (
~/.ssh/has no.pubfiles) - Claude Code CLI
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗