Plugin marketplace auto-update triggers SSH key unlock prompt on every new session (Linux/gnome-keyring)
Description
Since the plugin marketplace was introduced (~March 20, 2026), Claude Code triggers an SSH key unlock prompt (gnome-keyring) at the start of every new session in a new project directory. This is alarming to users — it looks like a potential security incident.
Root Cause (investigated)
On startup, Claude Code runs git fetch on the plugin marketplace repository:
https://github.com/anthropics/claude-plugins-official.git
→ ~/.claude/plugins/marketplaces/claude-plugins-official/
On Linux systems using gnome-keyring (Ubuntu, Pop!_OS, etc.), git's libsecret credential helper accesses the gnome-keyring wallet to look up GitHub HTTPS credentials. This causes the keyring to re-initialize its SSH agent component, which prompts for the passphrase of any SSH private key stored in the keyring — even though no SSH connection is being made.
Steps to Reproduce
- Linux system with gnome-keyring and a passphrase-protected SSH key stored in the keyring, mapped to
github.com - Start Claude Code in any new project directory
- Submit the first prompt
Expected Behavior
No SSH key prompt — the plugin update is HTTPS-only and should not involve SSH keys.
Actual Behavior
gnome-keyring prompts: _"An application wants to access the private key 'user@github.com'"_
Impact
- Alarming to users (looks like a potential security incident / prompt injection attack)
- Happened 3 times before root cause was identified
- Occurs on every new session, not just once
Environment
- OS: Pop!_OS 22.04
- gnome-keyring with SSH agent integration enabled
- SSH key for
github.comstored in keyring with passphrase
Suggested Fix
- Run the marketplace
git fetchwithGIT_TERMINAL_PROMPT=0andGIT_ASKPASS=/bin/trueto prevent credential lookups from triggering keyring access, or - Cache/embed a read-only token for the public Anthropic repo so no credential lookup is needed, or
- Add a user setting to disable or control plugin marketplace auto-update frequency
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗