Default to private when creating GitHub repositories

Resolved 💬 3 comments Opened Mar 30, 2026 by fechirin-cyber Closed May 3, 2026

Description

When Claude Code creates GitHub repositories (via gh repo create), it should default to private visibility. Currently, there is no built-in guardrail, and repos can be created as public without explicit user confirmation.

Problem

A user discovered that 6 of their 8 GitHub repositories were unintentionally public, potentially exposing source code, game assets, and project structure to the internet. While no API keys were committed in this case, the risk was real.

In agent-heavy workflows (where Claude orchestrates multiple subagents that handle git operations), the user has limited visibility into each gh repo create call. If any agent creates a repo without --private, sensitive code is silently exposed.

Proposal

  1. Default to --private: When Claude Code runs gh repo create, it should always include the --private flag unless the user explicitly requests a public repository.
  2. Warn before making public: If a user or instruction explicitly asks for a public repo, Claude should confirm with the user before proceeding, similar to how destructive operations (force push, etc.) require confirmation.
  3. Warn on gh repo edit --visibility public: Same confirmation before changing an existing repo to public.

Rationale

  • Making a repo public is a hard-to-reverse, externally-visible action — cached/cloned copies may persist even after switching back to private.
  • Individual developers (hobbyists, indie game devs, etc.) often don't realize repos are public until it's too late.
  • "Private by default" aligns with the principle of least privilege and Claude Code's existing caution around destructive/visible actions.

Environment

  • Claude Code on Windows 10
  • Multiple game projects managed via Agent tool subagents

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗