[FEATURE] Support GITHUB_TOKEN / GIT_ASKPASS for plugin marketplace git operations
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
claude plugin marketplace add cannot clone private GitHub
repositories in environments that rely on external credential
helpers (e.g., GIT_ASKPASS, GITHUB_TOKEN, GH_TOKEN).
The CLI spawns its own git clone subprocess, but does not pass
through standard git authentication environment variables. This
means that even though git clone works correctly in the user's
terminal (via credential helpers), the same operation fails when
triggered by claude plugin marketplace add.
Reproduction
In an environment where git HTTPS authentication is provided via
GIT_ASKPASS:
This works — git respects GIT_ASKPASS
git clone https://github.com/my-org/my-private-marketplace.git
✓ Cloning into 'my-private-marketplace'...
This fails — claude CLI does not pass GIT_ASKPASS to its git
subprocess
claude plugin marketplace add
https://github.com/my-org/my-private-marketplace
✘ HTTPS authentication failed. Please ensure your credential
helper is configured
Setting GITHUB_TOKEN also doesn't work
GITHUB_TOKEN=ghp_xxx claude plugin marketplace add
https://github.com/my-org/my-private-marketplace
✘ HTTPS authentication failed.
Workaround
Pre-clone the repo manually, then point the marketplace at the
local path:
git clone https://github.com/my-org/my-private-marketplace.git \
~/.claude/plugins/marketplaces/my-marketplace
claude plugin marketplace add
~/.claude/plugins/marketplaces/my-marketplace
claude plugin install my-plugin
This works but requires additional scripting and means claude
plugin marketplace update won't be able to pull new changes (same
auth issue).
Embedding token in URL — security concern
Embedding a token directly in the URL does work:
claude plugin marketplace add "https://x-access-token:${TOKEN}@gi
thub.com/my-org/my-marketplace"
However, the CLI stores the full token in plaintext in
~/.claude/settings.json:
```{
"extraKnownMarketplaces": {
"my-marketplace": {
"source": {
"source": "git",
"url": "https://x-access-token:ghp_XXXX@github.com/my-org
/my-marketplace.git"
}
}
}
}
This is a security risk — tokens persisted on disk can be leaked
via backups, dotfile syncing, or compromised environments.
---
### Proposed Solution
Support standard git authentication mechanisms in the CLI's git
operations:
1. Inherit GIT_ASKPASS — pass through the existing GIT_ASKPASS
environment variable to the git subprocess. This is how many
CI/CD systems and remote development environments (Coder, Gitpod,
Codespaces) provide credentials.
2. Read GITHUB_TOKEN / GH_TOKEN — use these environment variables
to authenticate HTTPS clones, consistent with how gh CLI and
GitHub Actions work.
3. Inherit git credential helpers — respect the user's configured
credential.helper in their git config.
4. If token-in-URL is supported, don't persist it — redact
credentials from the stored URL in settings.json and re-resolve
them at clone/update time from environment variables.
### Alternative Solutions
_No response_
### Priority
Medium - Would be very helpful
### Feature Category
CLI commands and flags
### Use Case Example
This is particularly important for:
- Remote development environments (Coder, Gitpod, Codespaces)
where auth is provided via credential helpers, not SSH keys or gh
auth login
- CI/CD pipelines where tokens are injected as environment
variables
- Organizations distributing private plugin marketplaces to their
teams — the marketplace add + install should work with the same
auth the user already has for git
### Additional Context
Environment
- Claude Code CLI v2.1.112
- Linux (Alpine-based container)
- Git authentication provided via GIT_ASKPASS credential helper
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗