Plugin install uses SSH clone even when HTTPS URL is specified

Resolved 💬 3 comments Opened Apr 19, 2026 by jon4s4lbertt4n Closed May 26, 2026

Summary

When installing a plugin via /plugin install, the system clones via SSH even when the marketplace source uses "source": "url" with an HTTPS URL. On machines without GitHub's host key in ~/.ssh/known_hosts, this fails with:

Host key verification failed.
fatal: Could not read from remote repository.

Steps to Reproduce

  1. Fresh Windows machine (no ~/.ssh/known_hosts or missing GitHub entry)
  2. /plugin marketplace add https://github.com/owner/repo.git — succeeds
  3. /plugin install plugin-name@marketplace-name — fails with SSH error

Expected Behavior

The plugin system should either:

  • Use HTTPS for cloning when the source specifies an HTTPS URL
  • Auto-run ssh-keyscan github.com before SSH clone
  • Fall back to HTTPS when SSH clone fails

Current Workaround

Users must manually run before first install:

mkdir -p ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts 2>/dev/null

Plugins cannot fix this because the error occurs during installation, before any hooks are registered.

Environment

  • Windows 11 Pro
  • Claude Code CLI

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗