Skip to content

Latest commit

 

History

History
62 lines (44 loc) · 2.95 KB

README.md

File metadata and controls

62 lines (44 loc) · 2.95 KB

gh-cli

A Claude Code plugin that intercepts GitHub URL fetches and redirects Claude to use the authenticated gh CLI instead.

Problem

Claude Code's WebFetch tool and Bash curl/wget commands don't use the user's GitHub authentication. This means:

  • Private repos: Fetches fail with 404 errors
  • Rate limits: Unauthenticated requests are limited to 60/hour (vs 5,000/hour authenticated)
  • Missing data: Some API responses are incomplete without authentication

Solution

This plugin provides:

  1. PreToolUse hooks that intercept GitHub URL access via WebFetch or curl/wget, and suggest the correct gh CLI command
  2. A gh PATH shim that blocks anti-patterns: API /contents/ fetching and non-session-scoped temp directory clones
  3. A SessionEnd hook that automatically cleans up cloned repositories when the session ends

What Gets Intercepted

Tool Pattern Suggestion
WebFetch github.com/{owner}/{repo} gh repo view owner/repo
WebFetch github.com/.../blob/... gh repo clone + Read
WebFetch github.com/.../tree/... gh repo clone + Read/Glob/Grep
WebFetch api.github.com/repos/.../pulls gh pr list / gh pr view
WebFetch api.github.com/repos/.../issues gh issue list / gh issue view
WebFetch api.github.com/... gh api <endpoint>
WebFetch raw.githubusercontent.com/... gh repo clone + Read
Bash curl https://api.github.com/... gh api <endpoint>
Bash curl https://raw.githubusercontent.com/... gh repo clone + Read
Bash wget https://github.com/... gh release download
Bash (shim) gh api repos/.../contents/... gh repo clone + Read
Bash (shim) gh repo clone ... /tmp/... (non-session-scoped) Session-scoped clone path

What Passes Through

  • Non-GitHub URLs (any domain that isn't github.com, api.github.com, raw.githubusercontent.com, or gist.github.com)
  • GitHub Pages sites (*.github.io)
  • Commands already using gh (except anti-patterns blocked by the shim; see table above)
  • Git commands (git clone, git push, etc.)
  • Search commands that mention GitHub URLs (grep, rg, etc.)

Note: When hooks deny blob/tree/raw URLs, the denial message explicitly warns against using gh api to fetch and base64-decode file contents as a fallback — clone the repo instead.

Automatic Cleanup

Cloned repositories are stored in session-scoped temp directories ($TMPDIR/gh-clones-<session-id>/). A SessionEnd hook automatically removes them when the session ends, so there's no manual cleanup needed and concurrent sessions don't interfere with each other.

Prerequisites

  • GitHub CLI (gh) must be installed and authenticated (gh auth login)
  • If gh is not installed, the hooks pass through without disruption

Installation

/plugin marketplace add trailofbits/skills
/plugin install gh-cli