Skip to main content
Automatically redirects Claude from WebFetch/curl to the authenticated gh CLI when accessing GitHub resources. Works with private repos and avoids rate limits.

Overview

Claude Code’s WebFetch tool and Bash curl/wget commands don’t use GitHub authentication. This plugin solves that by:
  1. Intercepting GitHub URL access via PreToolUse hooks
  2. Suggesting the correct gh CLI command instead
  3. Providing comprehensive gh CLI guidance via a skill
  4. Auto-cleaning cloned repositories when sessions end
Author: William Tan

Problems Solved

Private Repos

Unauthenticated fetches fail with 404 errors. gh uses your token automatically.

Rate Limits

Unauthenticated: 60 req/hr. Authenticated: 5,000 req/hr.

Incomplete Data

Some API responses require authentication to return full data.

What Gets Intercepted

ToolPatternSuggestion
WebFetchgithub.com/{owner}/{repo}gh repo view owner/repo
WebFetchgithub.com/.../blob/...gh repo clone + Read
WebFetchgithub.com/.../tree/...gh repo clone + Read/Glob/Grep
WebFetchgithub.com/.../pullsgh pr list / gh pr view
WebFetchgithub.com/.../issuesgh issue list / gh issue view
WebFetchapi.github.com/...gh api <endpoint>
WebFetchraw.githubusercontent.com/...gh repo clone + Read
Bashcurl https://api.github.com/...gh api <endpoint>
Bashcurl https://raw.githubusercontent.com/...gh repo clone + Read
Bashwget https://github.com/...gh release download

What Passes Through

  • Non-GitHub URLs (any domain that isn’t github.com, api.github.com, raw.githubusercontent.com, or gist.github.com)
  • GitHub Pages sites (*.github.io)
  • Commands already using gh
  • Git commands (git clone, git push, etc.)
  • Search commands that mention GitHub URLs (grep, rg, etc.)

Installation

1

Install GitHub CLI

If not already installed:
brew install gh
2

Authenticate

gh auth login
Follow the prompts to authenticate with your GitHub account.
3

Install Plugin

/plugin marketplace add trailofbits/skills
/plugin install gh-cli
If gh is not installed, the hooks silently pass through (no disruption to your workflow).

Browsing Repository Code

Key Principle: To read or browse files from a GitHub repo, clone it locally and use normal file tools (Read, Glob, Grep).

Clone Pattern

# Clone to session-scoped temp directory (auto-cleaned on session end)
clonedir="$TMPDIR/gh-clones-${CLAUDE_SESSION_ID}"
mkdir -p "$clonedir"
gh repo clone owner/repo "$clonedir/repo" -- --depth 1
Cloning is:
  • Faster for browsing multiple files
  • More natural - use Read, Glob, Grep like any local code
  • More efficient - one clone vs many API calls
  • Session-scoped - auto-cleaned when session ends

Using the Explore Agent

After cloning, use the Explore agent to investigate the repo: 
Task(subagent_type="Explore", prompt="In $clonedir/repo/, find how authentication is implemented")
The Explore agent can use Read, Glob, and Grep efficiently across the clone.

Automatic Cleanup

Cloned repositories are stored in session-scoped temp directories: 
$TMPDIR/gh-clones-<session-id>/
A SessionEnd hook automatically removes them when the session ends. No manual cleanup needed.

Common Usage Patterns

View Repository

gh repo view owner/repo

List and View Pull Requests

# List PRs
gh pr list --repo owner/repo

# View specific PR
gh pr view 123 --repo owner/repo

# View PR with comments
gh pr view 123 --repo owner/repo --comments

List and View Issues

# List issues
gh issue list --repo owner/repo

# View specific issue
gh issue view 456 --repo owner/repo

API Access

# Call any REST API endpoint
gh api repos/owner/repo/contents/README.md

# With pagination and jq filtering
gh api repos/owner/repo/pulls --paginate --jq '.[].title'

# GraphQL queries
gh api graphql -f query='{
  repository(owner: "owner", name: "repo") {
    issues(first: 10) {
      nodes { title }
    }
  }
}'

Download Release Assets

# Download latest release
gh release download --repo owner/repo

# Download specific release
gh release download v1.2.3 --repo owner/repo

# Download specific asset
gh release download v1.2.3 --repo owner/repo --pattern '*.tar.gz'

Reference Documentation

The skill includes comprehensive reference files:
  • pull-requests.md - List, view, create, merge, review PRs
  • issues.md - List, view, create, close, comment on issues
  • repos-and-files.md - View repos, browse files, clone
  • api.md - Raw REST/GraphQL access, pagination, jq filtering
  • releases.md - List, create, download releases
  • actions.md - View runs, trigger workflows, check logs

Usage Examples

Before (fails for private repos):
Claude uses WebFetch on github.com/myorg/private-repo/blob/main/src/auth.py
→ 404 Not Found
After (uses gh CLI):
# Hook intercepts and suggests:
clonedir="$TMPDIR/gh-clones-${CLAUDE_SESSION_ID}"
mkdir -p "$clonedir"
gh repo clone myorg/private-repo "$clonedir/private-repo" -- --depth 1

# Then use Read:
Read $clonedir/private-repo/src/auth.py

Hook Behavior

PreToolUse Hooks

The plugin includes hooks that run before WebFetch and Bash commands:
  1. Fast-fail for non-GitHub URLs - Exit immediately if URL doesn’t match GitHub patterns
  2. Parse GitHub URLs - Extract owner/repo/endpoint information
  3. Suggest gh command - Return the equivalent gh CLI command
  4. No execution blocking - Claude receives the suggestion and can choose to use it

SessionEnd Hook

Cleans up cloned repositories when the session ends: 
rm -rf "$TMPDIR/gh-clones-${CLAUDE_SESSION_ID}"
Concurrent sessions don’t interfere with each other (each has unique session ID).

Benefits

Private Repository Access

Uses your authenticated token automatically - works with all private repos you have access to.

Higher Rate Limits

5,000 requests/hour (authenticated) vs 60 requests/hour (unauthenticated).

Complete API Data

Authenticated requests return full response data, not limited public information.

No Manual Cleanup

Session-scoped temp directories are automatically removed when session ends.
  • Devcontainer Setup - GitHub CLI comes pre-installed in devcontainers
  • Second Opinion - Uses gh pr commands for code review workflows
  • Git Cleanup - Works alongside gh for branch management

Build docs developers (and LLMs) love

Get started for freeTalk to us