Conversation
…d clone paths

Add two new PreToolUse hooks:
- intercept-gh-api-contents: blocks `gh api repos/.../contents/... | base64 -d` and suggests cloning instead
- intercept-gh-clone-path: denies `gh repo clone` to non-session-scoped temp paths, enforcing the `$TMPDIR/gh-clones-$CLAUDE_SESSION_ID/` convention

Update existing fetch/curl hooks to warn against the `gh api` contents anti-pattern in their denial messages. Update skill docs and references to discourage base64-decoding file contents via the API. Bump version 1.3.0 → 1.6.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Swap intercept-gh-api-contents.sh and intercept-gh-clone-path.sh (regex-matched PreToolUse hooks) for a single shims/gh wrapper prepended to PATH via a SessionStart hook. The shim receives properly tokenized $@ args, eliminating the class of regex bypass bugs identified in PR review (subshell, @base64d, compound command gaps). All /contents/ API access is now blocked unconditionally. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace hardcoded $4 clone target with arg iteration to prevent flag-based bypass (e.g., -u upstream owner/repo /tmp/bad-path)
- Handle exec failure on real gh binary with error message and exit 126
- Add diagnostic message when gh not found on PATH in setup-shims.sh
- Add error handling for CLAUDE_ENV_FILE write failure
- Replace blocked gh api contents example in SKILL.md Quick Start
- Fix incorrect --branch <sha> docs (git clone --branch requires a branch/tag name, not a commit SHA)
- Rename misleading "exits silently" test names to "exits gracefully"
- Add test for clone bypass with flags before target path

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove unreachable || block after exec in the gh shim (dead code since exec replaces the process). Fix shallow clone + SHA checkout guidance to note --depth 1 must be omitted. Qualify README passthrough list to account for shim interceptions. Improve anti-pattern docs and api.md Headers section. Add 4 tests: bare gh passthrough, tmp substring path, session-scoped /var/folders/, missing shims dir. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Validate shims/gh is executable in setup-shims.sh before writing PATH
- Add tests: API contents with query params, long-form flags before clone target, non-executable shim file
- Fix README "silently pass through" wording
- Clarify shim comment on flag-value scanning behavior
- Rename test for clarity on flag-preceding-target behavior

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The skill rarely triggered (~0-11% recall across eval runs) because Claude's system prompt already includes gh CLI instructions. The hooks (WebFetch/curl interception, gh shim, clone cleanup) enforce the critical behaviors regardless of skill triggering, making the skill redundant. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Sync marketplace.json description with plugin.json
- Add shellcheck disable directives for bats subshell warnings
- Use absolute bash path in setup-shims test to handle PATH filtering

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ID diagnostic

- Curl hook: add api.github.com/repos/.../contents/ branch before generic catch-all so it suggests clone instead of gh api (which the shim would then block)
- Shim: anchor /contents/ regex to ^repos/ and skip flags so jq filter values don't cause false positives
- Shim: emit specific diagnostic when CLAUDE_SESSION_ID is unset instead of a self-contradicting suggestion
- Curl hook: remove redundant gh/git early exits so compound commands like "curl github.com/... && gh version" are correctly denied
- Tests: add coverage for all three fixes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…fetch contents gap

- Fix exec failure handler in gh shim: disable set -e around exec so the error message is actually reachable, use resolved path consistently
- Handle leading-slash API endpoints (gh api /repos/.../contents/...) by changing regex from ^repos/ to ^/?repos/
- Exit 1 (not 0) when CLAUDE_ENV_FILE is missing in setup-shims.sh, since this is a runtime contract violation, not graceful degradation
- Add /contents/ branch to fetch hook for api.github.com URLs so WebFetch to api.github.com/repos/.../contents/ gets the clone suggestion instead of the generic gh api suggestion
- Add tests for all fixes (leading slash, /private/tmp session path, CLAUDE_ENV_FILE exit code, fetch contents endpoint)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
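The behaviours the commit messages above describe for the `gh` shim (deciding on properly tokenized `$@` rather than a regex over the command line, anchoring the contents check to `^/?repos/` while skipping flag values so jq filters cannot cause false positives, iterating the arguments to find the clone target instead of trusting `$4`, enforcing the `$TMPDIR/gh-clones-$CLAUDE_SESSION_ID/` convention with a prefix-plus-slash check that defeats substring paths, and a specific diagnostic when `CLAUDE_SESSION_ID` is unset) are collected here in one sourceable POSIX sh policy. This is an added example and not the project's own shims/gh; the `shim_*` function names, the `GH_*_VALUED` flag lists, the rule that a clone without an explicit directory is denied, and blocking `.../contents` without a trailing path as well as `.../contents/...` are this example's assumptions. It goes slightly beyond the commits by also rejecting `..` components that would leave the session directory.

```shell
#!/bin/sh
# Added example of a gh shim policy layer in the spirit of the shims/gh wrapper the
# commits describe; not the project's code. The shim_* names, the GH_*_VALUED flag
# lists and the "explicit clone directory required" rule are this example's assumptions.
# Policy and exec are separate functions so the policy can be sourced and tested
# without a real gh binary.

# Session-scoped clone root: $TMPDIR/gh-clones-$CLAUDE_SESSION_ID (the PR's convention).
shim_clone_root() {
  local tmp
  tmp=${TMPDIR:-/tmp}
  printf '%s/gh-clones-%s' "${tmp%/}" "$CLAUDE_SESSION_ID"
}

# Value-taking flags of `gh api` (per `gh api --help`) and of `gh repo clone`.
GH_API_VALUED="--cache -F --field -H --header --hostname --input -q --jq -X --method -p --preview -f --raw-field -t --template"
GH_CLONE_VALUED="-u --upstream-remote-name"

# Print positional argument number $2 from the arguments that follow, skipping flags
# and the values of the value-taking flags listed in $1; stop at "--". Skipping flag
# values is what keeps a jq filter such as -q '.contents' from being taken for the
# endpoint, and lets `-u upstream owner/repo DIR` still resolve DIR as positional 2.
shim_positional() {
  local valued want n skip a
  valued=" $1 " want=$2 n=0 skip=0
  shift 2
  for a in "$@"; do
    if [ "$skip" = 1 ]; then skip=0; continue; fi
    case "$a" in
      --)    return 1 ;;                                   # the rest belongs to git
      --*=*) continue ;;                                   # --flag=value carries its value
      -*)    case "$valued" in *" $a "*) skip=1 ;; esac; continue ;;
      *)     n=$((n + 1)); [ "$n" = "$want" ] && { printf '%s' "$a"; return 0; } ;;
    esac
  done
  return 1
}

# Decide on one gh invocation. Prints "allow" or "deny: <reason>"; returns 0 or 2.
shim_decide() {
  local ep target root
  case "$1 $2" in
    "api "*)
      shift
      ep=$(shim_positional "$GH_API_VALUED" 1 "$@") || { echo allow; return 0; }
      ep=${ep%%\?*}   # drop ?ref=... / ?per_page=... before matching
      ep=${ep#/}      # accept leading-slash endpoints (gh api /repos/...)
      case "$ep" in
        repos/*/*/contents|repos/*/*/contents/*)
          echo "deny: gh api $ep reads file contents through the API; clone into $(shim_clone_root)/ instead"
          return 2 ;;
      esac ;;
    "repo clone")
      shift 2
      if [ -z "${CLAUDE_SESSION_ID:-}" ]; then
        echo "deny: CLAUDE_SESSION_ID is unset, so no session-scoped clone directory can be derived"
        return 2
      fi
      root=$(shim_clone_root)
      target=$(shim_positional "$GH_CLONE_VALUED" 2 "$@") || {
        echo "deny: pass an explicit clone directory under $root/"
        return 2
      }
      case "$target" in
        "$root"/*) ;;   # prefix plus slash, so /tmp/gh-clones-IDevil/x does not pass
        *) echo "deny: clone target $target is outside $root/"; return 2 ;;
      esac
      case "/$target/" in
        */../*) echo "deny: clone target $target leaves $root/ via .."; return 2 ;;
      esac ;;
  esac
  echo allow
}

# Hand off to the real gh: the first executable gh on PATH that is not this shim.
shim_exec_real_gh() {
  local self dir real oldifs
  self=$(cd "$(dirname -- "$0")" && pwd -P)
  real=
  oldifs=$IFS; IFS=:
  for dir in $PATH; do
    IFS=$oldifs
    [ -n "$dir" ] && [ "$(cd "$dir" 2>/dev/null && pwd -P)" != "$self" ] && [ -x "$dir/gh" ] || continue
    real=$dir/gh; break
  done
  IFS=$oldifs
  [ -n "$real" ] || { echo "gh shim: no real gh found on PATH" >&2; exit 127; }
  exec "$real" "$@"   # replaces the process; nothing after this line runs
}

# Dispatch only when invoked as `gh` (installed as shims/gh, prepended to PATH).
# Sourcing or running this file under any other name just defines the functions.
case "$(basename -- "$0")" in
  gh)
    verdict=$(shim_decide "$@") || { printf '%s\n' "$verdict" >&2; exit 2; }
    shim_exec_real_gh "$@" ;;
esac
```

Installed as `shims/gh` in a directory prepended to PATH, the file dispatches; sourced from a test file under another name, it only defines the functions, which is how the assertions below exercise it. The prefix check compares strings and does not resolve symlinks, so `TMPDIR` and the clone target must be given in the same form (for example both `/private/tmp/...` or both `/tmp/...`); normalising with `pwd -P` before the comparison is the obvious extension if that matters on a given platform.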
Summary
- `gh` CLI `gh` that blocks `gh api repos/.../contents/` (forces cloning instead)
- `using-gh-cli` skill — eval testing showed ~0-11% recall because Claude's system prompt already covers `gh` usage; the hooks enforce the critical behaviors regardless of skill triggering

Test plan

- `WebFetch` on a `github.com` URL is blocked with a helpful `gh` suggestion
- `curl`/`wget` on GitHub API URLs is blocked with contextual `gh` alternatives
- `gh api repos/.../contents/...` is blocked by the shim with clone suggestion
- `gh repo clone` works normally through the shim
- `bats plugins/gh-cli/hooks/*.bats` for hook and shim tests (130/130 pass)

🤖 Generated with Claude Code