Our review

Sets up per-project GitHub MCP configuration with a fine-grained personal access token for accessing GitHub from Claude Code.

Strengths

Keeps tokens isolated per project, reducing security risks
Automatically adds .mcp.json to .gitignore to prevent token leaks
Guides user through token creation with minimal permissions
Provides both file-based and CLI setup methods

Limitations

Requires manual token creation and insertion by the user
Tokens expire and need periodic renewal
Only works with Claude Code's MCP system

When to use it

Use when you need to access GitHub repositories from Claude Code and want a secure, project-scoped setup.

When not to use it

Not recommended for global GitHub access or for projects that don't require GitHub operations.

Examples

Set up GitHub MCP for current project

Set up GitHub MCP for this project so I can access PRs and issues.

Create .mcp.json for GitHub

I need GitHub access from Claude Code. Please create the .mcp.json file and tell me how to configure it.

Add GitHub MCP via CLI

Add GitHub MCP to this project using the CLI method.

name: github-mcp description: Set up project-level GitHub MCP when GitHub operations (PRs, issues, repo access) are needed and no project GitHub MCP is configured. Automatically triggers when Claude detects GitHub access is required.

GitHub MCP Project Setup

This skill sets up per-project GitHub MCP configuration, keeping your GitHub Personal Access Token (PAT) isolated to specific projects rather than granting global access.

When to Use

Use this skill when:

You need to access GitHub (PRs, issues, repo content) from Claude Code
The project doesn't have GitHub MCP configured yet
You want to avoid using a global GitHub PAT

Security Notice

CRITICAL: Claude must NEVER read files that may contain tokens.

Never read .mcp.json after the user has added their token
Never read .env files or any files that might contain secrets
The user is responsible for adding their token directly to the file

Instructions for Claude

When this skill is invoked:

Step 1: Create .mcp.json with Placeholder

Write this file to the project root (creating or overwriting):

{
  "mcpServers": {
    "github": {
      "type": "http",
      "url": "https://api.githubcopilot.com/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_TOKEN_HERE"
      }
    }
  }
}

Step 2: Update .gitignore

Add .mcp.json to .gitignore if not already present:

# Check and add to .gitignore
grep -q "^\.mcp\.json$" .gitignore 2>/dev/null || echo ".mcp.json" >> .gitignore

Step 3: Guide the User

Tell the user:

Setup complete! Now you need to:

Create a Fine-Grained PAT at: https://github.com/settings/personal-access-tokens/new

Token name: "Claude Code - [project name]"

Expiration: 90 days (or as needed)

Repository access: "Only select repositories" → select just this repo

Permissions:

Contents: Read and write

Issues: Read and write

Pull requests: Read and write

Metadata: Read-only (auto-selected)

Edit .mcp.json in your project root and replace YOUR_TOKEN_HERE with your PAT

Restart Claude Code (MCP only loads on startup)

Verify with: claude mcp list

Alternative: CLI Method

If preferred, the user can run this command directly (replacing with their actual PAT):

claude mcp add-json github '{"type":"http","url":"https://api.githubcopilot.com/mcp","headers":{"Authorization":"Bearer YOUR_PAT_HERE"}}' --scope project

This stores the token directly in the project config.

Security Notes

.mcp.json is automatically added to .gitignore to prevent accidental commits
Fine-grained PATs limit access to specific repositories only
Project-level config means the token only works in this project directory
Tokens can be revoked anytime at https://github.com/settings/tokens
Claude will never read the .mcp.json file after setup to protect your token

GitHub MCP Project-Level Setup

Recommended for