gh delegates to the npm github module for authentication, which sends your username and password as an HTTP header. That feels insecure.

GitHub has personal access tokens for this purpose, which is what github is creating behind-the-scenes. Can we change the prompt to ask for a token, and completely avoid potentially sending real user credentials over-the-wire?