indigoai-us/hq-cowork-cli
core/packages/hq-pack-cowork/skills/hq-cowork-cli/SKILL.md
Use long-tail HQ CLI functionality from Cowork via the host-side guarded `mcp__hq__hq_cli` tool and schema-driven `mcp__hq__hq_run` tool. Covers HQ commands not yet modeled as dedicated MCP tools while blocking browser/session flows and secret-value output.
$ install --global
skillsauthnpx skillsauth add indigoai-us/hq-core hq-cowork-cliInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 3:12 AM133.2s1 file scanned
SKILL.md
- name:
- hq-cowork-cli
- description:
- Use long-tail HQ CLI functionality from Cowork via the host-side guarded `mcp__hq__hq_cli` tool and schema-driven `mcp__hq__hq_run` tool. Covers HQ commands not yet modeled as dedicated MCP tools while blocking browser/session flows and secret-value output.
- allowed-tools:
- mcp__hq__hq_cli, mcp__hq__hq_run, mcp__hq__hq_whoami
/hq-cowork-cli — Long-tail HQ from Cowork
Use this when Cowork needs an HQ capability that does not have a dedicated
hq-cowork-* skill yet.
Prefer dedicated tools first:
- Search:
/hq-cowork-search - Sync:
/hq-cowork-sync - Files/share:
/hq-cowork-files,/hq-cowork-share - Secrets:
/hq-cowork-secrets - Meetings/sources/signals:
/hq-cowork-meetings
mcp__hq__hq_cli
Runs hq <args...> on the host. Pass argv, not a shell string.
{
"args": ["sync", "status"],
"cwd": ".",
"timeoutMs": 60000
}
The tool blocks:
hq login,hq logout,hq onboard- browser/session auth flows other than
hq auth statusandhq auth refresh - secret-value output (
hq secrets env,hq secrets get --reveal) - raw
hq secrets set|execandhq runthrough the escape hatch
Use mcp__hq__hq_run for hq run.
mcp__hq__hq_run
Runs schema-driven commands with HQ secrets injected via .env.schema.
Secret values stay in the child process env; only command output returns.
{
"cwd": "repos/private/example-app",
"company": "indigo",
"schema": ".env.schema",
"cmd": ["npm", "test"],
"timeoutMs": 120000
}
For validation only:
{
"cwd": "repos/private/example-app",
"check": true
}
Rules
- Never ask the user to paste secrets inline.
- Never use the escape hatch for secret-value retrieval.
- Keep
cwdinside the HQ root. The MCP server enforces this. - For destructive or cloud-provisioning commands, explain the concrete effect before calling the tool.
Related Skills
indigoai-us/hq-cowork
tools
VerifiedTrustedCommunity
Discovery + dispatch entry point for native HQ inside Cowork (or any sandboxed Claude Code plugin host). Enumerates every HQ capability available through hq-pack-cowork's host-side MCP server (identity, sync, qmd/search, secrets, vault files, team & membership, packages & modules, meeting intelligence, feedback, schema-backed runs, guarded long-tail CLI) and routes to the right `mcp__hq__*` tool while preserving default HQ behavior through a different transport. Use when the agent needs HQ but `hq`/`qmd` aren't reachable from its bash sandbox and isn't sure which tool to call.
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/hq-cowork-sync
tools
VerifiedTrustedCommunity
Run a full HQ sync (all cloud-backed companies, bidirectional) from a sandboxed Claude Code plugin host (Cowork) by calling the host-side `hq_sync` MCP tool. Same engine as AppBar HQ Sync and the `/hq-sync` skill, but routed through the hq-pack-cowork MCP server so it works even when the `hq` binary and `~/.hq` auth are not reachable from the agent's bash sandbox.
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/hq-cowork-share
tools
VerifiedTrustedCommunity
Share an HQ vault path from a sandboxed Claude Code plugin host (Cowork) by calling the host-side `hq_share` MCP tool. Without `--with`, mints an encrypted single-use share-session URL (default 15-min expiry). With `--with`, grants direct ACL access to a person, group, or `@all`. Same capability as `/hq-share`, routed through hq-pack-cowork's MCP server so it works from a sandboxed agent.
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/core/packages/hq-pack-cowork/skills/hq-cowork-secrets
tools
VerifiedTrustedCommunity
--- name: hq-cowork-secrets description: Use HQ secrets from a sandboxed Claude Code plugin host (Cowork). The host-side MCP server never returns a secret value itself: `mcp__hq__hq_secrets_exec` runs a command on the host with named secrets injected as env vars (only the command's output returns), and refuses to launch a shell or value-printing binary; `mcp__hq__hq_secrets_list` lists secret NAMES/metadata only. These tools run host commands with the user's privileges, so treat them as host-tru
39SKILL.mdUpdated Jun 4, 2026