indigoai-us/core/packages/hq-pack-cowork/skills/hq-cowork-secrets
core/packages/hq-pack-cowork/skills/hq-cowork-secrets/SKILL.md
--- name: hq-cowork-secrets description: Use HQ secrets from a sandboxed Claude Code plugin host (Cowork). The host-side MCP server never returns a secret value itself: `mcp__hq__hq_secrets_exec` runs a command on the host with named secrets injected as env vars (only the command's output returns), and refuses to launch a shell or value-printing binary; `mcp__hq__hq_secrets_list` lists secret NAMES/metadata only. These tools run host commands with the user's privileges, so treat them as host-tru
$ install --global
skillsauthnpx skillsauth add indigoai-us/hq-core core/packages/hq-pack-cowork/skills/hq-cowork-secretsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 3:13 AM134.3s1 file scanned
SKILL.md
- name:
- hq-cowork-secrets
- description:
- Use HQ secrets from a sandboxed Claude Code plugin host (Cowork). The host-side MCP server never returns a secret value itself: `mcp__hq__hq_secrets_exec` runs a command on the host with named secrets injected as env vars (only the command's output returns), and refuses to launch a shell or value-printing binary; `mcp__hq__hq_secrets_list` lists secret NAMES/metadata only. These tools run host commands with the user's privileges, so treat them as host-trusted, not a cryptographic boundary. Same capability as `/hq-secrets`, routed through hq-pack-cowork's host-side MCP server. The value-revealing path is deliberately unavailable.
- allowed-tools:
- mcp__hq__hq_secrets_exec, mcp__hq__hq_secrets_list
/hq-cowork-secrets — Use HQ secrets from a sandboxed agent
Runs commands with HQ secrets injected, and lists secret names, from inside
Cowork — where the hq CLI and ~/.hq vault are unreachable. Routes through
the host-side MCP server. The server never returns a secret value itself,
and the secret-injecting tool refuses to run a shell or value-printing binary
— but these tools run host commands with your privileges, so treat them as
host-trusted, not an airtight boundary.
Args: $ARGUMENTS — list (+ optional company/prefix) or exec (keys +
command). Infer from intent if not explicit.
Two modes
List names — mcp__hq__hq_secrets_list
Shows secret NAMES and path-based nested names. Values are never returned.
{ "company": "<slug>", "personal": false, "prefix": "DEV" }
Omit company to use the active company; set personal: true for the
caller's personal vault; prefix filters by path segment.
Run with secrets — mcp__hq__hq_secrets_exec
Injects named secrets as env vars of the same name into a child process and returns only the command's stdout/stderr.
{
"keys": ["STRIPE_KEY", "DB_URL"],
"cmd": ["./scripts/migrate.sh"],
"company": "<slug>",
"personal": false
}
cmd is argv (argv0 + args), NOT a shell string. The tool REFUSES to launch a
shell or a raw value-printing binary as cmd[0] (sh/bash/zsh, printenv, env,
echo, printf, cat, tee, node/python/perl/ruby, base64, xxd, strings, …) — this
is defense-in-depth so an injected one-liner can't echo an injected secret back
through the tool result. Invoke the actual consumer binary directly (e.g.
vercel, aws, gh, or a deploy script). This is not airtight: a custom
binary you control could still observe a secret it was given, so treat the tool
as host-trusted.
Security rules (hard — from HQ core)
- No value-revealing path exists by design.
hq secrets get --revealis NOT wrapped. Do not attempt to capture a value by echoing the env var. - Cross-company isolation. Pass
companyexplicitly when crossing contexts. If the scoped secret is missing or the command fails on auth, STOP and ask — never retry against a different company's vault. - Never paste secrets inline. Always consume via
hq_secrets_execinjection; never ask the user to paste a value into chat.
When to use this instead of /hq-secrets
Only inside Cowork or another sandboxed plugin host. On a host-side session,
prefer the unprefixed /hq-secrets (or hq run / hq secrets exec).
Why this skill exists
hq secrets exec reads the encrypted vault under ~/.hq with the user's
Cognito session — neither is visible from Cowork's Linux VM. The host-side
MCP server runs the real command on the host and returns only the child's
output. The server never returns a secret value itself, and refuses to run a
shell / value-printing binary — but it runs host commands with your privileges,
so it is host-trusted, not a cryptographic boundary.
Related Skills
indigoai-us/hq-cowork
tools
VerifiedTrustedCommunity
Discovery + dispatch entry point for native HQ inside Cowork (or any sandboxed Claude Code plugin host). Enumerates every HQ capability available through hq-pack-cowork's host-side MCP server (identity, sync, qmd/search, secrets, vault files, team & membership, packages & modules, meeting intelligence, feedback, schema-backed runs, guarded long-tail CLI) and routes to the right `mcp__hq__*` tool while preserving default HQ behavior through a different transport. Use when the agent needs HQ but `hq`/`qmd` aren't reachable from its bash sandbox and isn't sure which tool to call.
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/hq-cowork-sync
tools
VerifiedTrustedCommunity
Run a full HQ sync (all cloud-backed companies, bidirectional) from a sandboxed Claude Code plugin host (Cowork) by calling the host-side `hq_sync` MCP tool. Same engine as AppBar HQ Sync and the `/hq-sync` skill, but routed through the hq-pack-cowork MCP server so it works even when the `hq` binary and `~/.hq` auth are not reachable from the agent's bash sandbox.
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/hq-cowork-share
tools
VerifiedTrustedCommunity
Share an HQ vault path from a sandboxed Claude Code plugin host (Cowork) by calling the host-side `hq_share` MCP tool. Without `--with`, mints an encrypted single-use share-session URL (default 15-min expiry). With `--with`, grants direct ACL access to a person, group, or `@all`. Same capability as `/hq-share`, routed through hq-pack-cowork's MCP server so it works from a sandboxed agent.
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/core/packages/hq-pack-cowork/skills/hq-cowork-search
tools
VerifiedTrustedCommunity
--- name: hq-cowork-search description: Hybrid full-text + semantic search across HQ content (policies, skills, knowledge, workers, projects, per-company collections) from a sandboxed Claude Code plugin host (Cowork). Calls the host-side `hq_search` MCP tool, which wraps `qmd query` (hybrid: expansion + RRF + rerank — the recommended search mode). Use when the agent needs to find HQ content but `qmd` isn't reachable from its bash sandbox. allowed-tools: mcp__hq__hq_search --- # /hq-cowork-searc
39SKILL.mdUpdated Jun 4, 2026