indigoai-us/hq-cowork-share
core/packages/hq-pack-cowork/skills/hq-cowork-share/SKILL.md
Share an HQ vault path from a sandboxed Claude Code plugin host (Cowork) by calling the host-side `hq_share` MCP tool. Without `--with`, mints an encrypted single-use share-session URL (default 15-min expiry). With `--with`, grants direct ACL access to a person, group, or `@all`. Same capability as `/hq-share`, routed through hq-pack-cowork's MCP server so it works from a sandboxed agent.
$ install --global
skillsauthnpx skillsauth add indigoai-us/hq-core hq-cowork-shareInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 3:13 AM122.1s1 file scanned
SKILL.md
- name:
- hq-cowork-share
- description:
- Share an HQ vault path from a sandboxed Claude Code plugin host (Cowork) by calling the host-side `hq_share` MCP tool. Without `--with`, mints an encrypted single-use share-session URL (default 15-min expiry). With `--with`, grants direct ACL access to a person, group, or `@all`. Same capability as `/hq-share`, routed through hq-pack-cowork's MCP server so it works from a sandboxed agent.
- allowed-tools:
- mcp__hq__hq_share
/hq-cowork-share — Share an HQ vault path from a sandboxed agent
Mints share-session URLs and grants ACLs on HQ vault paths from inside
Cowork (or any sandboxed Claude Code plugin host). Equivalent to the
unprefixed /hq-share skill, but routed through the host-side MCP server
because the sandboxed agent cannot run the hq CLI directly.
Args: $ARGUMENTS — required path + optional flags.
| Arg | Meaning |
|---|---|
| <path> (positional) | Vault path or prefix to share (e.g. companies/foo/knowledge/x.md). Required. |
| --with <principal> | Email, group id, or @all. Omit to mint a share-session URL instead. |
| --permission read\|write | Permission level (only meaningful with --with). |
| --expires 15m\|1h\|24h | Token expiry for share-session URL (default 15m, max 24h). |
When to use this instead of /hq-share
- You're in Cowork or another sandboxed plugin host — the regular
/hq-shareskill shells out tohq files shareon the host, which isn't reachable from the sandbox. - You want the MCP tool-call surface — observable in the host's tool log.
On a normal host-side Claude Code session, prefer the unprefixed /hq-share.
What you do
Step 1 — Parse args
Extract the positional <path> and any optional flags. Without a path,
ask the user which vault prefix to share.
Step 2 — Call the tool
Call mcp__hq__hq_share with:
{
"path": "<path>",
"with": "<principal>", // omit if not set
"permission": "read|write", // omit if not set
"expires": "15m|1h|24h" // omit to use default 15m
}
Step 3 — Surface output
The minting turn is the ONE surface where the unredacted share-session URL is permitted in chat. Print it as a clickable markdown link so the user can copy it.
Hard rule (carried over from core/policies/hq-share-session-urls-are-capabilities.md):
After this turn, NEVER paste the URL back into later turns, summaries,
journals, handoffs, commits, PRs, Slack/email, or any persisted context.
Refer to it as https://hq.{co}.com/share-session/<TOKEN_REDACTED> from
then on. The token IS a capability — anyone who holds it can use the share.
If --with was used (direct grant, not URL), there's no token to print —
just confirm the grant landed and surface any error from the tool.
Why this skill exists
hq files share runs on the host with the user's Cognito session and the
local sync index — neither of which is visible from inside Cowork's Linux
VM. The host-side MCP server in hq-pack-cowork runs the real hq files share, then returns its output back to the sandboxed agent. This skill is
the in-session adapter.
Related Skills
indigoai-us/hq-cowork
tools
VerifiedTrustedCommunity
Discovery + dispatch entry point for native HQ inside Cowork (or any sandboxed Claude Code plugin host). Enumerates every HQ capability available through hq-pack-cowork's host-side MCP server (identity, sync, qmd/search, secrets, vault files, team & membership, packages & modules, meeting intelligence, feedback, schema-backed runs, guarded long-tail CLI) and routes to the right `mcp__hq__*` tool while preserving default HQ behavior through a different transport. Use when the agent needs HQ but `hq`/`qmd` aren't reachable from its bash sandbox and isn't sure which tool to call.
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/hq-cowork-sync
tools
VerifiedTrustedCommunity
Run a full HQ sync (all cloud-backed companies, bidirectional) from a sandboxed Claude Code plugin host (Cowork) by calling the host-side `hq_sync` MCP tool. Same engine as AppBar HQ Sync and the `/hq-sync` skill, but routed through the hq-pack-cowork MCP server so it works even when the `hq` binary and `~/.hq` auth are not reachable from the agent's bash sandbox.
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/core/packages/hq-pack-cowork/skills/hq-cowork-secrets
tools
VerifiedTrustedCommunity
--- name: hq-cowork-secrets description: Use HQ secrets from a sandboxed Claude Code plugin host (Cowork). The host-side MCP server never returns a secret value itself: `mcp__hq__hq_secrets_exec` runs a command on the host with named secrets injected as env vars (only the command's output returns), and refuses to launch a shell or value-printing binary; `mcp__hq__hq_secrets_list` lists secret NAMES/metadata only. These tools run host commands with the user's privileges, so treat them as host-tru
39SKILL.mdUpdated Jun 4, 2026
indigoai-us/core/packages/hq-pack-cowork/skills/hq-cowork-search
tools
VerifiedTrustedCommunity
--- name: hq-cowork-search description: Hybrid full-text + semantic search across HQ content (policies, skills, knowledge, workers, projects, per-company collections) from a sandboxed Claude Code plugin host (Cowork). Calls the host-side `hq_search` MCP tool, which wraps `qmd query` (hybrid: expansion + RRF + rerank — the recommended search mode). Use when the agent needs to find HQ content but `qmd` isn't reachable from its bash sandbox. allowed-tools: mcp__hq__hq_search --- # /hq-cowork-searc
39SKILL.mdUpdated Jun 4, 2026