qwibitai/onecli-gateway
container/skills/onecli-gateway/SKILL.md
OneCLI Gateway: transparent HTTPS proxy that injects stored credentials into outbound calls. You MUST use this skill when the user asks you to read emails, check calendar, access GitHub repos, create issues, check Stripe payments, or interact with ANY external service or API. Do NOT use browser extensions or OAuth CLI tools. Make HTTP requests directly; the gateway injects credentials automatically.
$ install --global
skillsauthnpx skillsauth add qwibitai/nanoclaw onecli-gatewayInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 11, 2026, 4:44 AM121.8s2 files scanned
SKILL.md
- name:
- onecli-gateway
- description:
- >-
- OneCLI Gateway:
- transparent HTTPS proxy that injects stored credentials
- compatibility:
- Requires HTTPS_PROXY set in environment (automatic when launched via `onecli run`)
- author:
- onecli
- version:
- 0.5.0
OneCLI Gateway
Your outbound HTTPS traffic is transparently proxied through the OneCLI gateway, which injects stored credentials at the proxy boundary. You never see or handle credential values directly.
How to Access External Services
You have direct HTTP access to external APIs. OAuth apps (Gmail, GitHub, Google Calendar, Google Drive, etc.) and API key services are all available through the gateway. Just make the request directly; the gateway injects credentials if the app is connected. If not, it returns an error with a connect URL you can present to the user.
Making Requests
Call the real API URL. The gateway intercepts the request and injects credentials automatically.
curl -s "https://gmail.googleapis.com/gmail/v1/users/me/messages?maxResults=5"
curl -s "https://api.github.com/user/repos?per_page=10"
curl -s "https://api.stripe.com/v1/charges?limit=5"
Standard HTTP clients (curl, fetch, requests, axios, Go net/http, git) all
honor the HTTPS_PROXY environment variable automatically. You do not need
to set any auth headers.
Credential Stubs for MCP Servers
Some MCP servers need local credential files to start. Stubs for connected
apps are pre-written automatically. Files containing "onecli-managed"
values are managed by OneCLI — do NOT modify or delete them.
If an MCP server won't start due to missing credentials, create stubs
before starting it. Use "onecli-managed" as the placeholder for all
secret values, with file permissions 0600. See the guide at:
https://www.onecli.sh/docs/guides/credential-stubs/general-app
When a Request Fails
If you get a 401, 403, or a gateway error (e.g., app_not_connected):
Step 1 — Show the user a connect link. Use the connect_url from the
error response:
To connect [service], open this link: [connect_url from the error response]
If there is no connect_url in the error, tell the user to open the
OneCLI dashboard and connect the service there.
Step 2 — Retry after the user connects. Let the user know you will retry once they have connected. When they confirm, retry the original request. If the retry still fails, ask if they need help with the setup.
Rules
- Never say "I don't have access to X" without first making the HTTP request through the proxy.
- Never use browser extensions, gcloud, or manual auth flows. The gateway handles credentials for you.
- Never ask the user for API keys or tokens directly. Direct them to connect the service in the OneCLI dashboard.
- Never suggest the user open Gmail/Calendar/GitHub in their browser when they ask you to read or interact with those services. You have API access. Use it.
- If the gateway returns a policy error (403 with a JSON body), respect the block. Do not retry or circumvent it.
Related Skills
qwibitai/whatsapp-formatting
development
VerifiedTrustedCommunity
Format messages for WhatsApp, including mentions that render as real WhatsApp tags. Use when responding in a WhatsApp conversation (platform_id / chatJid ends with @s.whatsapp.net or @g.us).
29,288SKILL.mdUpdated May 23, 2026
qwibitai/welcome
tools
VerifiedTrustedCommunity
Introduce yourself to a newly connected channel. Triggered automatically when a channel is first wired. Send a friendly greeting and brief overview of what you can do.
28,865SKILL.mdUpdated Apr 23, 2026
qwibitai/vercel-cli
tools
VerifiedTrustedCommunity
Deploy apps to Vercel. Use when asked to deploy, ship, or publish a web application, or manage Vercel projects, domains, and environment variables.
27,688SKILL.mdUpdated Apr 23, 2026
qwibitai/self-customize
tools
VerifiedTrustedCommunity
Customize your own agent — add capabilities, install packages, add MCP servers, edit code or CLAUDE.md. Use when the user asks you to add a feature, install a tool, or modify how you work. For non-trivial code changes, delegate to a builder agent via create_agent.
27,688SKILL.mdUpdated Apr 23, 2026