← Back to Skills Marketplace
ericsantos

Confidant

by Eric Santos · GitHub ↗ · v1.5.3
cross-platform ⚠ suspicious
2422
Downloads
1
Stars
5
Active Installs
11
Versions
Install in OpenClaw
/install confidant
Description
Secure secret handoff and credential setup wizard for AI agents. Use when you need sensitive information from the user (API keys, passwords, tokens) or need...
README (SKILL.md)

Confidant

Receive secrets from humans securely — no chat exposure, no copy-paste, no history leaks.

🚨 CRITICAL FLOW — Read This First

This is a human-in-the-loop process. You CANNOT retrieve the secret yourself.

  1. Run the script → you get a secure URL
  2. SEND the URL to the user in chat ← THIS IS MANDATORY
  3. WAIT for the user to open the URL in their browser and submit the secret
  4. The script handles the rest (receives, saves to disk, confirms)
❌ DO NOT curl/fetch the secret URL yourself — it's a web form for humans
❌ DO NOT skip sharing the URL — the user MUST receive it in chat
❌ DO NOT poll the API to check if the secret arrived — the script does this
❌ DO NOT proceed without confirming the secret was received
✅ Share URL → Wait → Confirm success → Use the secret silently

🔧 Setup (once per environment)

Run this once to install the CLI globally (avoids slow npx calls):

bash {skill}/scripts/setup.sh

{skill} is the absolute path to the directory containing this SKILL.md file. Agents can resolve it at runtime:

SKILL_DIR=$(find "$HOME" -name "SKILL.md" -path "*/confidant/skill*" -exec dirname {} \; 2>/dev/null | head -1)
# Then use: bash "$SKILL_DIR/scripts/setup.sh"

⚡ Quick Start

You need an API key from the user? One command:

bash {skill}/scripts/request-secret.sh --label "OpenAI API Key" --service openai

The script handles everything:

  • ✅ Starts server if not running (or reuses existing one)
  • ✅ Creates a secure request with web form
  • ✅ Detects existing tunnels (ngrok or localtunnel)
  • ✅ Returns the URL to share with the user
  • ✅ Polls until the secret is submitted
  • ✅ Saves to ~/.config/openai/api_key (chmod 600) and exits

If the user is remote (not on the same network), add --tunnel:

bash {skill}/scripts/request-secret.sh --label "OpenAI API Key" --service openai --tunnel

This starts a localtunnel automatically (no account needed) and returns a public URL.

Output example:

🔐 Secure link created!

URL: https://gentle-pig-42.loca.lt/requests/abc123
  (tunnel: localtunnel | local: http://localhost:3000/requests/abc123)
Save to: ~/.config/openai/api_key

Share the URL above with the user. Secret expires after submission or 24h.

Share the URL → user opens it → submits the secret → script saves to disk → done.

Without --service or --save, the script still polls and prints the secret to stdout (useful for piping or manual inspection).

Scripts

request-secret.sh — Request, receive, and save a secret (recommended)

# Save to ~/.config/\x3Cservice>/api_key (convention)
bash {skill}/scripts/request-secret.sh --label "SerpAPI Key" --service serpapi

# Save to explicit path
bash {skill}/scripts/request-secret.sh --label "Token" --save ~/.credentials/token.txt

# Save + set env var
bash {skill}/scripts/request-secret.sh --label "API Key" --service openai --env OPENAI_API_KEY

# Just receive (no auto-save)
bash {skill}/scripts/request-secret.sh --label "Password"

# Remote user — start tunnel automatically
bash {skill}/scripts/request-secret.sh --label "Key" --service myapp --tunnel

# JSON output (for automation)
bash {skill}/scripts/request-secret.sh --label "Key" --service myapp --json
Flag Description
--label \x3Ctext> Description shown on the web form (required)
--service \x3Cname> Auto-save to ~/.config/\x3Cname>/api_key
--save \x3Cpath> Auto-save to explicit file path
--env \x3Cvarname> Set env var (requires --service or --save)
--tunnel Start localtunnel if no tunnel detected (for remote users)
--port \x3Cnumber> Server port (default: 3000)
--timeout \x3Csecs> Max wait for startup (default: 30)
--json Output JSON instead of human-readable text

check-server.sh — Server diagnostics (no side effects)

bash {skill}/scripts/check-server.sh
bash {skill}/scripts/check-server.sh --json

Reports server status, port, PID, and tunnel state (ngrok or localtunnel).

⏱ Long-Running Process — Use tmux

The request-secret.sh script blocks until the secret is submitted (it polls continuously). Most agent runtimes (including OpenClaw's exec tool) impose execution timeouts that will kill the process before the user has time to submit.

Always run Confidant inside a tmux session:

# 1. Start server in tmux
tmux new-session -d -s confidant
tmux send-keys -t confidant "confidant serve --port 3000" Enter

# 2. Create request in a second tmux window
tmux new-window -t confidant -n request
tmux send-keys -t confidant:request "confidant request --label 'API Key' --service openai" Enter

# 3. Share the URL with the user (read from tmux output)
tmux capture-pane -p -t confidant:request -S -30

# 4. After user submits, check the result
tmux capture-pane -p -t confidant:request -S -10

Why not exec? Agent runtimes typically kill processes after 30-60s. Since the script waits for human input (which can take minutes), it gets SIGKILL before completion. tmux keeps the process alive independently.

If your agent platform supports long-running background processes without timeouts, exec with request-secret.sh works fine. But when in doubt, use tmux.

Rules for Agents

  1. NEVER ask users to paste secrets in chat — always use this skill
  2. NEVER reveal received secrets in chat — not even partially
  3. NEVER curl the Confidant API directly — use the scripts
  4. NEVER kill an existing server to start a new one
  5. NEVER try to expose the port directly (public IP, firewall rules, etc.) — use --tunnel instead
  6. ALWAYS share the URL with the user in chat — this is the entire point of the tool
  7. ALWAYS wait for the script to finish — it polls automatically and saves/outputs the secret; do not try to retrieve it yourself
  8. Use --tunnel when the user is remote (not on the same machine/network)
  9. Prefer --service for API keys — cleanest convention
  10. After receiving: confirm success, use the secret silently

Exit Codes (Scripts)

Agents can branch on exit codes for programmatic error handling:

Code Constant Meaning
0 Success — secret received (saved to disk or printed to stdout)
1 MISSING_LABEL --label flag not provided
2 MISSING_DEPENDENCY curl, jq, npm, or confidant not installed
3 SERVER_TIMEOUT / SERVER_CRASH Server failed to start or died during startup
4 REQUEST_FAILED API returned empty URL — request not created
≠0 (from CLI) confidant request --poll failed (expired, not found, etc.)

With --json, all errors include a "code" field for programmatic branching:

{ "error": "...", "code": "MISSING_DEPENDENCY", "hint": "..." }

Example Agent Conversation

This is what the interaction should look like:

User: Can you set up my OpenAI key?
Agent: I'll create a secure link for you to submit your API key safely.
       [runs: request-secret.sh --label "OpenAI API Key" --service openai --tunnel]
Agent: Here's your secure link — open it in your browser and paste your key:
       🔐 https://gentle-pig-42.loca.lt/requests/abc123
       The link expires after you submit or after 24h.
User: Done, I submitted it.
Agent: ✅ Received and saved to ~/.config/openai/api_key. You're all set!

⚠️ Notice: the agent SENDS the URL and WAITS. It does NOT try to access the URL itself.

How It Works

  1. Script starts a Confidant server (or reuses existing one on port 3000)
  2. Creates a request via the API with a unique ID and secure web form
  3. Optionally starts a localtunnel for public access (or detects existing ngrok/localtunnel)
  4. Prints the URL — agent shares it with the user in chat
  5. Delegates polling to confidant request --poll which blocks until the secret is submitted
  6. With --service or --save: secret is saved to disk (chmod 600), then destroyed on server
  7. Without --service/--save: secret is printed to stdout, then destroyed on server

Tunnel Options

Provider Account needed How
localtunnel (default) No --tunnel flag or npx localtunnel --port 3000
ngrok Yes (free tier) Auto-detected if running on same port

The script auto-detects both. If neither is running and --tunnel is passed, it starts localtunnel.

Advanced: Direct CLI Usage

For edge cases not covered by the scripts:

# Start server only
confidant serve --port 3000 &

# Start server + create request + poll (single command)
confidant serve-request --label "Key" --service myapp

# Create request on running server
confidant request --label "Key" --service myapp

# Submit a secret (agent-to-agent)
confidant fill "\x3Curl>" --secret "\x3Cvalue>"

# Check status of a specific request
confidant get-request \x3Cid>

# Retrieve a delivered secret (by secret ID, not request ID)
confidant get \x3Csecret-id>

If confidant is not installed globally, run bash {skill}/scripts/setup.sh first, or prefix with npx @aiconnect/confidant.

⚠️ Only use direct CLI if the scripts don't cover your case.

Usage Guidance
This skill appears to implement what it claims, but exercise caution before installing or running it: - The scripts delegate the real server/secret-storage logic to an external npm package (@aiconnect/confidant) which will be downloaded/installed by npx or npm. Inspect that package's source (npm page and linked GitHub repo) before running any install commands. - setup.sh performs global npm installs. Prefer running tools in an isolated environment (container, VM) or avoid global install; consider using npx without --yes or auditing the package first. - The tool can start a public tunnel (localtunnel/ngrok). If you use --tunnel you expose a local server to the internet — only do this when you fully trust the code and the environment, and avoid sending high-value secrets over an unfamiliar tunnel provider. - SKILL.md instructs you to paste the generated URL into chat so the human can submit secrets. Remember chat logs and platform telemetry may retain that URL; treat it as sensitive and be aware of audit/logging implications. - The metadata omits several binaries the scripts call (lsof, fuser, pgrep, tmux, lt). Ensure required utilities are present before use, and audit the scripts for unexpected behavior. If you want to proceed safely: review the @aiconnect/confidant package source and npm version 1.5.3, run the tooling in an isolated sandbox, avoid global installs, and avoid using --tunnel unless necessary.
Capability Analysis
Type: OpenClaw Skill Name: confidant Version: 1.5.3 This skill is classified as suspicious due to several high-risk capabilities and potential vulnerabilities, despite its stated purpose of secure secret handling. Key indicators include the use of `npm install -g` and `npx --yes` for external packages (`@aiconnect/confidant`, `localtunnel`) in `scripts/setup.sh` and `scripts/request-secret.sh`, posing a supply chain risk. The `--tunnel` option in `scripts/request-secret.sh` exposes a local service to the public internet via `localtunnel`, significantly increasing the attack surface. Furthermore, the `--save <path>` and `--env <varname>` options in `scripts/request-secret.sh` allow writing secrets to arbitrary file paths or setting arbitrary environment variables, which could be exploited via prompt injection against the agent to write to sensitive locations or overwrite critical environment variables, even though these are presented as features.
Capability Assessment
Purpose & Capability
The name/description (secure secret handoff) aligns with what the scripts do (create a temporary web form, poll for submission, save secrets). However the skill delegates core behavior to an external CLI package (@aiconnect/confidant) that is not included in the repo; that external dependency is necessary but not shipped, so the skill's claimed capability depends on third-party code.
Instruction Scope
SKILL.md explicitly instructs agents to produce and share a human-facing URL and to run long-lived processes (tmux, server, polling). That scope is appropriate for the stated goal, but it requires the agent/human to share the URL in chat (which can create leakage if chat logs are stored) and to run long-running processes outside normal agent timeouts. The scripts themselves do not read unrelated secrets, but they rely on an external CLI to perform the actual polling and saving — that external CLI's behavior is not visible here.
Install Mechanism
There is no packaged install spec in the registry, but the scripts use npx --yes and setup.sh uses npm install -g to fetch @aiconnect/confidant and localtunnel from the public npm registry. This performs network downloads and global installs on the host (writes system-wide npm packages). The skill's own files do not include the server/CLI implementation, so runtime behavior depends on code downloaded from npm — increasing trust requirements.
Credentials
The registry metadata declares only curl, jq, and npm as required binaries, but the scripts also invoke utilities like lsof, fuser, pgrep, tmux, and optionally the lt binary — these are not listed. The skill does not request arbitrary environment credentials itself, but it will save received secrets to disk (e.g., ~/.config/<service>/api_key) or set env vars if asked. That storage behavior is central to the skill but is ultimately implemented by the external CLI.
Persistence & Privilege
The skill does not request always: true and is user-invocable. setup.sh installs npm packages globally (system-wide), which requires privileges and modifies the host environment. The skill starts background servers and can start a public tunnel (localtunnel), exposing a local port to the internet — expected for its function but higher-privilege and higher-risk than a pure in-memory helper.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install confidant
  3. After installation, invoke the skill by name or use /confidant
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.5.3
Add tmux guidance for long-running polling process — prevents SIGKILL from agent exec timeouts
v1.5.2
Fix metadata key to openclaw, add homepage and frontmatter tags (user-invocable, disable-model-invocation)
v1.5.1
Script now polls and saves secrets automatically, updated exit codes, improved flow documentation
v1.5.0
Sync with develop: critical flow guardrails, exit codes table, setup script, JSON error output, dependency checks, cleanup traps, updated CLI commands
v1.4.0
**Critical update: Enforces correct secret handoff workflow for all users and agents.** - Added clear, mandatory human-in-the-loop instructions: agents must send the generated URL to the user and wait for submission. - Clarified that agents must never access or poll secret URLs themselves. - Added an explicit "Example Agent Conversation" to show proper user/agent flow. - Updated agent rules: always share the link, never fetch secrets programmatically, and wait for user. - Improved documentation for handling remote/automatic tunnel scenarios. - Emphasized best practices and common mistakes to ensure safe, compliant secret transfer.
v1.3.1
Add agent rule: never try to expose ports directly (public IP, firewall) — use --tunnel instead
v1.3.0
Add helper scripts (request-secret.sh, check-server.sh) for better agent UX. Rewrite SKILL.md with script-first approach, optional localtunnel support (no account needed), and clear agent rules.
v1.2.0
Add --save, --service, --env flags to serve-request command for credential auto-save
v1.1.1
- Fixed skill name capitalization in documentation (now "Confidant" instead of "confidant"). - No changes to functionality or usage instructions.
v1.1.0
Add Agent-to-User and Agent-to-Agent flows
v1.0.0
Initial release - Secure secret handoff from human to AI
Metadata
Slug confidant
Version 1.5.3
License
All-time Installs 5
Active Installs 5
Total Versions 11
Frequently Asked Questions

What is Confidant?

Secure secret handoff and credential setup wizard for AI agents. Use when you need sensitive information from the user (API keys, passwords, tokens) or need... It is an AI Agent Skill for Claude Code / OpenClaw, with 2422 downloads so far.

How do I install Confidant?

Run "/install confidant" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Confidant free?

Yes, Confidant is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Confidant support?

Confidant is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Confidant?

It is built and maintained by Eric Santos (@ericsantos); the current version is v1.5.3.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments