Side Peace

Minimal secure secret handoff. Zero external deps. Human opens browser form, submits secret, agent receives it via temp file. Secret NEVER appears in stdout/logs.

This skill is small and auditable and does what it says, but take precautions before running: (1) Prefer binding to localhost (change server.listen to '127.0.0.1' or run behind SSH port-forward) if the human and agent are on the same machine or you don't trust the LAN. (2) Do not pass secrets as plain command-line arguments (they can appear in process lists); use stdin or environment variables handled carefully. The provided one-liner using xargs will place the secret into a command argument briefly — avoid that if you care about process-list leakage. (3) Transport is plain HTTP — avoid using this on untrusted networks (MITM risk). (4) Ensure the temp file is removed promptly and the host firewall prevents unwanted access. If you need stricter guarantees, prefer a link that uses authenticated HTTPS or an out-of-band channel you control. If you want me to, I can suggest a safer invocation pattern (localhost-only or SSH tunneling) or modify the script to bind only to 127.0.0.1 and accept a token-based one-time path.

Type: OpenClaw Skill Name: side-peace Version: 1.1.1 This skill is designed for a secure, minimal secret handoff from a human to an AI agent. The `drop.js` script creates a temporary local HTTP server to receive a secret, which is then written to a temporary file with strict 0o600 permissions and never printed to stdout. The server exits after receiving the secret, ensuring it's a one-time operation. The `SKILL.md` instructions are clear, transparent, and do not contain any prompt injection attempts or directives for malicious actions. All code uses Node.js built-ins, eliminating supply chain risks. No evidence of data exfiltration, malicious execution, persistence, or obfuscation was found.