This skill should be used when the user asks to "receive a secret", "get a shared secret", "download encrypted file", "fetch secret from link", "retrieve secret URL", "save this secret", "grab this secret", "get this file from URL", "download from trycloudflare", "get credentials from URL", "receive encrypted", "save secret to file", "fetch from this link", or provides a send-secret URL (URLs containing trycloudflare.com/s/ and
From send-secretnpx claudepluginhub b-open-io/claude-plugins --plugin send-secretThis skill is limited to using the following tools:
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Implements structured self-debugging workflow for AI agent failures: capture errors, diagnose patterns like loops or context overflow, apply contained recoveries, and generate introspection reports.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Receive P2P encrypted secrets from send-secret links. Secrets are decrypted and saved directly to files, keeping sensitive content out of the agent's context.
Critical constraint: The agent must NEVER display or read received secret content.
| Action | Safe | Reason |
|---|---|---|
send-secret -r "url" -o ./file.txt | Yes | Saves to file, agent sees only path |
send-secret -r "url" | NO | Text secrets display in terminal |
Read on saved file | NO | Would load secret into context |
cat saved file | NO | Would display secret to agent |
Key insight: Without -o, text secrets display in terminal. The -o flag requires a specific filename, not a directory path.
send-secret URLs have this pattern:
https://<random>.trycloudflare.com/s/<id>#key=<64-hex-chars>
Example:
https://abc-xyz-123.trycloudflare.com/s/k7m2p#key=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
The #key=... fragment is essential - it contains the 256-bit decryption key.
# Save to specific file (REQUIRED - must be a filename, not directory)
npx send-secret -r "<url>" -o ./received-secret.txt
# Save with descriptive filename
npx send-secret -r "<url>" -o ./credentials.json
# Save to subdirectory (create dir first, then specify full path)
mkdir -p ./secrets && npx send-secret -r "<url>" -o ./secrets/received.txt
# Alternative syntax
npx send-secret receive "<url>" -o ./secret.txt
Important: The -o flag requires a specific filename. Using a directory path like -o ./ or -o ./secrets/ will fail with "EISDIR: illegal operation on a directory".
Always quote the URL - it contains special characters (#, =).
./received-secret.txtmkdir -p ./secrets/-o <filename> (must be a file path, not directory)Successful receive shows:
◐ Fetching secret...
✔ Secret retrieved
✔ File saved. View with:
cat "/Users/you/project/credentials.json"
Extract the file path from the output. Report this path to the user. Never execute the suggested cat command.
For text secrets (no filename):
◐ Fetching secret...
✔ Secret retrieved
✔ Saved to ./received-secret.txt
| Secret Type | Without -o | With -o |
|---|---|---|
| File | Saves to ~/.send-secret/received/ with timestamp | Saves to specified path |
| Text | Displays in terminal (UNSAFE) | Saves to specified file |
Always use -o to maintain control and prevent accidental exposure.
| Error | Cause | Resolution |
|---|---|---|
| "EISDIR: illegal operation on a directory" | -o path is a directory, not file | Use specific filename like -o ./secret.txt |
| "This secret has already been viewed" | Single-use link consumed | Request new link from sender |
| "Failed to fetch: 530" | Sender closed terminal/tunnel expired | Ask sender to reshare |
| "Missing decryption key in URL" | URL truncated, missing #key= | Get complete URL |
| "Invalid decryption key format" | Key corrupted or incomplete | Verify full 64 hex chars |
| Connection refused/timeout | Sender closed terminal | Ask sender to reshare |
| "Failed to fetch: 404" | Invalid secret ID | Verify URL is correct |
User: "Can you get this secret? https://abc.trycloudflare.com/s/xyz#key=abc123..."
npx send-secret -r "https://abc.trycloudflare.com/s/xyz#key=abc123..." -o ./received-secret.txt
Response: "Secret received and saved to ./received-secret.txt"
User: "Download this to credentials.json: [url]"
npx send-secret -r "[url]" -o ./credentials.json
Response: "Secret received and saved to ./credentials.json"
User: "Download this to my secrets folder: [url]"
mkdir -p ./secrets && npx send-secret -r "[url]" -o ./secrets/received.txt
Response: "Secret received and saved to ./secrets/received.txt"
# NEVER use a directory path with -o (causes EISDIR error)
npx send-secret -r "url" -o ./ # WRONG: ./ is a directory
npx send-secret -r "url" -o ./secrets/ # WRONG: ./secrets/ is a directory
# NEVER omit -o for text secrets
npx send-secret -r "url" # WRONG: may display in terminal
# NEVER read the saved file
cat ./received-secret.json # WRONG: exposes content
Read ./received-secret.json # WRONG: loads into context
# NEVER store URL in variable then expand
url="https://..." && npx send-secret -r $url # May break on special chars
# NEVER commit received secret files to git
git add ./received-secret.txt # WRONG: exposes secret in repo history
git add . # WRONG: may include secret files
Do not commit secret files. After receiving, remind the user:
.gitignore if it should stay in the projectgit add . which may accidentally include secrets