Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From sandbox-auth
ALWAYS use this FIRST — before calling ANY external service that does not have a dedicated skill — to authenticate the sandbox. Trigger this before the first request to a third-party API (Slack, Salesforce, OpenAI, Stripe, an internal service, etc.). The sandbox blocks unauthenticated egress, so calls will fail until this runs. Provide the service's probe URL (an endpoint that returns 2xx when authenticated). For GitHub use sandbox-auth:github, for Azure DevOps use sandbox-auth:azure-devops, and for Microsoft Graph use sandbox-auth:microsoft-graph. Do NOT call the target API until this reports SUCCESS.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sandbox-auth:connect <probe URL, e.g. "https://api.github.com/user"><probe URL, e.g. "https://api.github.com/user">bashThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Set up authentication for an external service through the sandbox egress proxy. This is a
Set up authentication for an external service through the sandbox egress proxy. This is a prerequisite — the sandbox cannot reach a protected API until the proxy has acquired and cached a token on the user's behalf.
This skill is a thin wrapper. It only picks the probe URL and reports the result. All
handshake mechanics — the wire contract, polling through auth_pending, the human-in-the-loop
login relay, token injection, and exit-code handling — live in the sandbox-auth:egress-auth
skill. Do not reimplement them here.
Get the probe URL from $ARGUMENTS. It must be an HTTPS endpoint on the target service
that returns 2xx when authenticated. If missing or not HTTPS, ask the user for one.
Good probes:
https://api.github.com/userhttps://slack.com/api/auth.testhttps://login.salesforce.com/services/oauth2/userinfohttps://api.openai.com/v1/modelsGET.Tell the user you're setting up auth for the target host and that a browser/device-code login may be required, which you'll relay and wait for.
Invoke sandbox-auth:egress-auth — follow its "set up auth for a probe URL" procedure
with PROBE_URL = $ARGUMENTS. That skill runs the probe engine
(${CLAUDE_PLUGIN_ROOT}/scripts/sandbox-auth-fetch.py), polls internally, and relays any
[HITL_REQUIRED] login prompt. Do not write your own retry loop.
Report the SUCCESS / FAILED / TIMEOUT verdict exactly as the egress-auth exit-code table
defines. On SUCCESS, the user may make API calls to the host; the token is cached for the session.
sandbox-auth:egress-auth)egressPolicy.services rather than retrying.npx claudepluginhub gautam-achieveai/claudeplugins --plugin sandbox-authCreates bite-sized, testable implementation plans from specs or requirements, with file structure and task decomposition. Activates before coding multi-step tasks.