From nanoclaw-skills
Replaces OneCLI gateway with NanoClaw's built-in credential proxy for .env-based API key and OAuth token management in container requests without external installs.
npx claudepluginhub nanocoai/nanoclaw-skills --plugin nanoclaw-skillsThis skill uses the workspace's default tool permissions.
This skill replaces the OneCLI gateway with NanoClaw's built-in credential proxy. Containers get credentials injected via a local HTTP proxy that reads from `.env` — no external services needed.
Installs OneCLI CLI and Agent Vault gateway, configures it, and migrates .env credentials. Run after /update-nanoclaw or for first-time OneCLI setup.
Automates ClaudeClaw setup: installs dependencies, authenticates messaging channels, registers main channel, starts background services. Triggers on setup, install, configure claudeclaw, or first-time requests.
Sets up and launches a Docker devcontainer running Claude Code with --dangerously-skip-permissions for autonomous sandboxed coding without prompts. Triggers on 'yolo' or 'autonomous mode'.
Share bugs, ideas, or general feedback.
This skill replaces the OneCLI gateway with NanoClaw's built-in credential proxy. Containers get credentials injected via a local HTTP proxy that reads from .env — no external services needed.
Check if src/credential-proxy.ts is imported in src/index.ts:
grep "credential-proxy" src/index.ts
If it shows an import for startCredentialProxy, the native proxy is already active. Skip to Phase 3 (Setup).
grep "@onecli-sh/sdk" package.json
If @onecli-sh/sdk appears, OneCLI is the active credential provider. Proceed with Phase 2 to replace it.
If neither check matches, you may be on an older version. Run /update-nanoclaw first, then retry.
git remote -v
If upstream is missing, add it:
git remote add upstream https://github.com/qwibitai/nanoclaw.git
git fetch upstream skill/native-credential-proxy
git merge upstream/skill/native-credential-proxy || {
git checkout --theirs package-lock.json
git add package-lock.json
git merge --continue
}
This merges in:
src/credential-proxy.ts and src/credential-proxy.test.ts (the proxy implementation)src/index.ts, src/container-runner.ts, src/container-runtime.ts, src/config.ts@onecli-sh/sdk dependencyCREDENTIAL_PROXY_PORT config (default 3001).env-based credential instructionsIf the merge reports conflicts beyond package-lock.json, resolve them by reading the conflicted files and understanding the intent of both sides.
Replace the OneCLI auth reference with the native proxy:
In groups/main/CLAUDE.md, replace:
OneCLI manages credentials (including Anthropic auth) — run
onecli --help.
with:
The native credential proxy manages credentials (including Anthropic auth) via
.env— seesrc/credential-proxy.ts.
npm install
npm run build
npx vitest run src/credential-proxy.test.ts src/container-runner.test.ts
All tests must pass and build must be clean before proceeding.
AskUserQuestion: Do you want to use your Claude subscription (Pro/Max) or an Anthropic API key?
claude setup-token in another terminal to get your token."Tell the user to run claude setup-token in another terminal and copy the token it outputs. Do NOT collect the token in chat.
Once they have the token, add it to .env:
# Add to .env (create file if needed)
echo 'CLAUDE_CODE_OAUTH_TOKEN=<token>' >> .env
Note: ANTHROPIC_AUTH_TOKEN is also supported as a fallback.
Tell the user to get an API key from https://console.anthropic.com/settings/keys if they don't have one.
Add it to .env:
echo 'ANTHROPIC_API_KEY=<key>' >> .env
If the user's response happens to contain a token or key (starts with sk-ant- or looks like a token): write it to .env on their behalf using the appropriate variable name.
Optional: If the user needs a custom API endpoint, they can add ANTHROPIC_BASE_URL=<url> to .env (defaults to https://api.anthropic.com).
npm run build
Then restart the service:
launchctl kickstart -k gui/$(id -u)/com.nanoclawsystemctl --user restart nanoclawbash start-nanoclaw.shtail -20 logs/nanoclaw.log | grep "Credential proxy"
Expected: Credential proxy started with port and auth mode.
Send a test message in the registered chat to verify the agent responds.
Note: after applying this skill, the OneCLI credential steps in /setup no longer apply. .env is now the credential source.
"Credential proxy upstream error" in logs: Check that .env has a valid ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN. Verify the API is reachable: curl -s https://api.anthropic.com/v1/messages -H "x-api-key: test" | head.
Port 3001 already in use: Set CREDENTIAL_PROXY_PORT=<other port> in .env or as an environment variable.
Container can't reach proxy (Linux): The proxy binds to the docker0 bridge IP by default. If that interface doesn't exist (e.g. rootless Docker), set CREDENTIAL_PROXY_HOST=0.0.0.0 as an environment variable.
OAuth token expired (401 errors): Re-run claude setup-token in a terminal and update the token in .env.
To revert to OneCLI gateway:
git log --oneline --merges -5git revert <merge-commit> -m 1 (undoes the skill branch merge, keeps your other changes)npm install (re-adds @onecli-sh/sdk)npm run build/setup step 4 to configure OneCLI credentialsANTHROPIC_API_KEY / CLAUDE_CODE_OAUTH_TOKEN from .env