Side Peace
Scanned@BitBrujo
npx machina-cli add skill @BitBrujo/side-peace --openclaw
Side_Peace
Dead simple secret handoff from human to AI. No npm packages to trust, just Node.js built-ins.
Key security feature: Secret is written to a temp file, NEVER printed to stdout. This prevents secrets from appearing in chat logs or command output.
How It Works
- Agent runs node drop.js --label "API Key"
- Agent shares the URL with human
- Human opens URL in browser, pastes secret, submits
- Secret is saved to temp file (printed path only, not content)
- Agent reads file, uses secret, deletes file
Usage
# Basic - secret saved to random temp file
node skills/side-peace/drop.js --label "CLAWHUB_TOKEN"
# Custom output path
node skills/side-peace/drop.js --label "API_KEY" --output /tmp/my-secret.txt
# Custom port
node skills/side-peace/drop.js --port 4000 --label "TOKEN"
Reading the Secret
After receiving, the secret is in the temp file:
# Read and use (example with clawhub)
SECRET=$(cat /tmp/side-peace-xxx.secret)
npx clawhub login --token "$SECRET" --no-browser
rm /tmp/side-peace-xxx.secret
Or one-liner:
cat /tmp/side-peace-xxx.secret | xargs -I{} npx clawhub login --token {} --no-browser; rm /tmp/side-peace-xxx.secret
Security
- Zero dependencies: only Node.js built-ins
- Secret never in stdout: written to file with 0600 permissions
- Memory only until saved: temp file deleted after use
- One-time: server exits after receiving
- ~60 lines: fully auditable
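One way to handle the drop file on both sides, as an added example that is not Side Peace's own drop.js: saveSecret and consumeSecret are hypothetical names, and the code assumes a POSIX host. It creates the file exclusively with mode 0600, then refuses symlinks and files that are group/world accessible or owned by another user before reading and deleting.

```javascript
// Added example, not the project's drop.js. Function names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const crypto = require('node:crypto');

// Receiver side: write the submitted secret to an unpredictable path.
// Flag 'wx' (O_CREAT|O_EXCL) fails if the path already exists, so a file or
// symlink planted in the shared temp directory is never written through.
function saveSecret(secret, dir = os.tmpdir()) {
  const name = `side-peace-${crypto.randomBytes(8).toString('hex')}.secret`;
  const file = path.join(dir, name);
  fs.writeFileSync(file, secret, { mode: 0o600, flag: 'wx' });
  return file; // only the path is returned or logged, never the content
}

// Consumer side: verify, read, delete.
function consumeSecret(file) {
  // O_NOFOLLOW makes open() fail if the final path component is a symlink.
  const fd = fs.openSync(file, fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW);
  try {
    // fstat on the open descriptor checks the file that will actually be read.
    const st = fs.fstatSync(fd);
    if (!st.isFile()) throw new Error('not a regular file');
    if ((st.mode & 0o077) !== 0) {
      throw new Error('secret file is group/world accessible');
    }
    if (st.uid !== process.getuid()) {
      throw new Error('secret file is owned by another user');
    }
    return fs.readFileSync(fd, 'utf8').trim();
  } finally {
    fs.closeSync(fd);
    fs.unlinkSync(file); // delete whether or not the checks passed
  }
}
```

If consumeSecret rejects a file, treat the secret as exposed and rotate it rather than resubmitting the same value.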
Output
Side_Peace waiting...
Label: CLAWHUB_TOKEN
Output: /tmp/side-peace-a1b2c3d4.secret
Local: http://localhost:3000
Network: http://192.168.1.94:3000
Waiting for secret...
Secret received and saved.
File: /tmp/side-peace-a1b2c3d4.secret
(Secret is NOT printed to stdout for security)
The secret is in the file. Read it, use it, delete it.
Overview
Side Peace enables a minimal secret handoff from a human to an AI agent using only Node.js built-ins. The secret is written to a temporary file and never printed to stdout, preventing leakage into logs or chat outputs. The server is ephemeral: it exits after receiving the secret, and the agent deletes the file after use.
How This Skill Works
The agent starts a small Node.js server (drop.js) that accepts a secret via a browser form. It writes the secret to a temporary file and prints only the file path. The agent then reads the secret from that file, uses it, and deletes the file, ensuring the secret never appears in stdout or logs.
When to Use It
- Securely transfer an API key or token to an AI agent without leaking it to stdout or logs.
- Share secrets in a private, local network by submitting through a browser form.
- Operate in zero-dependency environments, since it uses only Node.js built-ins.
- Perform a one-time secret handoff where the server exits after receipt.
- Maintain audit-friendly flows where secrets must not appear in chat output or command stdout.
Quick Start
- Step 1: Run the drop server with a label, e.g., node skills/side-peace/drop.js --label "API_KEY"
- Step 2: Open the shown Local/Network URL in a browser and paste the secret.
- Step 3: Let the agent read the secret from the temp file and delete it after use.
Best Practices
- Use a descriptive, unique label (e.g., --label "API_KEY") to identify the secret.
- Keep the host secure; the secret is stored in a temp file with restricted access.
- Review the generated output path (when provided) to verify where the secret is stored without exposing contents.
- Delete the temp file immediately after use to minimize exposure.
- Prefer the one-time, ephemeral server flow to reduce attack surface.
Example Use Cases
- Injecting an API key into an AI agent during integration testing without exposing it in logs.
- Supplying a private token to a CLI workflow by posting it through the browser form.
- Delivering a temporary OAuth token to an automation agent in a local development environment.
- Handing a secret to a ClawHub-style workflow where stdout must remain clean.
- Storing the secret in a custom path (e.g., /tmp/my-secret.txt) before consumption.