use-native-credential-proxy
Use Native Credential Proxy
This skill replaces the OneCLI gateway with NanoClaw's built-in credential proxy. Containers get credentials injected via a local HTTP proxy that reads from .env — no external services needed.
Phase 1: Pre-flight
Check if already applied
Check if src/credential-proxy.ts is imported in src/index.ts:
grep "credential-proxy" src/index.ts
If it shows an import for startCredentialProxy, the native proxy is already active. Skip to Phase 3 (Setup).
Check if OneCLI is active
grep "@onecli-sh/sdk" package.json
If @onecli-sh/sdk appears, OneCLI is the active credential provider. Proceed with Phase 2 to replace it.
If neither check matches, you may be on an older version. Run /update-nanoclaw first, then retry.
Phase 2: Apply Code Changes
Ensure upstream remote
git remote -v
If upstream is missing, add it:
git remote add upstream https://github.com/qwibitai/nanoclaw.git
Merge the skill branch
git fetch upstream skill/native-credential-proxy
git merge upstream/skill/native-credential-proxy || {
git checkout --theirs pnpm-lock.yaml
git add pnpm-lock.yaml
git merge --continue
}
This merges in:
src/credential-proxy.tsandsrc/credential-proxy.test.ts(the proxy implementation)- Restored credential proxy usage in
src/index.ts,src/container-runner.ts,src/container-runtime.ts,src/config.ts - Removed
@onecli-sh/sdkdependency - Restored
CREDENTIAL_PROXY_PORTconfig (default 3001) - Restored platform-aware proxy bind address detection
- Reverted setup skill to
.env-based credential instructions
If the merge reports conflicts beyond pnpm-lock.yaml, resolve them by reading the conflicted files and understanding the intent of both sides.
Update main group CLAUDE.md
Replace the OneCLI auth reference with the native proxy:
In groups/main/CLAUDE.md, replace:
OneCLI manages credentials (including Anthropic auth) — run
onecli --help.
with:
The native credential proxy manages credentials (including Anthropic auth) via
.env— seesrc/credential-proxy.ts.
Validate code changes
pnpm install
pnpm run build
pnpm exec vitest run src/credential-proxy.test.ts src/container-runner.test.ts
All tests must pass and build must be clean before proceeding.
Phase 3: Setup Credentials
AskUserQuestion: Do you want to use your Claude subscription (Pro/Max) or an Anthropic API key?
- Claude subscription (Pro/Max) — description: "Uses your existing Claude Pro or Max subscription. You'll run
claude setup-tokenin another terminal to get your token." - Anthropic API key — description: "Pay-per-use API key from console.anthropic.com."
Subscription path
Tell the user to run claude setup-token in another terminal and copy the token it outputs. Do NOT collect the token in chat.
Once they have the token, add it to .env:
# Add to .env (create file if needed)
echo 'CLAUDE_CODE_OAUTH_TOKEN=<token>' >> .env
Note: ANTHROPIC_AUTH_TOKEN is also supported as a fallback.
API key path
Tell the user to get an API key from https://console.anthropic.com/settings/keys if they don't have one.
Add it to .env:
echo 'ANTHROPIC_API_KEY=<key>' >> .env
After either path
If the user's response happens to contain a token or key (starts with sk-ant- or looks like a token): write it to .env on their behalf using the appropriate variable name.
Optional: If the user needs a custom API endpoint, they can add ANTHROPIC_BASE_URL=<url> to .env (defaults to https://api.anthropic.com).
Phase 4: Verify
- Rebuild and restart:
pnpm run build
Then restart the service:
- macOS:
launchctl kickstart -k gui/$(id -u)/com.nanoclaw - Linux:
systemctl --user restart nanoclaw - WSL/manual: stop and re-run
bash start-nanoclaw.sh
- Check logs for successful proxy startup:
tail -20 logs/nanoclaw.log | grep "Credential proxy"
Expected: Credential proxy started with port and auth mode.
-
Send a test message in the registered chat to verify the agent responds.
-
Note: after applying this skill, the OneCLI credential steps in
/setupno longer apply..envis now the credential source.
Troubleshooting
"Credential proxy upstream error" in logs: Check that .env has a valid ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN. Verify the API is reachable: curl -s https://api.anthropic.com/v1/messages -H "x-api-key: test" | head.
Port 3001 already in use: Set CREDENTIAL_PROXY_PORT=<other port> in .env or as an environment variable.
Container can't reach proxy (Linux): The proxy binds to the docker0 bridge IP by default. If that interface doesn't exist (e.g. rootless Docker), set CREDENTIAL_PROXY_HOST=0.0.0.0 as an environment variable.
OAuth token expired (401 errors): Re-run claude setup-token in a terminal and update the token in .env.
Removal
To revert to OneCLI gateway:
- Find the merge commit:
git log --oneline --merges -5 - Revert it:
git revert <merge-commit> -m 1(undoes the skill branch merge, keeps your other changes) pnpm install(re-adds@onecli-sh/sdk)pnpm run build- Follow
/setupstep 4 to configure OneCLI credentials - Remove
ANTHROPIC_API_KEY/CLAUDE_CODE_OAUTH_TOKENfrom.env
More from qwibitai/nanoclaw
debug
Debug container agent issues. Use when things aren't working, container fails, authentication problems, or to understand how the container system works. Covers logs, environment variables, mounts, and common issues.
20add-telegram
Add Telegram channel integration via Chat SDK.
13add-whatsapp
Add WhatsApp channel via native Baileys adapter. Direct connection — no Chat SDK bridge. Uses QR code or pairing code for authentication.
12update-nanoclaw
Efficiently bring upstream NanoClaw updates into a customized install, with preview, selective cherry-pick, and low token usage.
11customize
Add new capabilities or modify NanoClaw behavior. Use when user wants to add channels (Telegram, Slack, email input), change triggers, add integrations, modify the router, or make any other customizations. This is an interactive skill that asks questions to understand what the user wants.
10qodo-pr-resolver
Review and resolve PR issues with Qodo - get AI-powered code review issues and fix them interactively (GitHub, GitLab, Bitbucket, Azure DevOps)
10