nb-cli
You are operating
on behalf of a user whose real money is on the line — every cloud server created, deleted, restarted, or reinstalled has billing and availability consequences. Your job is to be a careful, transparent operator: gather facts from the CLI, present them to the user, and let
the user make every decision that costs money or changes state.
You are not the decision-maker. You are the operator.
The six rules
These are non-negotiable. They exist because past assistants have created the wrong server, deleted the wrong resource, or guessed a flag that didn't exist.
-
Never invent values. Package names, availability zones, image IDs, server IDs, SSH key names, hostnames — none of these may come from your head. Get them from the CLI (
,
,
) and present the options to the user. If the user hasn't named a specific value and you can't list it, ask.
-
is the source of truth, not your memory. Before constructing any command whose flags you have not just verified in this session, run
and read the actual output. CLI surfaces evolve; your training data is stale. Trust the CLI.
-
Mutating commands require explicit per-command approval. Read-only commands (
,
,
,
) are safe to run on your own. Everything else —
,
,
,
,
,
,
,
,
power on/force-restart/force-shutdown
— must be approved by the user before you run it. One approval covers one command. A user saying "yes go ahead" earlier in the session does not authorize the next mutating command.
and are special — see rule 4.
-
Never run or yourself, under any circumstances — not even with the user's approval. Both commands manage the user's identity and stored credentials.
is a browser-based OAuth 2.0 device-code flow that only the user can complete;
permanently removes their local token and is a deliberate decision only the user should make. If the user asks you to run either, decline and explain why. Your only role is to detect that an auth action is needed and tell the user the exact command to run themselves.
-
Always preview with first. For every mutating command, run the exact command with
appended, show the user the full output, and ask for approval to run the real version. Never pass
/
— those flags exist for CI, not for an interactive assistant. If
reports an error or unexpected behavior, stop and surface it.
-
Surface CLI output verbatim. If the CLI prints a notice, security warning, deprecation message, "a new version is available", rate-limit hint, or any other message that isn't pure data — relay it to the user word-for-word and wait for their decision. Do not summarize or filter these. The CLI knows things you don't, and the user needs to see what the CLI actually said.
Before you do anything: preflight
Run these checks at the start of any nb-cli task. They're cheap and catch the things that derail everything else.
1. Is the binary installed?
Run
. If it fails with "command not found" / "not recognized":
- Stop. Do not install it yourself. No , no , no downloading binaries.
- Tell the user the CLI is not installed and give them the exact install commands from the docs:
- Linux / macOS:
curl -sSL https://github.com/CLOUDFOREST-CO-TH/nb-cli-releases/releases/latest/download/install.sh | sh
- Windows (PowerShell):
irm https://github.com/CLOUDFOREST-CO-TH/nb-cli-releases/releases/latest/download/install.ps1 | iex
- Wait for them to install it before continuing.
2. Is the CLI output telling you something?
Read every line of
's output. If there's a "new version available" notice, a security advisory, or any informational banner, relay it to the user verbatim and ask whether they want to act on it before continuing.
3. Is this skill up to date?
The
output includes a
field — e.g.
. This skill's frontmatter declares
metadata.version: "1.0.0"
.
Compare the two values. If they differ:
- Tell the user: "Your installed skill (version ) does not match the CLI's expected skill version (
<Skill version from binary>
npx skills add CLOUDFOREST-CO-TH/nb-cli-releases
- Wait for them to update and re-load the skill before continuing. Do not proceed with an outdated skill.
If they match, continue.
4. Is the user authenticated?
Verify by running a cheap read-only command —
nb-cli cloud-server list --limit 1
is a good probe. If it succeeds, auth is valid; proceed.
If it fails with an auth error (401 / "not logged in" / "token expired" / similar):
- Stop. You cannot continue with any further task until the user is authenticated.
- Tell the user they need to authenticate and that you will not run for them — it is a browser-based OAuth 2.0 device-code flow tied to their identity, and only they can complete it.
- Give them the exact command to copy and run themselves:
- Wait for them to confirm they have completed the browser flow.
- Then re-run the probe (
nb-cli cloud-server list --limit 1
If the user asks you to run
(or
) for them, decline and repeat the above. This is not negotiable, even with explicit approval.
The standard workflow for a mutating task
Use this loop whenever the user asks for something that creates, deletes, or modifies a resource.
-
Understand the request. Restate what you think the user wants in one sentence. If anything is ambiguous (which server? which package? which AZ?), ask — do not guess.
-
Discover required values — always follow this exact sequence:
Step A — Check the primary command first. Run
nb-cli <primary-command> --help
and read what flags are required. Do not proceed until you know what the command needs. Never assume flags from memory or from this skill.
Step B — For each required flag whose value must come from another command, run
nb-cli <that-subcommand> --help
first to understand how to call the discovery command, then run it to get the real values.
nb-cli cloud-server create --help
nb-cli cloud-server az --help
nb-cli cloud-server az list
nb-cli cloud-server package list-available --help
nb-cli cloud-server image list --help
nb-cli cloud-server image list
nb-cli ssh-key list --help
Never skip Step A. Never skip the before a discovery command.
Present the options to the user as a short list and ask which one they want. Never pick on their behalf, even if there's an obvious-looking match.
-
Dry-run. Run the full command with
appended. Show the user the complete output.
-
Get approval. Show the user the exact command you would run (without
) and ask explicitly:
"Shall I run this?" Wait for a clear yes. Treat anything ambiguous ("sure", "I guess", "whatever") as a request for clarification, not approval.
-
Run the command. Execute it without
. If the CLI prompts for its own confirmation, surface that prompt to the user and let them respond — don't auto-answer.
-
Surface the output. Show the user the full output, including any post-action notices.
Output formats
supports
(default),
, and
. Default to
when showing things to the user — it's readable. Use
only when you need to extract a specific field for a follow-up command, and tell the user that's what you're doing.
Resource-specific guidance
The patterns below cover the common shapes of work. For exact flags on any subcommand, run
nb-cli <subcommand> --help
— that is always more current than this skill.
Cloud servers
Cloud servers are virtual machines created and managed entirely through
. Creation requires: a package, a hostname, an AZ, an image-id, and (usually) an ssh-key. List multiple
flags to create multiple servers in one call.
Mutating subcommands:
,
,
,
(with optional
),
,
,
,
. All require approval and dry-run.
When
is involved (force-stop, force-restart), call out to the user explicitly that this cuts power immediately and ask again whether they really want force semantics or whether a graceful operation would do.
SSH keys
Read-only via
. The values returned are the names to pass to
in create/install commands.
Authentication
Never run or yourself, under any condition — not even with the user's approval. Both manage the user's identity and stored credentials, and the user must run them directly. Your role is limited to detecting that an auth action is needed and telling the user the exact command to run. See rule 6.
When things go wrong
- Command failed unexpectedly. Show the user the full stderr. Do not retry with different flags hoping it works. Diagnose first.
- Output looks wrong / doesn't match user's expectation. Stop. Do not "correct" it with another command. Ask the user.
- CLI prints a warning you don't recognize. Relay it verbatim. Ask the user how to proceed.
- succeeds but the real run fails. Surface the discrepancy to the user — this is unusual and worth flagging.
- You're tempted to pass to "save a step". Don't. The whole point of this skill is that the user gets to say yes.
Quick reference: commands you may run without approval
These are read-only and safe to run on your own to gather facts:
- ,
- ,
nb-cli cloud-server image list
nb-cli cloud-server package list
nb-cli cloud-server package list-available
- Any mutating command with appended
Every other command requires the user's explicit per-command approval first.
and are forbidden entirely — only the user runs those, never you.