Distributed AI Agent Workflows with CLIO
CLIO's remote execution capability allows you to run AI-powered tasks on remote systems via SSH. This transforms CLIO from a local development assistant into a distributed orchestration platform.
- Execute AI tasks on remote systems - Run CLIO with any task on any SSH-accessible machine
- Auto-authentication - GitHub Copilot tokens are securely forwarded (never written to disk)
- Automatic setup - CLIO downloads and configures itself on the remote system
- Clean execution - Temporary files are automatically cleaned up after execution
- Result retrieval - Capture output and optionally retrieve files from remote systems
| Use Case | Description |
|---|---|
| System Analysis | Gather diagnostics, hardware info, and logs from remote servers |
| Distributed Builds | Compile code on systems with specific hardware/architecture |
| Multi-Environment Testing | Run tests across different OS/hardware configurations |
| Remote Debugging | Investigate issues on production or staging systems |
| Infrastructure Management | Audit and analyze multiple systems from one location |
| Hardware-Specific Tasks | Utilize GPU, ARM, or specialized hardware on remote systems |
The simplest way to execute a remote task:
Use remote_execution to check the disk space on myserver
CLIO will:
- SSH into the server
- Download and install CLIO temporarily
- Execute the task using your configured model
- Return the results
- Clean up automatically
- SSH Access - Password-less SSH key authentication to the remote system
- Remote Requirements:
- Perl 5.32+ installed
- curl or wget available
- ~50MB free disk space in /tmp
- GitHub Copilot (or other API provider) - For AI model access
Remote execution requires passwordless SSH authentication. CLIO will not work with password-based SSH or prompt for passphrases during execution.
- Security: Keys are more secure than passwords
- Automation: No manual password entry during execution
- Parallel Execution: Multiple simultaneous connections without password prompts
- Best Practice: Industry standard for remote automation
# Generate ed25519 key (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"
# Or RSA if ed25519 not supported
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# When prompted:
# - Accept default location (~/.ssh/id_ed25519)
# - Optionally set a passphrase (recommended for security)Passphrase Recommendation:
- Use one - Protects your key if laptop is lost/stolen
- ssh-agent will cache it so you only enter it once per session
- CLIO will fail gracefully if passphrase needed but not in agent
# Copy your public key to remote
ssh-copy-id user@remote-host
# For non-standard port:
ssh-copy-id -p 2222 user@remote-host
# For specific key:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote-hostThis adds your public key to ~/.ssh/authorized_keys on the remote system.
# Start ssh-agent (one-time per terminal session)
eval "$(ssh-agent -s)"
# Verify agent is running
ssh-add -lMake it persistent - Add to your shell startup file (~/.bashrc, ~/.zshrc, etc.):
# Auto-start ssh-agent
if [ -z "$SSH_AUTH_SOCK" ]; then
eval "$(ssh-agent -s)" > /dev/null
fi# Add your private key to agent
ssh-add ~/.ssh/id_ed25519
# If you set a passphrase, enter it now
# ssh-agent will remember it for the session
# Verify key is loaded
ssh-add -lYou should see output like:
256 SHA256:xxxxx... your_email@example.com (ED25519)
# Test connection (should NOT prompt for password or passphrase)
ssh user@remote-host exit
# If successful (no prompts), you're ready!CLIO automatically validates SSH setup before executing remote tasks:
✓ Checks if ssh-agent is running
✓ Verifies passwordless connection to remote
✓ Provides clear guidance if setup incomplete
Example Error:
SSH agent not running. Remote execution requires SSH agent or explicit key.
Setup guide:
1. Start ssh-agent: eval "$(ssh-agent -s)"
2. Add your key: ssh-add ~/.ssh/id_rsa (or id_ed25519)
3. Test connection: ssh user@host exit
See docs/REMOTE_EXECUTION.md for detailed setup instructions.
If you don't want to use ssh-agent, specify a key directly:
{
"operation": "execute_remote",
"host": "user@remote",
"ssh_key": "/path/to/private/key",
"command": "your task"
}Note: The key file must not have a passphrase, as CLIO cannot prompt for it.
Cause: Your public key isn't on the remote system.
Fix:
ssh-copy-id user@remote-hostCause: ssh-agent isn't running.
Fix:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519Cause: No keys loaded in agent.
Fix:
ssh-add ~/.ssh/id_ed25519Cause: Key has passphrase but isn't in ssh-agent.
Fix:
ssh-add ~/.ssh/id_ed25519
# Enter passphrase once, agent caches it# Remove passphrase (less secure but more convenient)
ssh-keygen -p -f ~/.ssh/id_ed25519
# When prompted:
# - Enter old passphrase
# - Leave new passphrase empty (press Enter twice)Warning: Removing passphrases reduces security. Better to use ssh-agent.
For multiple remote hosts:
# Copy key to all systems
ssh-copy-id user@host1
ssh-copy-id user@host2
ssh-copy-id user@host3
# Test all connections
for host in host1 host2 host3; do
echo "Testing $host..."
ssh user@$host exit && echo "✓ $host OK" || echo "✗ $host FAILED"
done-
Always use passphrases on SSH keys
- Protects key if laptop is compromised
- ssh-agent makes this painless
-
Don't share private keys
- Each person/machine should have their own key pair
- Use
ssh-copy-idto distribute public keys
-
Use ed25519 keys
- More secure and faster than RSA
- Smaller key size (256-bit vs 2048-4096 bit)
-
Restrict key permissions
chmod 600 ~/.ssh/id_ed25519 # Private key chmod 644 ~/.ssh/id_ed25519.pub # Public key
-
Use per-device keys if desired
- Create different keys for different purposes
- Add all to ssh-agent:
ssh-add ~/.ssh/key1 ~/.ssh/key2
Execute an AI-powered task on a remote system.
Parameters:
| Parameter | Required | Default | Description |
|---|---|---|---|
host |
Yes | - | SSH target (user@hostname) |
command |
Yes | - | Natural language task description |
model |
Yes | - | AI model to use (e.g., gpt-5) |
api_key |
No | Auto | API key (auto-populated from GitHub token) |
timeout |
No | 300 | Max execution time in seconds |
cleanup |
No | true | Delete CLIO after execution |
ssh_key |
No | default | Path to SSH private key |
ssh_port |
No | 22 | SSH port |
output_files |
No | [] | Files to retrieve after execution |
Example:
Execute on user@mydevice with gpt-5: analyze the system hardware and create a detailed report
Verify a remote system is ready for CLIO execution.
What it checks:
- SSH connectivity
- Perl availability
- Download tools (curl/wget)
- Disk space (minimum 50MB)
Example:
Check if server@production is ready for remote execution
Pre-stage CLIO on a remote system without executing a task. Useful for:
- Reducing latency on repeated tasks
- Preparing multiple systems in advance
- Testing installation on a new system
Manually remove CLIO from a remote system if automatic cleanup failed or was disabled.
Transfer files to/from remote systems before or after execution.
Use remote_execution on admin@webserver with gpt-5:
Create a system health report including CPU, memory, disk, and network status
Execute remotely on dev@buildserver with gpt-5:
Analyze the Python project in ~/myproject and identify potential security issues
On user@handheld with gpt-5:
1. Check what games are installed in ~/Games
2. Report disk usage by game
3. Identify the largest game and when it was last played
Remote execution on admin@server1:
List all hardware including CPU model, RAM size, disk drives, and network adapters.
Format as a markdown table.
Execute on builder@arm-device with gpt-5:
Clone https://github.com/example/project, build for ARM64, and report any compilation errors
-
API keys are never written to disk on remote systems
- For GitHub Copilot: Token is written to a temporary
github_tokens.jsonfile - File is deleted immediately after execution completes
- Even on execution failure, cleanup attempts to remove credentials
- For GitHub Copilot: Token is written to a temporary
-
Minimal configuration transfer
- Only necessary settings are sent (provider, model)
- No local history, context, or other sensitive data is transferred
-
SSH-based security
- All communication uses your existing SSH infrastructure
- No additional ports or services required
- Leverages your SSH key authentication
- Use dedicated SSH keys for remote execution if desired
- Ensure remote systems have appropriate access controls
- Review remote execution logs for sensitive data before sharing
- Use
cleanup: true(default) to ensure temporary files are removed
SSH Connection Failed
Error: SSH connection failed
- Verify SSH key authentication works:
ssh user@host echo "test" - Check if the hostname is resolvable
- Verify SSH port if non-standard
Perl Not Available
Error: Perl not available on remote
- Install Perl 5.32+ on the remote system
- Check PATH includes Perl:
ssh user@host "which perl"
Insufficient Disk Space
Error: Insufficient disk space: only XMB available in /tmp
- Clear space in /tmp on the remote system
- Use
working_dirparameter to specify alternative directory
Rsync Failed
Error: Could not transfer CLIO to remote
- Verify rsync is installed on both local and remote
- Check SSH connectivity
- Ensure sufficient disk space on remote in /tmp
For detailed debugging, run CLIO with --debug:
./clio --debugThis shows:
- SSH commands being executed
- Remote script content
- Download progress
- Execution output
sequenceDiagram
participant Local as Local CLIO
participant SSH as SSH Connection
participant Remote as Remote System
Local->>SSH: 1. Check host connectivity
SSH->>Remote: 2. Verify requirements (Perl, etc.)
Local->>SSH: 3. Rsync CLIO installation
SSH->>Remote: 4. Create minimal config
Local->>SSH: 5. Execute task command
SSH->>Remote: 6. Run CLIO with AI task
Remote-->>SSH: 7. Return output & results
SSH-->>Local: 8. Retrieve files
Local->>SSH: 9. Cleanup remote files
SSH->>Remote: 10. Delete CLIO installation
- Rsync distribution - CLIO copies itself from local to remote, ensuring version consistency without requiring internet access on the remote
- Automatic cleanup - Leaves no trace on remote systems by default
- Token forwarding - Credentials passed via environment variable, never persisted on disk
Manage named devices and groups for quick access:
/device add steam-deck deck@steamdeck.local
/device add build-server admin@build.internal --key ~/.ssh/build_key
/device group create handhelds
/device group add handhelds steam-deck
/device group add handhelds legion-go
Run the same task on multiple devices simultaneously:
Execute on all handhelds with gpt-5: report CPU architecture and available disk space
This uses execute_parallel internally, forking one process per target and aggregating results.
Devices and groups are stored in ~/.clio/devices.json.
Remote execution can be disabled:
/config set enable_remote off
When disabled, the remote_execution tool is not available to the AI agent.
{
"name": "remote_execution",
"operations": [
"execute_remote",
"execute_parallel",
"prepare_remote",
"cleanup_remote",
"check_remote",
"transfer_files",
"retrieve_files"
]
}{
"operation": "execute_remote",
"host": "user@hostname",
"command": "task description",
"model": "gpt-5",
"api_key": "auto-populated",
"api_provider": "github_copilot",
"timeout": 300,
"cleanup": true,
"ssh_key": "/path/to/key",
"ssh_port": 22,
"output_files": ["report.md", "results/"],
"working_dir": "/tmp"
}- ARCHITECTURE_REMOTE_EXECUTION.md - Technical architecture
- User Guide - Complete CLIO documentation
- SANDBOX.md - Sandbox mode (blocks remote execution)