1password

Security & Passwords
v1.0.1
Benign

Set up and use 1Password CLI (op).

3416.1K downloads · 905 installs · by @steipete

Setup & Installation

Install command

clawhub install steipete/1password

If the CLI is not installed:

npx clawhub@latest install steipete/1password

Or install with OpenClaw CLI:

openclaw skills install steipete/1password

Or paste the repo link into your assistant's chat:

https://github.com/openclaw/skills/tree/main/skills/steipete/1password

What This Skill Does

Handles installing and configuring the 1Password CLI (op) and integrating it with the 1Password desktop app. Covers single and multi-account sign-in flows, reading vault items, and injecting secrets into processes without writing them to disk.

Using op run and op inject keeps secrets out of shell history, environment files, and logs without any extra tooling.

When to Use It

  • Injecting API keys from a vault into a deploy script
  • Signing into multiple 1Password accounts from the terminal
  • Running commands with secrets via op run without touching disk
  • Setting up 1Password CLI on a new machine
  • Verifying vault access before automated secret reads
View original SKILL.md file
# 1Password CLI

Follow the official CLI get-started steps. Don't guess install commands.

## References

- `references/get-started.md` (install + app integration + sign-in flow)
- `references/cli-examples.md` (real `op` examples)

## Workflow

1. Check OS + shell.
2. Verify CLI present: `op --version`.
3. Confirm desktop app integration is enabled (per get-started) and the app is unlocked.
4. REQUIRED: create a fresh tmux session for all `op` commands (no direct `op` calls outside tmux).
5. Sign in / authorize inside tmux: `op signin` (expect app prompt).
6. Verify access inside tmux: `op whoami` (must succeed before any secret read).
7. If multiple accounts: use `--account` or `OP_ACCOUNT`.

## REQUIRED tmux session (T-Max)

The shell tool uses a fresh TTY per command. To avoid re-prompts and failures, always run `op` inside a dedicated tmux session with a fresh socket/session name.

Example (see `tmux` skill for socket conventions, do not reuse old session names):

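```bash
# Dedicated socket directory and socket for the op session.
SOCKET_DIR="${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/clawdbot-tmux-sockets}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/clawdbot-op.sock"
# Timestamped name so an old session is never reused.
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"

# Start a detached session, then type each op command into its first pane.
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op signin --account my.1password.com" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op vault list" Enter
# Read back the last 200 lines of pane output; send-keys does not wait for
# the commands to finish, so capture once the app prompt has been approved.
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
# Tear the session down when done.
tmux -S "$SOCKET" kill-session -t "$SESSION"
```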

## Guardrails

- Never paste secrets into logs, chat, or code.
- Prefer `op run` / `op inject` over writing secrets to disk.
- If sign-in without app integration is needed, use `op account add`.
- If a command returns "account is not signed in", re-run `op signin` inside tmux and authorize in the app.
- Do not run `op` outside tmux; stop and ask if tmux is unavailable.
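
One way to enforce the workflow checks and guardrails above before any secret read, as an added example that is not part of the original skill. The function names, exit codes and the policy that the env file holds only `op://` references are assumptions made for this sketch:

```bash
# Added example, not part of the skill's own files. Function names and
# exit codes are hypothetical; the sample env line below is constructed.

# Preconditions from the workflow: op present, inside tmux, signed in.
# Returns 1 = op missing, 2 = not in tmux, 3 = `op whoami` failed.
op_preflight() {
  command -v op >/dev/null 2>&1 || { echo "op CLI not found" >&2; return 1; }
  [ -n "${TMUX:-}" ] || { echo "not inside tmux; refusing to call op" >&2; return 2; }
  op whoami >/dev/null 2>&1 || { echo "not signed in; run 'op signin' in tmux" >&2; return 3; }
}

# Assumed policy, stricter than op itself requires: every assignment in
# the env file must be a secret reference such as
#   API_KEY=op://deploy/api/credential      (constructed)
# so no literal secret sits on disk. Only line numbers are reported,
# never the offending value.
check_env_refs() {
  local file="$1" line n=0 bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      ''|'#'*) ;;                      # blank line or comment
      *=op://?*|*=\"op://?*) ;;        # secret reference, optionally quoted
      *) echo "$file:$n: value is not an op:// reference" >&2; bad=1 ;;
    esac
  done < "$file"
  return "$bad"
}

# Usage: op_guarded_run deploy.env ./deploy.sh
# Returns 4 if the env file holds a literal; otherwise op run's status.
op_guarded_run() {
  local env_file="$1"
  shift
  op_preflight || return $?
  check_env_refs "$env_file" || return 4
  op run --env-file="$env_file" -- "$@"
}
```
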

Example Workflow

Here's how your AI assistant might use this skill in practice.

INPUT

User asks: Injecting API keys from a vault into a deploy script

AGENT
  1. Injecting API keys from a vault into a deploy script
  2. Signing into multiple 1Password accounts from the terminal
  3. Running commands with secrets via op run without touching disk
  4. Setting up 1Password CLI on a new machine
  5. Verifying vault access before automated secret reads
OUTPUT
Set up and use 1Password CLI (op).

Security Audits

VirusTotal: Benign
OpenClaw: Benign

These signals reflect official OpenClaw status values. A Suspicious status means the skill should be used with extra caution.

Details

Language: Markdown
Last updated: Feb 26, 2026