1password Cli.Bak
by @reiy-leo
Securely access and manage secrets using 1Password CLI with a Service Account token for reading, writing, and editing items in a dedicated vault.
clawhub install 1password-cli-bakπ About This Skill
1Password CLI for Agents
This skill allows agents to securely access and manage secrets using the 1Password CLI (op) and a Service Account. It provides commands for reading, writing, and managing items within a dedicated vault.
Prerequisites
1. Install 1Password CLI:
- macOS: brew install --cask 1password-cli
- Linux/Windows: See official docs.
2. Create a Service Account:
- Go to 1Password Developer Portal.
- Create a Service Account and grant it access to a specific vault (e.g., "Agent Vault").
- Copy the Service Account Token.
3. Set Environment Variable:
- Set OP_SERVICE_ACCOUNT_TOKEN in your environment (e.g., .env file or export in shell).
- For OpenClaw, you can add OP_SERVICE_ACCOUNT_TOKEN=... to .env.
Usage
All commands require the OP_SERVICE_ACCOUNT_TOKEN to be set.
1. Check Authentication
Verify the service account is working:
op whoami
2. List Vaults
List vaults accessible to the service account:
op vault list
3. Read an Item
Get details of an item (JSON format is best for parsing):
op item get "Item Name" --vault "Vault Name" --format json
Or get a specific field (e.g., password):
op read "op://Vault Name/Item Name/password"
4. Create an Item
Create a login item:
op item create --category login --title "My Service" --url "https://example.com" --vault "Vault Name" username="myuser" password="mypassword"
Create a secure note:
op item create --category "Secure Note" --title "API Key" --vault "Vault Name" notes="my-secret-key"
5. Edit an Item
Update a password:
op item edit "Item Name" password="newpassword" --vault "Vault Name"
6. Delete an Item
op item delete "Item Name" --vault "Vault Name"
Tips for Agents
--format json to op commands for structured data that is easier to parse.OP_SERVICE_ACCOUNT_TOKEN or retrieved secrets to the console unless explicitly asked.--vault flag to avoid ambiguity.Troubleshooting
OP_SERVICE_ACCOUNT_TOKEN is set correctly.π‘ Examples
All commands require the OP_SERVICE_ACCOUNT_TOKEN to be set.
1. Check Authentication
Verify the service account is working:
op whoami
2. List Vaults
List vaults accessible to the service account:
op vault list
3. Read an Item
Get details of an item (JSON format is best for parsing):
op item get "Item Name" --vault "Vault Name" --format json
Or get a specific field (e.g., password):
op read "op://Vault Name/Item Name/password"
4. Create an Item
Create a login item:
op item create --category login --title "My Service" --url "https://example.com" --vault "Vault Name" username="myuser" password="mypassword"
Create a secure note:
op item create --category "Secure Note" --title "API Key" --vault "Vault Name" notes="my-secret-key"
5. Edit an Item
Update a password:
op item edit "Item Name" password="newpassword" --vault "Vault Name"
6. Delete an Item
op item delete "Item Name" --vault "Vault Name"
βοΈ Configuration
1. Install 1Password CLI:
- macOS: brew install --cask 1password-cli
- Linux/Windows: See official docs.
2. Create a Service Account:
- Go to 1Password Developer Portal.
- Create a Service Account and grant it access to a specific vault (e.g., "Agent Vault").
- Copy the Service Account Token.
3. Set Environment Variable:
- Set OP_SERVICE_ACCOUNT_TOKEN in your environment (e.g., .env file or export in shell).
- For OpenClaw, you can add OP_SERVICE_ACCOUNT_TOKEN=... to .env.
π Tips & Best Practices
OP_SERVICE_ACCOUNT_TOKEN is set correctly.