Twhidden Bitwarden

v1.0.5

Bitwarden & Vaultwarden password manager integration. Use when storing, retrieving, generating, or managing passwords and credentials. Wraps the Bitwarden CL...

by Travis Whidden @twhidden
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Bitwarden/Vaultwarden CLI wrapper) match the script and SKILL.md. The required binaries (bw, openssl, curl) and required env vars (BW_SERVER, BW_EMAIL, BW_MASTER_PASSWORD) are appropriate for a CLI wrapper that logs in, registers accounts, and talks to a Bitwarden-compatible server.
Instruction Scope
The SKILL.md and bw.sh stay within the stated purpose: they log in, generate passwords, create/list/edit items, and (optionally) register accounts via the configured BW_SERVER. Minor implementation notes: the script parses JSON with grep/regex (fragile but expected for a bash-only tool) and implements registration using openssl and curl as described. The instructions and script reference CREDS_FILE and OPENCLAW_WORKSPACE as optional configuration sources; these optional env vars are reasonable but are not included in the top-level requires.env declaration in the registry metadata (see environment_proportionality).
Install Mechanism
This is instruction-only plus a bundled bash script (bw.sh). There is no remote download/install step in the skill metadata that would pull and execute arbitrary code at install time, so installation mechanism risk is low. The script does require the user to install the Bitwarden CLI separately (npm install -g @bitwarden/cli).
Credentials
The skill requires BW_SERVER, BW_EMAIL, and BW_MASTER_PASSWORD — these are highly sensitive but proportionate for an automated login to a Bitwarden/Vaultwarden instance. The script also reads optional CREDS_FILE and OPENCLAW_WORKSPACE environment variables (to locate a credentials file); those optional vars are not listed in the registry's top-level requires.env. The skill writes a session token to /tmp/.bw_session (with chmod 600), which is expected behavior but worth noting because it creates a local artifact containing an authentication token.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide agent settings. It caches a session token in /tmp/.bw_session and removes it on lock/logout, which is standard behavior for a CLI wrapper. Autonomous invocation is allowed by default (platform behavior) — consider policy if you want manual approval for password operations.
Assessment
This skill appears to do what it says: wrap the Bitwarden CLI and manage a Bitwarden/Vaultwarden account. Before installing, consider the following:

  1. You will need to provide your master password (BW_MASTER_PASSWORD). This is necessary but highly sensitive; prefer a dedicated account or minimize exposure time.
  2. The script can read a credentials file (CREDS_FILE) in your OpenClaw workspace; ensure that file is protected (chmod 600) and not committed to source control.
  3. The script writes a session token to /tmp/.bw_session; the script sets restrictive permissions, but you should verify your environment's /tmp policies.
  4. If you want human approval before the agent stores or retrieves passwords, limit autonomous invocation via your OpenClaw tool policy.
  5. If you have concerns about the packaged code, review bw.sh yourself (it's included) or obtain the skill from a trusted origin (verify the GitHub/homepage and commit history).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis
Bins: bw, openssl, curl
Env: BW_SERVER, BW_EMAIL, BW_MASTER_PASSWORD
Tags: bitwarden, latest, password-manager, security, vaultwarden
736 downloads
2 stars
5 versions
Updated 1mo ago
MIT-0

Bitwarden & Vaultwarden

Bitwarden/Vaultwarden CLI (bw) wrapper with automatic login, session caching, and convenient commands. Works seamlessly with both official Bitwarden (vault.bitwarden.com) and self-hosted Vaultwarden instances.

Requirements

  • Bitwarden CLI (bw) installed: npm install -g @bitwarden/cli
  • A Bitwarden or Vaultwarden server instance
  • Credentials configured (see Configuration below)

Configuration

Set credentials via environment variables or a credentials file:

# Environment variables (preferred)
export BW_SERVER="https://vault.bitwarden.com"  # Official Bitwarden
# OR
export BW_SERVER="https://your-vaultwarden-instance.example.com"  # Vaultwarden
export BW_EMAIL="your-email@example.com"
export BW_MASTER_PASSWORD="your-master-password"

# Or use a credentials file (default: secrets/bitwarden.env)
export CREDS_FILE="/path/to/your/bitwarden.env"

The credentials file should contain:

BW_SERVER=https://vault.bitwarden.com
BW_EMAIL=your-email@example.com
BW_MASTER_PASSWORD=your-master-password

Invocation

bash skills/bitwarden/bw.sh <command> [args...]

Commands

Command                                    Description           Example
register [email] [pass] [name]             Register new account  bw.sh register user@example.com pass123 "My Name"
login                                      Login & unlock vault  bw.sh login
status                                     Show vault status     bw.sh status
list [search]                              List/search items     bw.sh list github
get <name|id>                              Get full item JSON    bw.sh get "GitHub"
get-password <name|id>                     Get password only     bw.sh get-password "GitHub"
get-username <name|id>                     Get username only     bw.sh get-username "GitHub"
create <name> <user> <pass> [uri] [notes]  Create login          bw.sh create "GitHub" user pass https://github.com
generate [length]                          Generate password     bw.sh generate 32
delete <id>                                Delete item           bw.sh delete <uuid>
lock                                       Lock vault            bw.sh lock

Workflow

  1. First call per session: bw.sh login (auto-authenticates from configured credentials)
  2. Session token cached at /tmp/.bw_session
  3. All subsequent commands auto-use the cached session
  4. After reboot/restart: run login again

Storing New Credentials

# Generate + store
PASS=$(bash skills/bitwarden/bw.sh generate 32)
bash skills/bitwarden/bw.sh create "New Service" "user@email.com" "$PASS" "https://service.com"

Account Registration

Register a new account on your Bitwarden/Vaultwarden server directly from the CLI:

# Register using configured credentials (from env/credentials file)
bash skills/bitwarden/bw.sh register

# Register with explicit credentials
# (command-line arguments are visible in shell history and the process list)
bash skills/bitwarden/bw.sh register "user@example.com" "SecurePass123!" "Display Name"

How it works:

  • Derives a master key using PBKDF2-SHA256 (600,000 iterations) with the email as salt
  • Creates a master password hash for server authentication
  • Generates a 64-byte symmetric key, encrypted with AES-256-CBC + HMAC-SHA256
  • Submits registration to the server's /api/accounts/register endpoint

Requirements: OpenSSL 3.x+ (for PBKDF2 and HKDF support), curl, xxd.

Note: The master password must be at least 12 characters. Works with both official Bitwarden and Vaultwarden servers.
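
The key-derivation chain behind the "How it works" list, as an added example; it is not code from bw.sh. It follows Bitwarden's published client-side scheme, and the following are assumptions rather than details stated on this page: the email is trimmed and lowercased before use as the salt, the server hash is one further PBKDF2 round with the password as salt, and the HKDF labels are "enc" and "mac". The names `derive` and `hkdf_expand` are illustrative.

```python
import base64
import hashlib
import hmac

KDF_ITERATIONS = 600_000   # iteration count stated on this page
MIN_PASSWORD_LEN = 12      # minimum master password length stated on this page


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256; no extract step is performed."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive(email: str, password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Derive the local master key, the server-side hash and the wrapping keys."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("master password must be at least 12 characters")
    salt = email.strip().lower().encode()   # assumption: normalised email as salt
    pw = password.encode()
    # Master key: never leaves the client.
    master_key = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, 32)
    # Authentication hash: the only password-derived value sent to the server.
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, pw, 1, 32)
    return {
        "master_key": master_key,
        "master_password_hash": base64.b64encode(auth_hash).decode(),
        # Separate keys for AES-256-CBC and HMAC-SHA256 when wrapping the
        # randomly generated 64-byte symmetric key.
        "enc_key": hkdf_expand(master_key, b"enc"),
        "mac_key": hkdf_expand(master_key, b"mac"),
    }


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    out = derive("User@Example.com", "correct horse battery")
    print("sent to server:", out["master_password_hash"])
    print("kept local    :", len(out["master_key"]), "byte master key")
```

Because the server only ever receives `master_password_hash`, a server-side leak of that value does not directly reveal the master key that unwraps the vault's symmetric key.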

Guardrails

  • Never paste secrets into logs, chat, or code.
  • Keep bitwarden.env out of version control.
  • Use chmod 600 on credential files.
  • Session tokens are stored in /tmp and cleared on lock/logout.

External Endpoints

Endpoint                   Purpose                    Data Sent
User-configured BW_SERVER  Bitwarden/Vaultwarden API  Encrypted vault data, authentication credentials

Note: The skill communicates with the Bitwarden server you configure via BW_SERVER. For official Bitwarden, this is https://vault.bitwarden.com. For Vaultwarden, this is your self-hosted instance URL.

Security & Privacy

What leaves your machine:

  • Authentication requests (email, master password) to your configured Bitwarden server
  • Encrypted vault data (create/read/update/delete operations)
  • All communication uses HTTPS/TLS

What stays local:

  • Session tokens (cached in /tmp/.bw_session)
  • Credential files (if using bitwarden.env)
  • Decrypted passwords (only in memory, never written to disk)

Trust statement: By using this skill, you are sending authentication credentials and vault data to the Bitwarden server you configure. Only install this skill if you trust your Bitwarden/Vaultwarden instance.

Model Invocation

This skill can be invoked autonomously by your OpenClaw agent when it needs to:

  • Store credentials securely
  • Retrieve passwords for automation tasks
  • Generate secure passwords

If you prefer manual approval before password operations, configure your OpenClaw agent's tool policy accordingly.

Security Best Practices

  1. Credentials file: Use chmod 600 on secrets/bitwarden.env
  2. Environment isolation: Don't share credential files across systems
  3. Session tokens: Automatically expire; run bw.sh lock when done
  4. Git: The .gitignore excludes all secrets (secrets/, *.env, .bw_session)
  5. Master password: Never hardcode or log your master password
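
A way to verify the file-permission guidance above for the two local secret files this page names (the cached session token and the credentials file), as an added example that is not part of bw.sh. The function name `audit_secret_file` and the finding labels are illustrative; the sticky-bit check on the parent directory covers the /tmp policy question raised in the scan assessment.

```python
import os
import stat


def audit_secret_file(path):
    """Return a list of findings for a file holding a secret; empty means OK."""
    try:
        st = os.lstat(path)   # lstat: inspect the path itself, never a link target
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]    # a link at a predictable path redirects reads/writes
    if not stat.S_ISREG(st.st_mode):
        return ["not-regular-file"]

    findings = []
    if st.st_uid != os.getuid():
        findings.append("foreign-owner")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-other-access")   # anything looser than 600

    # In a world-writable directory without the sticky bit, any local user
    # can delete or replace the file regardless of the file's own mode.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent-world-writable-no-sticky")
    return findings


if __name__ == "__main__":
    # Paths taken from this page: the session cache and the default credentials file.
    creds = os.environ.get("CREDS_FILE", "secrets/bitwarden.env")
    for p in ("/tmp/.bw_session", creds):
        print(p, audit_secret_file(p) or "ok")
```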
