{"skill":{"slug":"gateway-env-injector","displayName":"Gateway Env Injector","summary":"Safely inject API keys from 1Password into macOS LaunchAgent plists using PlistBuddy. Use when running OpenClaw on macOS and storing secrets in 1Password — a...","description":"---\nname: gateway-env-injector\nversion: 1.0.0\ndescription: Safely inject API keys from 1Password into macOS LaunchAgent plists using PlistBuddy. Use when running OpenClaw on macOS and storing secrets in 1Password — avoids plaintext keys on disk while keeping LaunchAgent env vars populated. Requires 1Password CLI (op).\nmetadata:\n  {\"openclaw\": {\"emoji\": \"🔐\", \"requires\": {\"bins\": [\"op\", \"bash\"], \"env\": [\"OP_SERVICE_ACCOUNT_TOKEN\"]}, \"primaryEnv\": \"OP_SERVICE_ACCOUNT_TOKEN\", \"network\": {\"outbound\": true, \"reason\": \"Reads secrets from 1Password via op CLI (1password.com). Writes locally to plist files only.\"}}}\n---\n\n# Gateway Environment Injector\n\nBake secrets from 1Password into macOS LaunchAgent plists without leaving plaintext keys on disk. Uses `op read` to fetch secrets and `/usr/libexec/PlistBuddy` to inject them directly into the plist's `EnvironmentVariables` block.\n\n## Why This Exists\n\n- `launchctl setenv` doesn't inject into a plist's own `EnvironmentVariables` block\n- Environment variables in `.zshrc` aren't available to LaunchAgents\n- Plaintext key files are a security risk\n- 1Password service accounts provide read-only, rotatable access\n\n## Usage\n\n```bash\nbash scripts/inject-gateway-env.sh\n```\n\nReads each key from 1Password, injects into the gateway plist, then restarts the service.\n\n## What It Injects\n\nConfigurable list of `op://Vault/Item/field` references mapped to environment variable names. Modify the script's `KEYS` array for your setup.\n\n## Key Lesson\n\nChanging the Node binary path (even to a symlink) can silently revoke macOS TCC permissions. Always keep the gateway plist locked to the Homebrew Cellar path, not an NVM symlink.\n\n## Files\n\n- `scripts/inject-gateway-env.sh` — Injection script with 1Password integration\n","tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":750,"installsAllTime":1,"installsCurrent":1,"stars":0,"versions":1},"createdAt":1772823958636,"updatedAt":1779077699062},"latestVersion":{"version":"1.0.0","createdAt":1772823958636,"changelog":"Initial release of gateway-env-injector.\n\n- Injects API keys from 1Password into macOS LaunchAgent plists using PlistBuddy.\n- Prevents plaintext secrets on disk while ensuring LaunchAgents have required environment variables.\n- Requires 1Password CLI (`op`) and Bash; uses service account token from environment.\n- Customizable for your own 1Password items and desired environment variables.\n- Designed for secure OpenClaw deployments on macOS.","license":null},"metadata":{"setup":[{"key":"OP_SERVICE_ACCOUNT_TOKEN","required":true}],"os":null,"systems":null},"owner":{"handle":"nissan","userId":"s17f2fw07zktjmcgagf5c29tbd83rt7v","displayName":"Nissan Dookeran","image":"https://avatars.githubusercontent.com/u/12583?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1780089785133}}