{"skill":{"slug":"openclaw-skill-bitwarden","displayName":"Openclaw Skill Bitwarden","summary":"Bitwarden & Vaultwarden password manager integration. Use when storing, retrieving, generating, or managing passwords and credentials. Wraps the Bitwarden CL...","description":"---\nname: bitwarden-vaultwarden\ndescription: Bitwarden & Vaultwarden password manager integration. Use when storing, retrieving, generating, or managing passwords and credentials. Wraps the Bitwarden CLI (bw) with automatic session management. Works with both official Bitwarden and self-hosted Vaultwarden servers.\nhomepage: https://github.com/TWhidden/openclaw-skill-bitwarden\nmetadata:\n  clawdbot:\n    emoji: \"🔐\"\n    requires:\n      env: [\"BW_SERVER\", \"BW_EMAIL\", \"BW_MASTER_PASSWORD\"]\n      primaryEnv: \"BW_SERVER\"\n      bins: [\"bw\", \"python3\"]\n      pythonPkgs: [\"cryptography\", \"requests\"]\n      files: [\"bw.sh\"]\n---\n\n# Bitwarden & Vaultwarden\n\nBitwarden/Vaultwarden CLI (`bw`) wrapper with automatic login, session caching, and convenient commands. Works seamlessly with both official Bitwarden (vault.bitwarden.com) and self-hosted Vaultwarden instances.\n\n## Requirements\n\n- Bitwarden CLI (`bw`) installed: `npm install -g @bitwarden/cli`\n- A Bitwarden or Vaultwarden server instance\n- Credentials configured (see Configuration below)\n\n## Configuration\n\nSet credentials via environment variables or a credentials file:\n\n```bash\n# Environment variables (preferred)\nexport BW_SERVER=\"https://vault.bitwarden.com\"  # Official Bitwarden\n# OR\nexport BW_SERVER=\"https://your-vaultwarden-instance.example.com\"  # Vaultwarden\nexport BW_EMAIL=\"your-email@example.com\"\nexport BW_MASTER_PASSWORD=\"your-master-password\"\n\n# Or use a credentials file (default: secrets/bitwarden.env)\nexport CREDS_FILE=\"/path/to/your/bitwarden.env\"\n```\n\nThe credentials file should contain:\n\n```\nBW_SERVER=https://vault.bitwarden.com\nBW_EMAIL=your-email@example.com\nBW_MASTER_PASSWORD=your-master-password\n```\n\n## Invocation\n\n```bash\nbash skills/bitwarden/bw.sh <command> [args...]\n```\n\n## Commands\n\n| Command | Description | Example |\n|---------|-------------|---------|\n| `register [email] [pass] [name]` | Register new account | `bw.sh register user@example.com pass123 \"My Name\"` |\n| `login` | Login & unlock vault | `bw.sh login` |\n| `status` | Show vault status | `bw.sh status` |\n| `list [search]` | List/search items | `bw.sh list github` |\n| `get <name\\|id>` | Get full item JSON | `bw.sh get \"GitHub\"` |\n| `get-password <name\\|id>` | Get password only | `bw.sh get-password \"GitHub\"` |\n| `get-username <name\\|id>` | Get username only | `bw.sh get-username \"GitHub\"` |\n| `create <name> <user> <pass> [uri] [notes]` | Create login | `bw.sh create \"GitHub\" user pass https://github.com` |\n| `generate [length]` | Generate password | `bw.sh generate 32` |\n| `delete <id>` | Delete item | `bw.sh delete <uuid>` |\n| `lock` | Lock vault | `bw.sh lock` |\n\n## Workflow\n\n1. First call per session: `bw.sh login` (auto-authenticates from configured credentials)\n2. Session token cached at `/tmp/.bw_session`\n3. All subsequent commands auto-use the cached session\n4. After reboot/restart: run `login` again\n\n## Storing New Credentials\n\n```bash\n# Generate + store\nPASS=$(bash skills/bitwarden/bw.sh generate 32)\nbash skills/bitwarden/bw.sh create \"New Service\" \"user@email.com\" \"$PASS\" \"https://service.com\"\n```\n\n## Account Registration\n\nRegister a new account on your Bitwarden/Vaultwarden server directly from the CLI:\n\n```bash\n# Register using configured credentials (from env/credentials file)\nbash skills/bitwarden/bw.sh register\n\n# Register with explicit credentials\nbash skills/bitwarden/bw.sh register \"user@example.com\" \"SecurePass123!\" \"Display Name\"\n```\n\n**How it works:**\n- Derives a master key using PBKDF2-SHA256 (600,000 iterations) with the email as salt\n- Creates a master password hash for server authentication\n- Generates a 64-byte symmetric key, encrypted with AES-256-CBC + HMAC-SHA256\n- Submits registration to the server's `/api/accounts/register` endpoint\n\n**Requirements:** Python 3 with `cryptography` and `requests` packages.\n\n**Note:** The master password must be at least 12 characters. Works with both official Bitwarden and Vaultwarden servers.\n\n## Guardrails\n\n- Never paste secrets into logs, chat, or code.\n- Keep `bitwarden.env` out of version control.\n- Use `chmod 600` on credential files.\n- Session tokens are stored in `/tmp` and cleared on lock/logout.\n\n## External Endpoints\n\n| Endpoint | Purpose | Data Sent |\n|----------|---------|-----------|\n| User-configured BW_SERVER | Bitwarden/Vaultwarden API | Encrypted vault data, authentication credentials |\n\n**Note:** The skill communicates with the Bitwarden server you configure via `BW_SERVER`. For official Bitwarden, this is `https://vault.bitwarden.com`. For Vaultwarden, this is your self-hosted instance URL.\n\n## Security & Privacy\n\n**What leaves your machine:**\n- Authentication requests (email, master password) to your configured Bitwarden server\n- Encrypted vault data (create/read/update/delete operations)\n- All communication uses HTTPS/TLS\n\n**What stays local:**\n- Session tokens (cached in `/tmp/.bw_session`)\n- Credential files (if using `bitwarden.env`)\n- Decrypted passwords (only in memory, never written to disk)\n\n**Trust statement:**\nBy using this skill, you are sending authentication credentials and vault data to the Bitwarden server you configure. Only install this skill if you trust your Bitwarden/Vaultwarden instance.\n\n## Model Invocation\n\nThis skill can be invoked autonomously by your OpenClaw agent when it needs to:\n- Store credentials securely\n- Retrieve passwords for automation tasks\n- Generate secure passwords\n\nIf you prefer manual approval before password operations, configure your OpenClaw agent's tool policy accordingly.\n\n## Security Best Practices\n\n1. **Credentials file:** Use `chmod 600` on `secrets/bitwarden.env`\n2. **Environment isolation:** Don't share credential files across systems\n3. **Session tokens:** Automatically expire; run `bw.sh lock` when done\n4. **Git:** The `.gitignore` excludes all secrets (`secrets/`, `*.env`, `.bw_session`)\n5. **Master password:** Never hardcode or log your master password\n","tags":{"latest":"1.0.3"},"stats":{"comments":0,"downloads":197,"installsAllTime":7,"installsCurrent":0,"stars":0,"versions":1},"createdAt":1771428136376,"updatedAt":1778491574637},"latestVersion":{"version":"1.0.3","createdAt":1771428136376,"changelog":"- Adds a detailed SKILL.md guide for Bitwarden & Vaultwarden password manager integration.\n- Documents environment variable and credentials file setup for configuration.\n- Lists all available CLI commands and usage examples.\n- Explains security practices, data flow, and session token handling.\n- Includes registration workflow and technical requirements for both Bitwarden and Vaultwarden.","license":null},"metadata":{"setup":[{"key":"BW_SERVER","required":true},{"key":"BW_EMAIL","required":true},{"key":"BW_MASTER_PASSWORD","required":true}],"os":null,"systems":null},"owner":{"handle":"twhidden","userId":"s17dr5w2mbewxth6rgn5n0yt9d885ans","displayName":"Travis Whidden","image":"https://avatars.githubusercontent.com/u/9921122?v=4"},"moderation":null}