Bitwarden

Set up and use Bitwarden CLI (bw). Use when installing the CLI, unlocking vault, or reading/generating secrets via bw. Handles session management with BW_SESSION.

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 3 · 1.9k · 4 current installs · 4 all-time installs

by@JimiHFord

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

Name/description, required binaries (bw, tmux), and the install spec (brew formulas for bitwarden-cli and tmux) are coherent with a Bitwarden CLI helper. Asking for tmux to persist BW_SESSION is a plausible design choice.

Instruction Scope

SKILL.md contains detailed runtime steps that reference additional files and conventions that are not present in the package: references/* docs, ./scripts/*.sh, and a 'tmux' skill for socket conventions. It also uses environment variables (CLAWDBOT_TMUX_SOCKET_DIR, NODE_EXTRA_CA_CERTS) without declaring them. The tmux capture commands can output secrets (session key or item JSON) into captured panes—this requires careful handling to avoid accidental leakage. The test workflow requires docker, docker-compose, mkcert and other artifacts that are not declared or bundled.

✓

Install Mechanism

Install spec is brew formulas for bitwarden-cli and tmux (well-known package sources). No arbitrary downloads or extract/install from untrusted URLs are present.

ℹ

Credentials

The skill does not require any declared credentials or secrets, which is appropriate. However the instructions expect BW_SESSION to be created/used, reference CLAWDBOT_TMUX_SOCKET_DIR and NODE_EXTRA_CA_CERTS, and advise running bw login/unlock (which will accept a master password or API key). Those environment variables are used but not declared; ensure you understand where session keys will be stored and that you never paste secrets into logs or chat.

✓

Persistence & Privilege

always is false and there are no code files that persistently modify agent/system settings. The skill is instruction-only and relies on ephemeral tmux sessions and environment variables; it does not request elevated/persistent privileges in the package metadata.

What to consider before installing

This skill is plausibly a Bitwarden CLI helper, but the instructions reference files and conventions that aren't bundled (references/*.md, ./scripts/*.sh) and expect extra tools (docker, mkcert) without declaring them. Before installing or using it: (1) inspect SKILL.md yourself and verify any scripts it references actually exist or are trustworthy; (2) if you test, do so in an isolated environment (not against your real vault) — the skill requires running bw login/unlock which will accept your master password or API key; (3) be cautious with the tmux socket directory (CLAWDBOT_TMUX_SOCKET_DIR) and with captured pane output because those commands can expose secrets to files/terminal history; (4) only install the brew formulas from trusted sources and avoid pasting credentials into chat or logs. If you want me to, I can list the exact lines that reference missing files and undeclared env vars or suggest a minimal safe test plan using a temporary Vaultwarden instance.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0

Download zip

latestvk97abehcg2wj11jqttmfcq7dzx809ed4

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis

Binsbw, tmux

Install

Install Bitwarden CLI (brew)

Bins: bw

brew install bitwarden-cli

Install tmux (brew)

Bins: tmux

brew install tmux

SKILL.md

Bitwarden CLI

Manage passwords and secrets via the Bitwarden CLI.

References

references/get-started.md (install + login + unlock flow)
references/cli-examples.md (real bw examples)

Workflow

Check CLI present: bw --version.
Check login status: bw status (returns JSON with status field).
If not logged in: bw login (stores API key, prompts for master password).
REQUIRED: create a fresh tmux session for all bw commands.
Unlock vault inside tmux: bw unlock (outputs session key).
Export session key: export BW_SESSION="<key>".
Verify access: bw sync then bw list items --search test.

REQUIRED tmux session

The Bitwarden CLI requires the BW_SESSION environment variable for authenticated commands. To persist the session across commands, always run bw inside a dedicated tmux session.

Example (see tmux skill for socket conventions):

SOCKET_DIR="${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/openclaw-tmux-sockets}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/openclaw-bw.sock"
SESSION="bw-auth-$(date +%Y%m%d-%H%M%S)"

tmux -S "$SOCKET" new -d -s "$SESSION" -n shell

# Unlock and capture session key
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- 'export BW_SESSION=$(bw unlock --raw)' Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- 'bw sync' Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- 'bw list items --search github' Enter

# Capture output
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200

# Cleanup when done
tmux -S "$SOCKET" kill-session -t "$SESSION"

Common Commands

Command	Description
`bw status`	Check login/lock status (JSON)
`bw login`	Login with email/password or API key
`bw unlock`	Unlock vault, returns session key
`bw lock`	Lock vault
`bw sync`	Sync vault with server
`bw list items`	List all items
`bw list items --search <query>`	Search items
`bw get item <id-or-name>`	Get specific item (JSON)
`bw get password <id-or-name>`	Get just the password
`bw get username <id-or-name>`	Get just the username
`bw get totp <id-or-name>`	Get TOTP code
`bw generate -ulns --length 32`	Generate password

Guardrails

Never paste secrets into logs, chat, or code.
Always use tmux to maintain BW_SESSION across commands.
Prefer bw get password over parsing full item JSON when only password needed.
If command returns "Vault is locked", re-run bw unlock inside tmux.
Do not run authenticated bw commands outside tmux; the session won't persist.
Lock vault when done: bw lock.

Testing with Vaultwarden

This skill includes a Docker Compose setup for local testing with Vaultwarden (self-hosted Bitwarden-compatible server).

Quick Start

# Install mkcert and generate local certs (one-time)
brew install mkcert
mkcert -install
cd /path/to/openclaw-bitwarden
mkdir -p certs && cd certs
mkcert localhost 127.0.0.1 ::1
cd ..

# Start Vaultwarden + Caddy
docker compose up -d

# Configure bw CLI to use local server
bw config server https://localhost:8443

# Create a test account via web UI at https://localhost:8443
# Or run the setup script:
./scripts/setup-test-account.sh

# Test the skill workflow
./scripts/test-skill-workflow.sh

Test Credentials

Server URL: https://localhost:8443
Admin Panel: https://localhost:8443/admin (token: test-admin-token-12345)
Suggested test account: test@example.com / TestPassword123!

Node.js CA Trust

The bw CLI requires the mkcert CA to be trusted. Export before running bw commands:

export NODE_EXTRA_CA_CERTS="$(mkcert -CAROOT)/rootCA.pem"

Or add to your shell profile for persistence.

Cleanup

docker compose down -v  # Remove container and data

Files

1 total

Select a file

Select a file to preview.

Comments

Loading comments…