Wip 1password Private

Headless plugin for 1Password secrets using service accounts, resolving op:// references, reading/writing secrets, and listing vault items via JS SDK.

Parker Todd Brooks@parkertoddbrooks

Install

openclaw skills install @parkertoddbrooks/wip-1password

wip-1password

AI plugin (Claude Code, OpenClaw) for 1Password secrets. Uses the official JavaScript SDK with service accounts for fully headless operation... no desktop app, no biometrics, no popups.

When to Use This Skill

Use wip-1password for:

Resolving op:// secret references in config files at startup
Reading API keys, tokens, and credentials from 1Password at runtime
Storing new secrets in 1Password vaults
Listing available secrets in a vault

Do NOT Use For

Managing 1Password accounts or users (use the 1Password admin console)
Accessing built-in vaults (Shared, Employee, Private). Service accounts only work with custom vaults.
Repos that don't use OpenClaw (use the op CLI directly instead)

API Reference

OpenClaw Plugin (startup resolver)

Resolves op://vault/item/field strings in openclaw.json at boot. Values exist in memory only... never written to disk.

jsonc

// In openclaw.json
"someService": {
  "apiKey": "op://Agent Secrets/Some Service/api key"
}

Agent Tools

text

op_read_secret({ item: "OpenAI API", vault: "Agent Secrets", field: "api key" })
op_list_items({ vault: "Agent Secrets" })
op_write_secret({ item: "New Key", value: "sk-...", vault: "Agent Secrets" })

Module

typescript

import { resolveSecretRefs } from "@wipcomputer/wip-1password";

const resolved = await resolveSecretRefs({
  apiKey: "op://Agent Secrets/OpenAI API/api key",
});

Setup

bash

# 1. Save service account token
mkdir -p ~/.openclaw/secrets
echo "ops_..." > ~/.openclaw/secrets/op-sa-token
chmod 600 ~/.openclaw/secrets/op-sa-token

# 2. Enable in openclaw.json
# plugins.entries.op-secrets.enabled = true
# plugins.entries.op-secrets.config.defaultVault = "Agent Secrets"

# 3. Test
openclaw op-secrets test

Key Rules

Never call op bare. Always prefix with OP_SERVICE_ACCOUNT_TOKEN.
Never log secret values. Store in variables only.
Leave memorySearch.remote as {} ... the plugin sets process.env.OPENAI_API_KEY instead.
Service account token: Always at ~/.openclaw/secrets/op-sa-token.
Custom vaults only. Service accounts can't access built-in vaults.