1Password CLI for Agents
v0.1.0
Securely access and manage secrets with 1Password CLI using a Service Account token for vault operations like read, write, edit, and delete.
This skill allows agents to securely access and manage secrets using the 1Password CLI (op) and a Service Account. It provides commands for reading, writing, and managing items within a dedicated vault.
Prerequisites
- Install 1Password CLI:
  - macOS: brew install --cask 1password-cli
  - Linux/Windows: See official docs.
- Create a Service Account:
  - Go to 1Password Developer Portal.
  - Create a Service Account and grant it access to a specific vault (e.g., "Agent Vault").
  - Copy the Service Account Token.
- Set Environment Variable:
  - Set OP_SERVICE_ACCOUNT_TOKEN in your environment (e.g., .env file or export in shell).
  - For OpenClaw, you can add OP_SERVICE_ACCOUNT_TOKEN=... to .env.
Usage
All commands require the OP_SERVICE_ACCOUNT_TOKEN to be set.
1. Check Authentication
Verify the service account is working:
op whoami
2. List Vaults
List vaults accessible to the service account:
op vault list
3. Read an Item
Get details of an item (JSON format is best for parsing):
op item get "Item Name" --vault "Vault Name" --format json
Or get a specific field (e.g., password):
op read "op://Vault Name/Item Name/password"
4. Create an Item
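Create a login item (field values passed as arguments are recorded in shell history and visible in the process list while the command runs):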
op item create --category login --title "My Service" --url "https://example.com" --vault "Vault Name" username="myuser" password="mypassword"
Create a secure note:
op item create --category "Secure Note" --title "API Key" --vault "Vault Name" notes="my-secret-key"
5. Edit an Item
Update a password:
op item edit "Item Name" password="newpassword" --vault "Vault Name"
6. Delete an Item
op item delete "Item Name" --vault "Vault Name"
Tips for Agents
- Always use JSON output: Add --format json to op commands for structured data that is easier to parse.
- Security: Never print the OP_SERVICE_ACCOUNT_TOKEN or retrieved secrets to the console unless explicitly asked.
- Vaults: If multiple vaults are available, specify the --vault flag to avoid ambiguity.
- Rate Limits: Service accounts have rate limits. Cache results if possible or retry with backoff.
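An added example (not part of the original skill) that applies the tips above in Python: JSON output, an explicit --vault, retry with backoff, and no secret ever written to a log or error message. The names run_op, get_field and fetch_secret are hypothetical, and the "fields" list with id/label/value keys is the assumed shape of op item get JSON output.

```python
import json
import subprocess
import time

# Error texts quoted in this page's Troubleshooting section; a retry cannot fix them.
FATAL_ERRORS = ("not currently signed in", "not authorized")


class OpError(RuntimeError):
    """op failed. The message carries stderr only, never stdout (which may hold secrets)."""


def run_op(args, retries=4, base_delay=1.0, runner=subprocess.run, sleep=time.sleep):
    """Run `op <args> --format json` and return parsed JSON, backing off on failure."""
    cmd = ["op", *args, "--format", "json"]
    for attempt in range(retries + 1):
        # OP_SERVICE_ACCOUNT_TOKEN is inherited from the environment, never put on argv.
        proc = runner(cmd, capture_output=True, text=True)
        if proc.returncode == 0:
            return json.loads(proc.stdout)
        err = proc.stderr.strip()
        if attempt == retries or any(marker in err for marker in FATAL_ERRORS):
            raise OpError(f"op failed: {err}")
        sleep(base_delay * 2 ** attempt)  # 1s, 2s, 4s, ... between attempts


def get_field(item, label):
    """Return one field value from item JSON (assumed shape: a "fields" list)."""
    for field in item.get("fields", []):
        if label in (field.get("id"), field.get("label")):
            return field.get("value")
    raise KeyError(label)  # names the missing field, not any secret value


def fetch_secret(item_name, vault, label="password", **kwargs):
    """Fetch one field with an explicit --vault. The caller must not print the result."""
    item = run_op(["item", "get", item_name, "--vault", vault], **kwargs)
    return get_field(item, label)
```

The runner and sleep parameters exist so the retry logic can be exercised without a real op binary or real delays.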
Troubleshooting
- "You are not currently signed in": Ensure OP_SERVICE_ACCOUNT_TOKEN is set correctly.
- "account is not authorized": Check that the service account has permission for the specific vault and operation (read/write).
