Bitwarden CLI

v1.0.0

Set up and use Bitwarden CLI (bw). Use when installing the CLI, authenticating (login/unlock), or reading secrets from your vault. Supports email/password, API key, and SSO authentication methods.

⭐ 1· 1.7k·0 current·0 all-time

by@startupbros·duplicate of @startupbros/bitwarden-vault

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match the behavior. The skill only documents using the Bitwarden CLI (bw), authenticating, managing BW_SESSION, and reading items; required binary 'bw' and suggested install methods (brew/npm/choco/snap/official downloads) are appropriate for this purpose.

✓

Instruction Scope

SKILL.md instructions stay within expected boundaries: installing/using bw, session management, secret retrieval, and examples for piping/exporting secrets. It does not instruct reading unrelated system files or contacting unexpected endpoints—self-hosted server URLs and vault.bitwarden.com are appropriate. It does recommend exporting secrets into environment variables or piping to commands (expected but operationally sensitive).

✓

Install Mechanism

Install guidance references standard package routes (Homebrew, npm @bitwarden/cli, Chocolatey, Snap, and official bitwarden.com downloads). No untrusted/personal download URLs or obscure installers are used in the provided spec.

✓

Credentials

Environment variables mentioned (BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET, BITWARDENCLI_APPDATA_DIR) are exactly those needed for Bitwarden CLI operations and multi-account setups. The skill does not request unrelated credentials or hidden secrets beyond these.

✓

Persistence & Privilege

Skill is instruction-only with always:false and default invocation settings; it does not request permanent presence or modify other skills or system-wide settings. Normal autonomous invocation is allowed by platform defaults but not excessive here.

Assessment

This skill is a documentation/helper for the official Bitwarden CLI and appears coherent. Before installing, verify you will install the bw binary from an official source (Homebrew, npm @bitwarden/cli, Chocolatey, Snap, or bitwarden.com). Be careful when exporting secrets into shell environment variables or command substitution—these can leak into process lists, shell history, or logs; prefer ephemeral piping or process-scope injection and run bw operations in a dedicated, secure tmux/session as instructed. If you use automation with BW_CLIENTID/BW_CLIENTSECRET, store those credentials safely and rotate them per policy. If anything in your environment or security policy disallows preserving session keys in shell environments, do not enable this skill or adapt usage to comply with your controls.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔒 Clawdis

Binsbw

Install

Install Bitwarden CLI (brew)

Bins: bw

brew install bitwarden-cli

latestvk972jezaqjgy1k0dxfaezsvhas801y4z

1.7kdownloads

1stars

1versions

Updated 1mo ago

v1.0.0

MIT-0

Bitwarden CLI Skill

The Bitwarden command-line interface (CLI) provides full access to your Bitwarden vault for retrieving passwords, secure notes, and other secrets programmatically.

Workflow Requirements

CRITICAL: Always run bw commands inside a dedicated tmux session. The CLI requires a session key (BW_SESSION) for all vault operations after authentication. A tmux session preserves this environment variable across commands.

Required Workflow

Verify CLI installation: Run bw --version to confirm the CLI is available
Create a dedicated tmux session: tmux new-session -d -s bw-session
Attach and authenticate: Run bw login or bw unlock inside the session
Export session key: After unlock, export BW_SESSION as instructed by the CLI
Execute vault commands: Use bw get, bw list, etc. within the same session

Authentication Methods

Method	Command	Use Case
Email/Password	`bw login`	Interactive sessions, first-time setup
API Key	`bw login --apikey`	Automation, scripts (requires separate unlock)
SSO	`bw login --sso`	Enterprise/organization accounts

After bw login with email/password, your vault is automatically unlocked. For API key or SSO login, you must subsequently run bw unlock to decrypt the vault.

Session Key Management

The unlock command outputs a session key. You must export it:

# Bash/Zsh
export BW_SESSION="<session_key_from_unlock>"

# Or capture automatically
export BW_SESSION=$(bw unlock --raw)

Session keys remain valid until you run bw lock or bw logout. They do not persist across terminal windows—hence the tmux requirement.

Reading Secrets

# Get password by item name
bw get password "GitHub"

# Get username
bw get username "GitHub"

# Get TOTP code
bw get totp "GitHub"

# Get full item as JSON
bw get item "GitHub"

# Get specific field
bw get item "GitHub" | jq -r '.fields[] | select(.name=="api_key") | .value'

# List all items
bw list items

# Search items
bw list items --search "github"

Security Guardrails

NEVER expose secrets in logs, code, or command output visible to users
NEVER write secrets to disk unless absolutely necessary
ALWAYS use bw lock when finished with vault operations
PREFER reading secrets directly into environment variables or piping to commands
If you receive "Vault is locked" errors, re-authenticate with bw unlock
If you receive "You are not logged in" errors, run bw login first
Stop and request assistance if tmux is unavailable on the system

Environment Variables

Variable	Purpose
`BW_SESSION`	Session key for vault decryption (required for all vault commands)
`BW_CLIENTID`	API key client ID (for `--apikey` login)
`BW_CLIENTSECRET`	API key client secret (for `--apikey` login)
`BITWARDENCLI_APPDATA_DIR`	Custom config directory (enables multi-account setups)

Self-Hosted Servers

For Vaultwarden or self-hosted Bitwarden:

bw config server https://your-bitwarden-server.com

Reference Documentation

Get Started Guide - Installation and initial setup
CLI Examples - Common usage patterns and advanced operations

Comments

Loading comments...