ClawHub

Bitwarden Vault CLI

v1.0.0

Set up and use Bitwarden CLI (bw). Use when installing the CLI, authenticating (login/unlock), or reading secrets from your vault. Supports email/password, API key, and SSO authentication methods.

6· 3.2k·12 current·12 all-time
by@startupbros

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for startupbros/bitwarden-vault.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Bitwarden Vault CLI" (startupbros/bitwarden-vault) from ClawHub.
Skill page: https://clawhub.ai/startupbros/bitwarden-vault
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bw
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install startupbros/bitwarden-vault

ClawHub CLI

Package manager switcher

npx clawhub@latest install bitwarden-vault
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, required binary (bw), and install spec (homebrew/npm/choco/snap/native) all match the stated goal of providing Bitwarden CLI usage. There are no unrelated binaries, credentials, or config paths requested that don't belong to a password-manager CLI skill.
Instruction Scope
SKILL.md contains explicit runtime instructions to create a tmux session, run bw login/unlock, export BW_SESSION, and use bw get/list commands to read secrets. Those steps are coherent for a CLI-first Bitwarden workflow. The instructions also encourage piping secrets into environment variables and other commands — this is expected for automation but increases risk of accidental exposure. The file references environment variables (BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET, BITWARDENCLI_APPDATA_DIR) even though the registry 'requires.env' is empty; this is normal (they are standard Bitwarden variables) but worth noting.
Install Mechanism
Install options are standard package sources (Homebrew formula, npm package @bitwarden/cli, Chocolatey, snap, and direct binaries). No arbitrary or shortened URLs or extracted archives from unknown hosts are used in the provided install metadata. npm/global installs carry the usual supply-chain caveats but are expected for this tool.
Credentials
The skill does not request platform credentials or secrets itself (requires.env is empty), but the runtime instructions require and show how to export sensitive values (BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET) and how to pull vault secrets into process environment variables (e.g., exporting AWS keys). That behavior is intrinsic to a secrets-management skill but is sensitive: exporting session tokens or secrets into shell environment increases the attack surface (other processes, logs, shell history).
Persistence & Privilege
Skill does not request always:true and does not attempt to modify other skills or system-wide agent settings. It's instruction-only and has no persistent installation behavior beyond installing the expected bw binary via normal package managers.
Assessment
This skill appears to do what it says (help you install and use the Bitwarden CLI). Before installing or using it: 1) Verify the bw binary you install is the official Bitwarden client (use Homebrew, the official npm package @bitwarden/cli, Chocolatey, snap, or official downloads) and check signatures/URLs where possible. 2) Be cautious exporting BW_SESSION or vault secrets into long-lived shells or files — any process that shares the session or the environment can read those values. Prefer transient, short-lived sessions and run bw commands in isolated shells or ephemeral processes; run bw lock or bw logout when finished. 3) Avoid writing secrets to disk or logs; if automation requires secrets as env vars, scope their lifetime and revoke or re-lock afterward. 4) When using npm/global installs, ensure your node environment and package sources are trusted. 5) If you will allow an autonomous agent to use this skill, explicitly decide whether you want the agent to access your vault and consider limiting its access (create limited API keys or separate vault items).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔒 Clawdis
Binsbw

Install

Install Bitwarden CLI (brew)
Bins: bw
brew install bitwarden-cli
latestvk9767rfmss4jdxez0hh3w04q7h801y4r
3.2kdownloads
6stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@startupbros
latest
Download

Bitwarden CLI Skill

The Bitwarden command-line interface (CLI) provides full access to your Bitwarden vault for retrieving passwords, secure notes, and other secrets programmatically.

Workflow Requirements

CRITICAL: Always run bw commands inside a dedicated tmux session. The CLI requires a session key (BW_SESSION) for all vault operations after authentication. A tmux session preserves this environment variable across commands.

Required Workflow

  1. Verify CLI installation: Run bw --version to confirm the CLI is available
  2. Create a dedicated tmux session: tmux new-session -d -s bw-session
  3. Attach and authenticate: Run bw login or bw unlock inside the session
  4. Export session key: After unlock, export BW_SESSION as instructed by the CLI
  5. Execute vault commands: Use bw get, bw list, etc. within the same session

Authentication Methods

MethodCommandUse Case
Email/Passwordbw loginInteractive sessions, first-time setup
API Keybw login --apikeyAutomation, scripts (requires separate unlock)
SSObw login --ssoEnterprise/organization accounts

After bw login with email/password, your vault is automatically unlocked. For API key or SSO login, you must subsequently run bw unlock to decrypt the vault.

Session Key Management

The unlock command outputs a session key. You must export it:

# Bash/Zsh
export BW_SESSION="<session_key_from_unlock>"

# Or capture automatically
export BW_SESSION=$(bw unlock --raw)

Session keys remain valid until you run bw lock or bw logout. They do not persist across terminal windows—hence the tmux requirement.

Reading Secrets

# Get password by item name
bw get password "GitHub"

# Get username
bw get username "GitHub"

# Get TOTP code
bw get totp "GitHub"

# Get full item as JSON
bw get item "GitHub"

# Get specific field
bw get item "GitHub" | jq -r '.fields[] | select(.name=="api_key") | .value'

# List all items
bw list items

# Search items
bw list items --search "github"

Security Guardrails

  • NEVER expose secrets in logs, code, or command output visible to users
  • NEVER write secrets to disk unless absolutely necessary
  • ALWAYS use bw lock when finished with vault operations
  • PREFER reading secrets directly into environment variables or piping to commands
  • If you receive "Vault is locked" errors, re-authenticate with bw unlock
  • If you receive "You are not logged in" errors, run bw login first
  • Stop and request assistance if tmux is unavailable on the system

Environment Variables

VariablePurpose
BW_SESSIONSession key for vault decryption (required for all vault commands)
BW_CLIENTIDAPI key client ID (for --apikey login)
BW_CLIENTSECRETAPI key client secret (for --apikey login)
BITWARDENCLI_APPDATA_DIRCustom config directory (enables multi-account setups)

Self-Hosted Servers

For Vaultwarden or self-hosted Bitwarden:

bw config server https://your-bitwarden-server.com

Reference Documentation

Comments

Loading comments...