1password-cli
Use this skill when working with the 1Password CLI (`op` command) for secrets management, retrieving API keys, injecting secrets into development environments, or any task involving 1Password vault operations. Triggers on: "1password", "op command", "secrets management", "api keys from vault", "op run", "op read", "service account token".
Best use case
1password-cli is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using 1password-cli should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/1password-cli/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How 1password-cli Compares
| Feature / Agent | 1password-cli | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use this skill when working with the 1Password CLI (`op` command) for secrets management, retrieving API keys, injecting secrets into development environments, or any task involving 1Password vault operations. Triggers on: "1password", "op command", "secrets management", "api keys from vault", "op run", "op read", "service account token".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 1Password CLI Skill

Use this skill when working with the 1Password CLI (`op` command) for secrets management, retrieving API keys, or injecting secrets into development environments.

## Installation

```bash
# macOS
brew install 1password-cli

# Verify installation
op --version
```

## Authentication Methods

### 1. Desktop App Integration (Interactive - Recommended for Development)

Enable biometric authentication (Touch ID/Windows Hello) through the 1Password desktop app:

1. Open 1Password app > Settings > Developer
2. Enable "Integrate with 1Password CLI"
3. Run any `op` command - you'll be prompted to authenticate

```bash
# This will prompt for biometric auth
op vault list
```

### 2. Service Account Token (Non-Interactive - CI/CD & Automation)

For automated environments without user interaction:

```bash
# Set the service account token as environment variable
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."

# Now commands work without prompts
op vault list
```

Create service accounts in 1Password.com > Developer Tools > Service Accounts.

### 3. Manual Sign In (Legacy)

```bash
# Sign in and create a session
eval "$(op signin)"

# Or for a specific account
eval "$(op signin --account my-team.1password.com)"
```

## Secret Reference Syntax

Secret references use the URI format: `op://vault/item/[section/]field`

```
op://vault-name/item-name/field-name           # Simple field
op://vault-name/item-name/section/field-name   # Field in a section
op://Private/GitHub/password                   # Example: GitHub password
op://dev/Stripe/publishable-key                # Example: Stripe key
```

### Get Secret References

```bash
# Get reference for a specific field
op item get "GitHub" --vault Private --fields password --format json | jq -r '.reference'
# Output: op://Private/GitHub/password
```

## Reading Secrets

### Read a Single Secret

```bash
# Using secret reference
op read "op://vault-name/item-name/field-name"

# Examples
op read "op://Private/API Keys/openai-key"
op read "op://dev/Database/password"
```

### Get Item Details

```bash
# Get full item as JSON
op item get "item-name" --vault "vault-name" --format json

# Get specific field
op item get "GitHub" --fields password

# Get multiple fields
op item get "Database" --fields username,password
```

### List Items

```bash
# List all vaults
op vault list

# List items in a vault
op item list --vault "Private"

# Search for items
op item list --tags api-key
```

## Injecting Secrets into Environment Variables

### Using `op run`

The most secure way to use secrets - they exist only during command execution:

```bash
# Set secret reference in environment
export DB_PASSWORD="op://app-prod/database/password"

# Run command with secrets injected
op run -- ./my-script.sh

# Secrets are automatically masked in output
op run -- printenv DB_PASSWORD
# Shows: <concealed by 1Password>

# Disable masking if needed
op run --no-masking -- printenv DB_PASSWORD
```

### Using .env Files

Create a `.env` file with secret references:

```bash
# .env file
DATABASE_URL="op://dev/postgres/connection-string"
API_KEY="op://dev/my-api/key"
SECRET_TOKEN="op://dev/app/secret-token"
```

Run with the env file:

```bash
op run --env-file=.env -- npm start
op run --env-file=.env -- python app.py
```

### Environment-Specific Secrets

Use variables to switch between environments:

```bash
# .env file with variable
DB_PASSWORD="op://$APP_ENV/database/password"

# Switch environments
APP_ENV=dev op run --env-file=.env -- ./start.sh
APP_ENV=prod op run --env-file=.env -- ./start.sh
```

## Common Use Cases

### Retrieve API Keys for Development

```bash
# Get a single API key
OPENAI_KEY=$(op read "op://Private/OpenAI/api-key")

# Use in a command
curl -H "Authorization: Bearer $(op read 'op://Private/OpenAI/api-key')" ...
```

### Populate Environment for Local Development

```bash
# Create .env.local with secret references
cat > .env.local << 'EOF'
SUPABASE_URL="op://dev/Supabase/url"
SUPABASE_KEY="op://dev/Supabase/service-role-key"
ANTHROPIC_API_KEY="op://dev/Anthropic/api-key"
EOF

# Start development server with secrets
op run --env-file=.env.local -- npm run dev
```

### Export Secrets to Shell Session

```bash
# Export secrets for current shell session
export GITHUB_TOKEN=$(op read "op://Private/GitHub/token")
export NPM_TOKEN=$(op read "op://Private/npm/token")
```

### Use in Scripts

```bash
#!/bin/bash
# deploy.sh - uses 1Password for secrets

# Ensure we have access
op whoami > /dev/null 2>&1 || eval "$(op signin)"

# Get deployment credentials
DEPLOY_KEY=$(op read "op://prod/deploy/ssh-key")
API_TOKEN=$(op read "op://prod/api/token")

# Use in deployment...
```

## Creating and Managing Items

### Create a New Item

```bash
# Field values are passed as assignment statements (field=value), the same
# form `op item edit` uses below; `--fields` is an `op item get` flag.
# Values typed on the command line end up in shell history.

# Create API key item
op item create \
  --category "API Credential" \
  --title "My API Key" \
  --vault "dev" \
  "api-key=sk-abc123"

# Create login item
op item create \
  --category Login \
  --title "Service Account" \
  --vault Private \
  "username=admin" "password=secret123"
```

### Update an Item

```bash
# Update a field
op item edit "My API Key" --vault dev "api-key=sk-newkey456"
```

### Delete an Item

```bash
op item delete "Old API Key" --vault dev
```

## Security Best Practices

1. **Use Service Accounts for CI/CD**: Never use personal credentials in automated environments
2. **Limit Vault Access**: Service accounts should only access vaults they need
3. **Use `op run` Over Export**: Secrets only exist during command execution, not in shell history
4. **Avoid Logging Secrets**: `op run` masks secrets by default - keep it enabled
5. **Rotate Service Account Tokens**: Regularly rotate tokens used in CI/CD pipelines
6. **Use Secret References in Code**: Store references, not secrets, in configuration files
7. **Audit Access**: Review service account usage reports in 1Password.com

## Troubleshooting

### "You are not currently signed in"

```bash
# Check current session
op whoami

# Sign in again
eval "$(op signin)"

# Or set service account token
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
```

### "Item not found"

```bash
# List available vaults to verify access
op vault list

# Search for the item
op item list --vault "vault-name" | grep "item-name"
```

### Desktop App Integration Not Working

1. Ensure 1Password app is running and unlocked
2. Check Settings > Developer > "Integrate with 1Password CLI" is enabled
3. Restart terminal after enabling integration

## Quick Reference

| Command | Description |
|---------|-------------|
| `op vault list` | List all accessible vaults |
| `op item list --vault X` | List items in vault X |
| `op item get "Name"` | Get item details |
| `op read "op://..."` | Read a secret value |
| `op run -- cmd` | Run command with secrets |
| `op run --env-file=.env -- cmd` | Run with .env secrets |
| `op whoami` | Check current session |
| `op signin` | Sign in interactively |
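
An added example, not part of the skill's own source: a POSIX shell lint for the `.env` files described under "Using .env Files", enforcing best practice 6 (store references, not secrets). The function names `is_secret_ref`, `lint_env` and `sample_env` are hypothetical, the sample input is constructed, and the only grammar checked is the `op://vault/item/[section/]field` form given above.

```bash
#!/bin/sh
# Added example: fail when a .env file holds anything other than op:// secret
# references. Function names are hypothetical, not part of the op CLI.

# is_secret_ref VALUE: succeeds for op://vault/item/[section/]field.
is_secret_ref() {
  case $1 in op://*) ;; *) return 1 ;; esac
  rest=${1#op://}
  case $rest in /* | */ | *//*) return 1 ;; esac   # reject empty segments
  # Two slashes: vault/item/field. Three: vault/item/section/field.
  slashes=$(( $(printf '%s' "$rest" | tr -cd '/' | wc -c) ))
  [ "$slashes" -eq 2 ] || [ "$slashes" -eq 3 ]
}

# lint_env: read KEY=VALUE lines on stdin, print "LINE:KEY" for every value
# that is not a secret reference, and return 1 if any were found.
# The offending value itself is never printed, so the report is safe to log.
lint_env() {
  n=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    line=${line#export }
    case $line in '' | '#'*) continue ;; *=*) ;; *) continue ;; esac
    key=${line%%=*}; val=${line#*=}
    # Drop one pair of surrounding quotes, if present.
    val=${val#\"}; val=${val%\"}; val=${val#\'}; val=${val%\'}
    is_secret_ref "$val" || { echo "$n:$key"; bad=1; }
  done
  return "$bad"
}

# Constructed sample: references as used on this page, one plaintext value
# (line 4) and one reference that is missing its field segment (line 6).
sample_env() {
  cat <<'EOF'
# .env file
DATABASE_URL="op://dev/postgres/connection-string"
DB_PASSWORD="op://$APP_ENV/database/password"
API_KEY=sk-abc123
export OPENAI_KEY="op://Private/API Keys/openai-key"
SECRET_TOKEN="op://dev/app"
EOF
}

sample_env | lint_env || echo "plaintext or malformed values found" >&2
```

Run it as `lint_env < .env` in a pre-commit hook or CI step; a non-zero exit means at least one value is a literal rather than a reference.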