1password-direnv-secrets
Configures 1Password CLI with direnv for fast, secure credential loading. Activates for: 1Password + direnv setup, slow secrets (>2 sec), .env.op files, op:// references, AWS credentials via env vars, --reveal flag issues, repeated biometric prompts, creating 1Password items programmatically, op item get errors. Not for: 1Password GUI usage, SSH keys (use 1Password SSH agent).
Best use case
1password-direnv-secrets is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using 1password-direnv-secrets should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/1password-direnv-secrets/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How 1password-direnv-secrets Compares
| Feature / Agent | 1password-direnv-secrets | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 1Password CLI Secret Management
Secure credential management using 1Password CLI with zero plaintext secrets on disk.
## Quick Reference
| Use Case | Approach | Details |
|-----------------------------|-----------------------|-------------------------------------------------------------------|
| All secrets (AWS, DB, APIs) | direnv + `op run` | [Core Pattern](#core-pattern-direnv--op-run) |
| CI/CD automation | Service account token | [Session Management](references/session-management.md) |
| Creating items for users | `op item create` | [Programmatic Creation](references/programmatic-item-creation.md) |
**Key insight:** Secrets load once on `cd` and all subprocesses inherit them (standard Unix `fork()` behavior). One `op` call, no re-fetching.
---
## Core Pattern: direnv + op run
**Use `op run --env-file` NOT multiple `op read` calls.**
| Approach | CLI Invocations | Load Time |
|--------------------|-----------------|------------|
| Multiple `op read` | N per secret | ~5 seconds |
| Single `op run` | 1 | ~1 second |
### Setup
**1. `.env.op`** (safe to commit - contains only `op://` references):
```bash
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
AWS_SECRET_ACCESS_KEY="op://Vault/Item/Secret Access Key"
DB_PASSWORD="op://Vault/Item/password"
```
**2. `.envrc`** (safe to commit - no secrets, just loader command):
```bash
# One op invocation resolves every reference in .env.op; direnv_load imports the result
direnv_load op run --env-file=.env.op --no-masking \
  --account=yourcompany.1password.com -- direnv dump
```
**3. Enable:** `direnv allow`
### Global Helper
Add to `~/.config/direnv/direnvrc`:
```bash
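# direnv stdlib hook: `use 1password [env_file] [account]` in .envrc calls this.
# Resolves every op:// reference in env_file with one `op run` and loads the result.
use_1password() {
  local env_file="${1:-.env.op}" account="${2:-yourcompany.1password.com}"
  [[ -f "$env_file" ]] && direnv_load op run --env-file="$env_file" \
    --no-masking --account="$account" -- direnv dump
}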
```
Then `.envrc` becomes: `use 1password`
---
## Critical: The --reveal Flag
**Concealed fields require `--reveal` to get actual values.**
```bash
# WRONG - returns placeholder text, NOT the secret!
op item get "Item" --fields "Secret Access Key"
# Output: [use 'op item get xxx --reveal' to reveal]
# CORRECT - returns actual secret value
op item get "Item" --fields "Secret Access Key" --reveal
```
**Common symptom:** `SignatureDoesNotMatch` errors from AWS indicate the secret wasn't retrieved properly.
---
## Reducing Biometric Prompts
| Scenario | Solution | Prompts |
|----------------------|----------------------------|----------------------|
| Dev entering project | direnv + `op run` | 1 on directory entry |
| CI/CD pipeline | `OP_SERVICE_ACCOUNT_TOKEN` | 0 |
**Key insight:** Sessions last 10 minutes with auto-refresh on each use. Keep the 1Password desktop app unlocked and integrated with the CLI.
> **Detailed strategies:** [references/session-management.md](references/session-management.md)
---
## Discovery Commands
```bash
op account list # Find accounts
op vault list --account mycompany.1password.com # Find vaults
op item list --account mycompany.1password.com # Find items
```
> **Full reference:** [references/discovery-commands.md](references/discovery-commands.md) - field inspection, search patterns, debugging
---
## Creating Items Programmatically
For Claude Code workflows where Claude sets up infrastructure without handling raw secrets:
```bash
# Create item with placeholder values
op item create --category "API Credential" \
  --title "AWS Service-Name" \
  --vault "Private" \
  --account mycompany.1password.com \
  "Access Key ID[text]=REPLACE_ME" \
  "Secret Access Key[concealed]=REPLACE_ME"
```
The user populates the values via the 1Password app, then Claude continues with configuration.
> **Full pattern:** [references/programmatic-item-creation.md](references/programmatic-item-creation.md)
---
## What's Safe to Commit?
| File | Safe? | Why |
|-----------|-------|--------------------------------------------------------|
| `.env.op` | Yes | Contains only `op://` pointers |
| `.envrc` | Yes | No secrets - just loader command delegating to .env.op |
| `.env` | Never | Contains actual secrets |
> The account name (e.g., `yourcompany.1password.com`) isn't sensitive - it's just an identifier. For team projects, everyone uses the same account anyway.
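`.env.op` is only safe to commit while every value in it is an `op://` pointer, so that is worth checking before each commit. The function below is an added example, not part of the original skill; the name `check_env_op` and the strict rule that any literal value is rejected are assumptions of this example.

```bash
#!/bin/sh
# Added example: refuse to commit an op-run env file that holds literal values.
# check_env_op is a hypothetical helper name; it is strict by assumption:
# every assignment must be an op://vault/item/field reference.

# check_env_op FILE -> 0 clean, 1 literal or malformed line found, 2 file missing.
# Reports "FILE:LINE: NAME ..." and never echoes the value itself.
check_env_op() {
  local file="$1" line name value n=0 bad=0
  [ -f "$file" ] || { echo "$file: not found" >&2; return 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # Trim leading and trailing whitespace.
    line="${line#"${line%%[![:space:]]*}"}"
    line="${line%"${line##*[![:space:]]}"}"
    case "$line" in
      '' | '#'*) continue ;;                   # blank line or comment
      'export '*) line="${line#export }" ;;    # tolerate an export prefix
    esac
    case "$line" in
      *=*) name="${line%%=*}"; value="${line#*=}" ;;
      *) echo "$file:$n: not a NAME=value line"; bad=1; continue ;;
    esac
    # Drop one pair of surrounding quotes, as in the .env.op shown above.
    case "$value" in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    case "$value" in
      op://?*/?*/?*) ;;                        # pointer only: safe to commit
      *) echo "$file:$n: $name is not an op:// reference"; bad=1 ;;
    esac
  done < "$file"
  return "$bad"
}

# Demo on a constructed file: line 2 holds a literal and is reported by name.
demo=$(mktemp)
printf '%s\n' 'DB_PASSWORD="op://Vault/Item/password"' \
  'API_TOKEN=constructed-literal' > "$demo"
check_env_op "$demo" || echo "literal value found; do not commit"
rm -f "$demo"
```

Called as `check_env_op .env.op` from a pre-commit hook, a non-zero return blocks the commit without ever writing the offending value to the terminal or hook log.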
---
## Troubleshooting
| Error | Fix |
|-------------------------------|---------------------------------------------|
| `SignatureDoesNotMatch` (AWS) | Add `--reveal` for concealed fields |
| `op: command not found` | `brew install --cask 1password-cli` |
| `could not find item` | Names are case-sensitive; verify exact name |
> **Full troubleshooting:** [references/session-management.md#troubleshooting-excessive-prompts](references/session-management.md#troubleshooting-excessive-prompts)
---
## Prerequisites
```bash
# Install 1Password CLI (v2.18.0+ for service accounts)
brew install --cask 1password-cli
# Install direnv (for env var approach)
brew install direnv
echo 'eval "$(direnv hook zsh)"' >> ~/.zshrc
# Sign in and integrate with desktop app
op signin --account=yourcompany.1password.com
# Verify integration
op whoami
```
**Required:** 1Password desktop app with CLI integration enabled (Settings → Developer → CLI Integration).
---
## Detailed References
- [Session Management](references/session-management.md) - Minimizing prompts, service accounts, CI/CD
- [Discovery Commands](references/discovery-commands.md) - Finding accounts, vaults, items, fields
- [Programmatic Item Creation](references/programmatic-item-creation.md) - Claude Code workflow patterns