playbooks

home / skills / openclaw / openclaw / 1password

1password skill

/skills/1password

This skill guides you through installing, signing in, and securely using the 1Password CLI within a dedicated tmux session to manage secrets.

This is most likely a fork of the 1password skill from openclaw
npx playbooks add skill openclaw/openclaw --skill 1password

Review the files below or copy the command above to add this skill to your agents.

Files (3)
SKILL.md
2.6 KB
---
name: 1password
description: Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
homepage: https://developer.1password.com/docs/cli/get-started/
metadata:
  {
    "openclaw":
      {
        "emoji": "🔐",
        "requires": { "bins": ["op"] },
        "install":
          [
            {
              "id": "brew",
              "kind": "brew",
              "formula": "1password-cli",
              "bins": ["op"],
              "label": "Install 1Password CLI (brew)",
            },
          ],
      },
  }
---

# 1Password CLI

Follow the official CLI get-started steps. Don't guess install commands.

## References

- `references/get-started.md` (install + app integration + sign-in flow)
- `references/cli-examples.md` (real `op` examples)

## Workflow

1. Check OS + shell.
2. Verify CLI present: `op --version`.
3. Confirm desktop app integration is enabled (per get-started) and the app is unlocked.
4. REQUIRED: create a fresh tmux session for all `op` commands (no direct `op` calls outside tmux).
5. Sign in / authorize inside tmux: `op signin` (expect app prompt).
6. Verify access inside tmux: `op whoami` (must succeed before any secret read).
7. If multiple accounts: use `--account` or `OP_ACCOUNT`.

## REQUIRED tmux session (T-Max)

The shell tool uses a fresh TTY per command. To avoid re-prompts and failures, always run `op` inside a dedicated tmux session with a fresh socket/session name.

Example (see `tmux` skill for socket conventions, do not reuse old session names):

```bash
SOCKET_DIR="${OPENCLAW_TMUX_SOCKET_DIR:-${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/openclaw-tmux-sockets}}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/openclaw-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"

tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op signin --account my.1password.com" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op vault list" Enter
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
tmux -S "$SOCKET" kill-session -t "$SESSION"
```

## Guardrails

- Never paste secrets into logs, chat, or code.
- Prefer `op run` / `op inject` over writing secrets to disk.
- If sign-in without app integration is needed, use `op account add`.
- If a command returns "account is not signed in", re-run `op signin` inside tmux and authorize in the app.
- Do not run `op` outside tmux; stop and ask if tmux is unavailable.

Overview

This skill helps set up and use the 1Password CLI (op) reliably and securely. It focuses on correct installation, enabling desktop app integration, signing in (single or multi-account), and safe secret access patterns. The workflow enforces running op inside a dedicated tmux session to avoid TTY and authorization problems.

How this skill works

The skill inspects your OS and shell, verifies op is installed, and confirms the desktop app is integrated and unlocked. It requires creating a fresh tmux session for all op commands, signing in and authorizing inside that session, and validating access with op whoami before reading secrets. It prefers op run or op inject to avoid writing secrets to disk and provides multi-account handling via --account or OP_ACCOUNT.

When to use it

  • Installing the 1Password CLI and enabling desktop app integration.
  • Signing in to 1Password from a machine where the desktop app will authorize CLI access.
  • Running commands that read, inject, or run secrets programmatically.
  • Handling multiple 1Password accounts from the same environment.
  • Troubleshooting "account is not signed in" or TTY-related failures.

Best practices

  • Always follow the official CLI get-started steps for installation; do not guess install commands.
  • Create a fresh, dedicated tmux session and socket for every op authentication flow to avoid re-prompts and stale sockets.
  • Run op signin and authorize via the desktop app inside tmux, then verify with op whoami before any secret access.
  • Prefer op run or op inject instead of writing secrets to disk; never paste secrets into logs, chat, or code.
  • For multiple accounts use --account or set OP_ACCOUNT; if app integration isn’t possible use op account add.

Example use cases

  • Install the CLI, enable desktop app integration, then sign in and verify identity inside a fresh tmux session.
  • Run op whoami and op vault list inside tmux to confirm access before automated secret reads.
  • Use op run to execute a command that consumes a secret without creating a file on disk.
  • Switch between multiple 1Password accounts by supplying --account or setting OP_ACCOUNT in the tmux environment.
  • Recover from an "account is not signed in" error by re-running op signin inside tmux and authorizing the app.

FAQ

Why must I use tmux for op commands?

The CLI and desktop app integration expect a persistent TTY. A fresh tmux session with its own socket prevents re-prompts, broken authorization flows, and ephemeral-tty failures.

What if I can’t enable desktop app integration?

Use op account add to sign in without app integration, but be cautious and follow secure handling practices; prefer app integration when possible.