
1password skill

This skill helps you securely manage 1Password CLI sessions inside tmux, sign in, and read secrets without exposing them.

npx playbooks add skill steipete/agent-scripts --skill 1password

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: 1password
description: Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
homepage: https://developer.1password.com/docs/cli/get-started/
metadata: {"clawdbot":{"emoji":"🔐","requires":{"bins":["op"]},"install":[{"id":"brew","kind":"brew","formula":"1password-cli","bins":["op"],"label":"Install 1Password CLI (brew)"}]}}
---

# 1Password CLI

Follow the official CLI get-started steps. Don't guess install commands.

## References

- `references/get-started.md` (install + app integration + sign-in flow)
- `references/cli-examples.md` (real `op` examples)

## Workflow

1. Check OS + shell.
2. Verify CLI present: `op --version`.
3. Confirm desktop app integration is enabled (per get-started) and the app is unlocked.
4. REQUIRED: create a fresh tmux session for all `op` commands (no direct `op` calls outside tmux).
5. Sign in / authorize inside tmux: `op signin` (expect app prompt).
6. Verify access inside tmux: `op whoami` (must succeed before any secret read).
7. If multiple accounts: use `--account` or `OP_ACCOUNT`.

## REQUIRED tmux session (T-Max)

The shell tool uses a fresh TTY per command. To avoid re-prompts and failures, always run `op` inside a dedicated tmux session with a fresh socket/session name.

Example (see the `tmux` skill for socket conventions; do not reuse old session names):

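```bash
# Dedicated socket directory and a unique session name for this run.
SOCKET_DIR="${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/clawdbot-tmux-sockets}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/clawdbot-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"

# Start a detached session, then type each op command into its first pane.
# send-keys only types the command; approve the app prompt before capturing output.
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op signin --account my.1password.com" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op vault list" Enter
# Print the visible pane plus up to 200 lines of scrollback (wrapped lines joined).
# The capture holds whatever the commands printed, so treat it like a log.
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
tmux -S "$SOCKET" kill-session -t "$SESSION"
```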

## Guardrails

- Never paste secrets into logs, chat, or code.
- Prefer `op run` / `op inject` over writing secrets to disk.
- If sign-in without app integration is needed, use `op account add`.
- If a command returns "account is not signed in", re-run `op signin` inside tmux and authorize in the app.
- Do not run `op` outside tmux; stop and ask if tmux is unavailable.
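
A preflight wrapper that enforces workflow steps 2, 4 and 6 and the tmux guardrail before any `op` call. This is an added example, not part of the skill or of 1Password's tooling; the name `op_guarded` and its return codes are assumptions made for illustration.

```bash
# Added example: refuse to run op unless the workflow's preconditions hold.
# op_guarded and the return codes 10/11/12 are hypothetical, chosen for this sketch.

op_guarded() {
  # Step 2: the CLI must be installed.
  if ! command -v op >/dev/null 2>&1; then
    echo "op_guarded: op not found; follow references/get-started.md" >&2
    return 10
  fi

  # Step 4 and guardrail: tmux exports TMUX inside every pane it starts,
  # so an empty value means this shell is not running inside tmux.
  if [ -z "${TMUX:-}" ]; then
    echo "op_guarded: not inside tmux; stop and ask" >&2
    return 11
  fi

  # Step 6: whoami must succeed before any secret read.
  # Its output is discarded so account details stay out of the pane scrollback.
  # With several accounts, OP_ACCOUNT (step 7) selects which one is checked.
  if ! op whoami >/dev/null 2>&1; then
    echo "op_guarded: account is not signed in; re-run op signin inside tmux" >&2
    return 12
  fi

  # All checks passed: hand the original arguments to op unchanged.
  op "$@"
}
```

Inside the tmux pane, call `op_guarded vault list` in place of `op vault list`; a non-zero return means stop rather than retry outside tmux.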

Overview

This skill helps set up and use the 1Password CLI (op) in an automated agent environment. It documents verification steps, required tmux session handling, and safe patterns for signing in, authorizing, and running or injecting secrets. The guidance prevents common failures caused by ephemeral TTYs and accidental secret leaks.

How this skill works

The skill inspects the OS and shell, verifies the op binary is installed, and checks desktop app integration and unlock state. It requires creating a fresh, dedicated tmux session for all op interactions so the CLI uses a stable TTY/socket. Within that session you sign in, authorize via the desktop app prompt, and verify access with op whoami before reading or injecting secrets.

When to use it

  • Installing or verifying the 1Password CLI on a host
  • Enabling and validating desktop app integration for op
  • Signing in to single or multiple 1Password accounts via CLI
  • Reading, injecting, or running secrets securely with op
  • Any agent flow that needs stable TTY/socket behavior for op

Best practices

  • Always create a fresh tmux session/socket for every op workflow; do not reuse old session names
  • Run op commands only inside the dedicated tmux session; do not call op directly from ephemeral shells
  • Prefer op run or op inject to avoid writing secrets to disk or logs
  • Verify op --version and op whoami inside tmux before attempting secret reads
  • If multiple accounts exist, specify --account or set OP_ACCOUNT explicitly

Example use cases

  • Automated agent needs to sign in and fetch an API key from a 1Password vault
  • CI job prepares a tmux-auth session, authorizes via app integration, then injects secrets into a runtime
  • Developer sets up desktop app integration and confirms access using op whoami inside tmux
  • Troubleshooting 'account is not signed in' by re-running op signin inside a fresh tmux session

FAQ

Why must I use tmux for every op command?

The 1Password CLI and desktop integration expect a persistent TTY/socket. Using a fresh tmux session provides a stable socket and prevents repeated re-prompts or failures caused by the shell tool creating new ephemeral TTYs.

What if I can't use tmux in this environment?

Stop and ask for an alternative. Do not run op commands outside tmux. If tmux is unavailable, perform interactive sign-in on a supported host or use op account add as a fallback with caution.