
1Password Cli For Agents

Verified

@sichengchen

npx machina-cli add skill @sichengchen/1password-cli --openclaw
Files (1)
SKILL.md
2.6 KB

1Password CLI for Agents

This skill allows agents to securely access and manage secrets using the 1Password CLI (op) and a Service Account. It provides commands for reading, writing, and managing items within a dedicated vault.

Prerequisites

  1. Install 1Password CLI:
    • macOS: brew install --cask 1password-cli
    • Linux/Windows: See official docs.
  2. Create a Service Account:
    • Go to 1Password Developer Portal.
    • Create a Service Account and grant it access to a specific vault (e.g., "Agent Vault").
    • Copy the Service Account Token.
  3. Set Environment Variable:
    • Set OP_SERVICE_ACCOUNT_TOKEN in your environment (e.g., .env file or export in shell).
    • For OpenClaw, you can add OP_SERVICE_ACCOUNT_TOKEN=... to .env.

Usage

All commands require the OP_SERVICE_ACCOUNT_TOKEN to be set.

1. Check Authentication

Verify the service account is working:

op whoami

2. List Vaults

List vaults accessible to the service account:

op vault list

3. Read an Item

Get details of an item (JSON format is best for parsing):

op item get "Item Name" --vault "Vault Name" --format json

Or get a specific field (e.g., password):

op read "op://Vault Name/Item Name/password"

4. Create an Item

Create a login item:

op item create --category login --title "My Service" --url "https://example.com" --vault "Vault Name" username="myuser" password="mypassword"

Create a secure note:

op item create --category "Secure Note" --title "API Key" --vault "Vault Name" notes="my-secret-key"

5. Edit an Item

Update a password:

op item edit "Item Name" password="newpassword" --vault "Vault Name"

6. Delete an Item

op item delete "Item Name" --vault "Vault Name"

Tips for Agents

  • Always use JSON output: Add --format json to op commands for structured data that is easier to parse.
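  • Security: Never print the OP_SERVICE_ACCOUNT_TOKEN or retrieved secrets to the console unless explicitly asked. Values passed as command-line assignments (as in the create and edit examples above) can also end up in shell history and be visible in the process list.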
  • Vaults: If multiple vaults are available, specify the --vault flag to avoid ambiguity.
  • Rate Limits: Service accounts have rate limits. Cache results if possible or retry with backoff.

Troubleshooting

  • "You are not currently signed in": Ensure OP_SERVICE_ACCOUNT_TOKEN is set correctly.
  • "account is not authorized": Check that the service account has permission for the specific vault and operation (read/write).
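
One way to combine the Security and Rate Limits tips with the two troubleshooting messages above, as an added example (not part of the skill or of 1Password's own code). The function name op_read_retry, the OP_RETRY_BASE_DELAY variable, and the exit codes are hypothetical, and it assumes the quoted error messages appear on the CLI's stderr:

```shell
#!/usr/bin/env bash
# Added example: read one secret with `op read`, retrying transient failures
# (such as rate limiting) with exponential backoff. All names are illustrative.
# OP_RETRY_BASE_DELAY: first backoff delay in seconds (assumed default: 1).
op_read_retry() {
  local ref max_attempts delay attempt out err_file
  ref="$1"
  max_attempts="${2:-4}"
  delay="${OP_RETRY_BASE_DELAY:-1}"
  attempt=1

  if [ -z "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]; then
    echo "op_read_retry: OP_SERVICE_ACCOUNT_TOKEN is not set" >&2
    return 2
  fi

  err_file="$(mktemp)" || return 1
  while :; do
    # Capture the value in a variable; diagnostics go to a private temp file,
    # so the secret is never mixed into log or error output.
    if out="$(op read "$ref" 2>"$err_file")"; then
      rm -f "$err_file"
      printf '%s' "$out"
      return 0
    fi
    # Sign-in and authorization errors will not fix themselves: fail fast.
    if grep -qiE 'not currently signed in|not authorized' "$err_file"; then
      echo "op_read_retry: auth error for $ref (check token and vault access)" >&2
      rm -f "$err_file"
      return 3
    fi
    if [ "$attempt" -ge "$max_attempts" ]; then
      echo "op_read_retry: giving up on $ref after $attempt attempts" >&2
      rm -f "$err_file"
      return 1
    fi
    sleep "$delay"
    delay=$((delay * 2))
    attempt=$((attempt + 1))
  done
}
```

Capture the result with secret="$(op_read_retry "op://Vault Name/Item Name/password")" and hand it to the consuming process through a variable rather than echoing it.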

Source

git clone https://clawhub.ai/sichengchen/1password-cli

Overview

This skill enables agents to securely access and manage secrets via the 1Password CLI (op) using a Service Account. It supports reading, writing, editing, and deleting items in a dedicated vault, enabling granular access control and auditable actions.

How This Skill Works

Agents authenticate with a Service Account token stored in OP_SERVICE_ACCOUNT_TOKEN and run op commands scoped to a specific vault. Typical operations use op item get, op item create, op item edit, and op item delete, often with --vault and --format json for structured output. Verification is done with op whoami and vault enumeration with op vault list.

When to Use It

  • Read a secret from a specific vault to feed an automation workflow
  • Create a new login item or secure note for a service the team uses
  • Update an existing secret such as a password or API key
  • Delete outdated or revoked credentials from a vault
  • Audit which vaults and items the service account can access

Quick Start

  1. Install 1Password CLI and set OP_SERVICE_ACCOUNT_TOKEN in your environment
  2. Verify access with op whoami and list vaults with op vault list
  3. Manage secrets using op item get/create/edit/delete with --vault and optional --format json

Best Practices

  • Always set OP_SERVICE_ACCOUNT_TOKEN and avoid printing it or secrets to the console
  • Use --format json for structured, parsable output
  • Always specify --vault to scope operations to the correct vault
  • Cache or batch read operations when possible to respect rate limits
  • Review permissions on the Service Account to ensure least-privilege access

Example Use Cases

  • Read a password from a specific item: op read "op://Vault Name/Item Name/password"
  • Create a new service login: op item create --category login --title "My Service" --vault "Vault Name" username="user" password="pass"
  • Update a credential: op item edit "Item Name" password="newpassword" --vault "Vault Name"
  • Delete an obsolete credential: op item delete "Obsolete Item" --vault "Vault Name"
  • List accessible vaults for the service account: op vault list
