LetsBeBiz-Redesign/openclaw/skills/1password/SKILL.md

---
name: 1password
description: Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
homepage: https://developer.1password.com/docs/cli/get-started/
metadata:
  {
    "openclaw":
      {
        "emoji": "🔐",
        "requires": { "bins": ["op"] },
        "install":
          [
            {
              "id": "brew",
              "kind": "brew",
              "formula": "1password-cli",
              "bins": ["op"],
              "label": "Install 1Password CLI (brew)",
            },
          ],
      },
  }
---

# 1Password CLI

Follow the official CLI get-started steps. Don't guess install commands.

## References

- `references/get-started.md` (install + app integration + sign-in flow)
- `references/cli-examples.md` (real `op` examples)

## Workflow

1. Check OS + shell.
2. Verify CLI present: `op --version`.
3. Confirm desktop app integration is enabled (per get-started) and the app is unlocked.
4. REQUIRED: create a fresh tmux session for all `op` commands (no direct `op` calls outside tmux).
5. Sign in / authorize inside tmux: `op signin` (expect app prompt).
6. Verify access inside tmux: `op whoami` (must succeed before any secret read).
7. If multiple accounts: use `--account` or `OP_ACCOUNT`.

## REQUIRED tmux session (T-Max)

The shell tool uses a fresh TTY per command. To avoid re-prompts and failures, always run `op` inside a dedicated tmux session with a fresh socket/session name.

Example (see `tmux` skill for socket conventions, do not reuse old session names):

```bash
SOCKET_DIR="${OPENCLAW_TMUX_SOCKET_DIR:-${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/openclaw-tmux-sockets}}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/openclaw-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"

tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op signin --account my.1password.com" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op vault list" Enter
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
tmux -S "$SOCKET" kill-session -t "$SESSION"
```

## Guardrails

- Never paste secrets into logs, chat, or code.
- Prefer `op run` / `op inject` over writing secrets to disk.
- If sign-in without app integration is needed, use `op account add`.
- If a command returns "account is not signed in", re-run `op signin` inside tmux and authorize in the app.
- Do not run `op` outside tmux; stop and ask if tmux is unavailable.
Include full contents of all nested repositories Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 16:25:02 +01:00			`---`
			`name: 1password`
			`description: Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.`
			`homepage: https://developer.1password.com/docs/cli/get-started/`
			`metadata:`
			`{`
			`"openclaw":`
			`{`
			`"emoji": "🔐",`
			`"requires": { "bins": ["op"] },`
			`"install":`
			`[`
			`{`
			`"id": "brew",`
			`"kind": "brew",`
			`"formula": "1password-cli",`
			`"bins": ["op"],`
			`"label": "Install 1Password CLI (brew)",`
			`},`
			`],`
			`},`
			`}`
			`---`

			`# 1Password CLI`

			`Follow the official CLI get-started steps. Don't guess install commands.`

			`## References`

			- `references/get-started.md` (install + app integration + sign-in flow)
			- `references/cli-examples.md` (real `op` examples)

			`## Workflow`

			`1. Check OS + shell.`
			2. Verify CLI present: `op --version`.
			`3. Confirm desktop app integration is enabled (per get-started) and the app is unlocked.`
			4. REQUIRED: create a fresh tmux session for all `op` commands (no direct `op` calls outside tmux).
			5. Sign in / authorize inside tmux: `op signin` (expect app prompt).
			6. Verify access inside tmux: `op whoami` (must succeed before any secret read).
			7. If multiple accounts: use `--account` or `OP_ACCOUNT`.

			`## REQUIRED tmux session (T-Max)`

			The shell tool uses a fresh TTY per command. To avoid re-prompts and failures, always run `op` inside a dedicated tmux session with a fresh socket/session name.

			Example (see `tmux` skill for socket conventions, do not reuse old session names):

			```bash
			`SOCKET_DIR="${OPENCLAW_TMUX_SOCKET_DIR:-${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/openclaw-tmux-sockets}}"`
			`mkdir -p "$SOCKET_DIR"`
			`SOCKET="$SOCKET_DIR/openclaw-op.sock"`
			`SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"`

			`tmux -S "$SOCKET" new -d -s "$SESSION" -n shell`
			`tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op signin --account my.1password.com" Enter`
			`tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter`
			`tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op vault list" Enter`
			`tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200`
			`tmux -S "$SOCKET" kill-session -t "$SESSION"`
			```

			`## Guardrails`

			`- Never paste secrets into logs, chat, or code.`
			- Prefer `op run` / `op inject` over writing secrets to disk.
			- If sign-in without app integration is needed, use `op account add`.
			- If a command returns "account is not signed in", re-run `op signin` inside tmux and authorize in the app.
			- Do not run `op` outside tmux; stop and ask if tmux is unavailable.