secrets-1password
1Password Developer CLI Skill
This skill provides workflows and helper scripts for managing secrets through the 1Password Developer CLI (op).
Quick Start Onboarding
Step 1: Install 1Password CLI
macOS (Homebrew):
brew install --cask 1password-cli
macOS (Direct Download):
curl -sS https://downloads.1password.com/mac/op-arm64/pkg/op_darwin_arm64_v2.30.0.pkg -o op.pkg
sudo installer -pkg op.pkg -target /
rm op.pkg
Linux:
curl -sS https://downloads.1password.com/linux/op-arm64-v2.30.0.zip -o op.zip
unzip -d op op.zip
sudo mv op/op /usr/local/bin/
rm -rf op op.zip
Verify installation:
op --version
Step 2: Authenticate
Interactive Login (Personal/Team Account):
op account add
op signin
Service Account (Automation):
export OP_SERVICE_ACCOUNT_TOKEN="your-service-account-token"
To create a service account:
- Go to 1Password.com → Settings → Developer → Service Accounts
- Create new service account with appropriate vault access
- Save the token securely
Verify authentication:
op account list
Step 3: Verify Setup
Run the check script to confirm everything is working:
python3 scripts/op_check.py
Expected output:
✅ 1Password CLI installed: v2.30.0
✅ Authenticated as: user@example.com
✅ Vaults accessible: 3
Core Operations
List Vaults and Items
# List all accessible vaults
python3 scripts/op_list.py --vaults
# List items in a vault
python3 scripts/op_list.py --items --vault "Development"
# List items with category filter
python3 scripts/op_list.py --items --vault "Development" --category login
Create Secrets
# Create a password/credential
python3 scripts/op_create.py \
--vault "Development" \
--title "API Key - OpenAI" \
--category password \
--password "sk-abc123..."
# Create a login with username/password
python3 scripts/op_create.py \
--vault "Development" \
--title "GitHub Account" \
--category login \
--username "myuser" \
--password "mypassword" \
--url "https://github.com"
# Create with custom fields
python3 scripts/op_create.py \
--vault "Development" \
--title "Database Credentials" \
--category password \
--field "host=db.example.com" \
--field "port=5432" \
--field "database=production"
Read Secrets
# Get full item as JSON
python3 scripts/op_read.py --vault "Development" --item "API Key - OpenAI"
# Get specific field value only
python3 scripts/op_read.py --vault "Development" --item "API Key - OpenAI" --field password
# Get item by ID
python3 scripts/op_read.py --id "abc123xyz"
Update Secrets
# Update password field
python3 scripts/op_update.py \
--vault "Development" \
--item "API Key - OpenAI" \
--password "sk-new-key..."
# Update custom field
python3 scripts/op_update.py \
--vault "Development" \
--item "Database Credentials" \
--field "host=new-db.example.com"
# Add new field to existing item
python3 scripts/op_update.py \
--vault "Development" \
--item "Database Credentials" \
--field "replica_host=replica.example.com"
Delete Secrets
# Delete item (moves to trash)
python3 scripts/op_delete.py --vault "Development" --item "Old API Key"
# Delete permanently (requires --force)
python3 scripts/op_delete.py --vault "Development" --item "Old API Key" --force
# Delete by ID
python3 scripts/op_delete.py --id "abc123xyz"
Run Commands with Injected Secrets
The most powerful feature: inject secrets into any command without exposing them in plaintext.
# Run command with secrets from .env template
python3 scripts/op_run.py --env-file .env.tpl -- npm start
# Run with inline secret reference
python3 scripts/op_run.py \
--secret "API_KEY=op://Development/OpenAI/password" \
-- curl -H "Authorization: Bearer \$API_KEY" https://api.example.com
# Multiple secrets
python3 scripts/op_run.py \
--secret "DB_HOST=op://Development/Database/host" \
--secret "DB_PASS=op://Development/Database/password" \
-- python migrate.py
.env.tpl template format:
DATABASE_URL=op://Development/Database/url
API_KEY=op://Development/OpenAI/password
SECRET_KEY=op://Development/App/secret
Secret Reference Syntax
1Password uses URI-style references to identify secrets:
op://vault-name/item-name/field-name
Examples:
op://Development/OpenAI API Key/password
op://Production/Database/username
op://Shared/AWS/access-key-id
op://Personal/GitHub Token/credential
Field names for common categories:
| Category | Common Fields |
|---|---|
| Login | username, password, url |
| Password | password |
| API Credential | credential, username |
| Database | username, password, hostname, port, database |
| SSH Key | private_key, public_key |
Security Best Practices
- Never log secrets - Scripts output metadata only, never secret values directly
- Use service accounts - For CI/CD and automation, create dedicated service accounts with minimal vault access
- Prefer
op run- Inject secrets at runtime rather than exporting to environment - Rotate regularly - Use 1Password's built-in rotation features for credentials
- Audit access - Review service account usage in 1Password admin console
Item Categories
| Category | Use Case |
|---|---|
login |
Website/service credentials with username, password, URL |
password |
Simple password or API key |
secure-note |
Text notes, configuration snippets |
credit-card |
Payment cards |
identity |
Personal information |
document |
File attachments |
database |
Database connection credentials |
api-credential |
API keys and tokens |
ssh-key |
SSH key pairs |
Troubleshooting
"not signed in"
# Re-authenticate
op signin
# Or check service account token
echo $OP_SERVICE_ACCOUNT_TOKEN
"vault not found"
# List available vaults
op vault list
# Check vault name (case-sensitive)
op vault get "Vault Name"
"item not found"
# Search for item
op item list --vault "Vault" | grep -i "search term"
# List all items in vault
op item list --vault "Vault"
Permission denied
Service accounts need explicit vault access:
- Go to 1Password.com → Settings → Developer → Service Accounts
- Edit the service account
- Add vault access with appropriate permissions (read/write)
Script Reference
All scripts are in the scripts/ directory and output JSON by default.
| Script | Purpose |
|---|---|
op_check.py |
Verify CLI installation and authentication |
op_list.py |
List vaults and items |
op_create.py |
Create new secrets |
op_read.py |
Read/retrieve secrets |
op_update.py |
Update existing secrets |
op_delete.py |
Delete items |
op_run.py |
Execute commands with injected secrets |
For detailed CLI command syntax, see references/cli_reference.md.
More from aussiegingersnap/cursor-skills
api-rest
REST API conventions for Next.js App Router with Zod validation and standardized error handling. This skill should be used when creating API routes, implementing CRUD operations, or establishing API patterns for a project.
12ui-design-system
Complete design system with principles + living style guide. Enforces precise, crafted UI inspired by Linear, Notion, and Stripe. Includes boilerplate style-guide page template for Next.js/React projects. Use when building any UI that needs Jony Ive-level precision.
11tools-repo-review
Comprehensive GitHub repository analysis for engineering managers with contribution stats, code quality review, team health metrics, and actionable management outputs
10ui-principles
Enforce a precise, minimal design system inspired by Linear, Notion, and Stripe. Use this skill when building dashboards, admin interfaces, or any UI that needs Jony Ive-level precision - clean, modern, minimalist with taste. Every pixel matters.
9ui-shadcn-studio
shadcn/studio component library with MCP integration, theme generation, and block patterns. This skill should be used when building UI with shadcn components, selecting dashboard layouts, or generating landing pages. Canonical source for all shadcn-based work.
8db-postgres
PostgreSQL database management with Drizzle ORM, versioned migrations, and type-safe queries. This skill should be used when setting up a new database, writing migrations, managing schemas, or troubleshooting database issues in PostgreSQL projects.
8