secrets-1password
SKILL.md
1Password Developer CLI Skill
This skill provides workflows and helper scripts for managing secrets through the 1Password Developer CLI (op).
Quick Start Onboarding
Step 1: Install 1Password CLI
macOS (Homebrew):
brew install --cask 1password-cli
macOS (Direct Download):
curl -sS https://downloads.1password.com/mac/op-arm64/pkg/op_darwin_arm64_v2.30.0.pkg -o op.pkg
sudo installer -pkg op.pkg -target /
rm op.pkg
Linux:
curl -sS https://downloads.1password.com/linux/op-arm64-v2.30.0.zip -o op.zip
unzip -d op op.zip
sudo mv op/op /usr/local/bin/
rm -rf op op.zip
Verify installation:
op --version
Step 2: Authenticate
Interactive Login (Personal/Team Account):
op account add
op signin
Service Account (Automation):
export OP_SERVICE_ACCOUNT_TOKEN="your-service-account-token"
To create a service account:
- Go to 1Password.com → Settings → Developer → Service Accounts
- Create new service account with appropriate vault access
- Save the token securely
Verify authentication:
op account list
Step 3: Verify Setup
Run the check script to confirm everything is working:
python3 scripts/op_check.py
Expected output:
✅ 1Password CLI installed: v2.30.0
✅ Authenticated as: user@example.com
✅ Vaults accessible: 3
Core Operations
List Vaults and Items
# List all accessible vaults
python3 scripts/op_list.py --vaults
# List items in a vault
python3 scripts/op_list.py --items --vault "Development"
# List items with category filter
python3 scripts/op_list.py --items --vault "Development" --category login
Create Secrets
# Create a password/credential
python3 scripts/op_create.py \
--vault "Development" \
--title "API Key - OpenAI" \
--category password \
--password "sk-abc123..."
# Create a login with username/password
python3 scripts/op_create.py \
--vault "Development" \
--title "GitHub Account" \
--category login \
--username "myuser" \
--password "mypassword" \
--url "https://github.com"
# Create with custom fields
python3 scripts/op_create.py \
--vault "Development" \
--title "Database Credentials" \
--category password \
--field "host=db.example.com" \
--field "port=5432" \
--field "database=production"
Read Secrets
# Get full item as JSON
python3 scripts/op_read.py --vault "Development" --item "API Key - OpenAI"
# Get specific field value only
python3 scripts/op_read.py --vault "Development" --item "API Key - OpenAI" --field password
# Get item by ID
python3 scripts/op_read.py --id "abc123xyz"
Update Secrets
# Update password field
python3 scripts/op_update.py \
--vault "Development" \
--item "API Key - OpenAI" \
--password "sk-new-key..."
# Update custom field
python3 scripts/op_update.py \
--vault "Development" \
--item "Database Credentials" \
--field "host=new-db.example.com"
# Add new field to existing item
python3 scripts/op_update.py \
--vault "Development" \
--item "Database Credentials" \
--field "replica_host=replica.example.com"
Delete Secrets
# Delete item (moves to trash)
python3 scripts/op_delete.py --vault "Development" --item "Old API Key"
# Delete permanently (requires --force)
python3 scripts/op_delete.py --vault "Development" --item "Old API Key" --force
# Delete by ID
python3 scripts/op_delete.py --id "abc123xyz"
Run Commands with Injected Secrets
The most powerful feature: inject secrets into any command without exposing them in plaintext.
# Run command with secrets from .env template
python3 scripts/op_run.py --env-file .env.tpl -- npm start
# Run with inline secret reference
python3 scripts/op_run.py \
--secret "API_KEY=op://Development/OpenAI/password" \
-- curl -H "Authorization: Bearer \$API_KEY" https://api.example.com
# Multiple secrets
python3 scripts/op_run.py \
--secret "DB_HOST=op://Development/Database/host" \
--secret "DB_PASS=op://Development/Database/password" \
-- python migrate.py
.env.tpl template format:
DATABASE_URL=op://Development/Database/url
API_KEY=op://Development/OpenAI/password
SECRET_KEY=op://Development/App/secret
Secret Reference Syntax
1Password uses URI-style references to identify secrets:
op://vault-name/item-name/field-name
Examples:
op://Development/OpenAI API Key/password
op://Production/Database/username
op://Shared/AWS/access-key-id
op://Personal/GitHub Token/credential
Field names for common categories:
| Category | Common Fields |
|---|---|
| Login | username, password, url |
| Password | password |
| API Credential | credential, username |
| Database | username, password, hostname, port, database |
| SSH Key | private_key, public_key |
Security Best Practices
- Never log secrets - Scripts output metadata only, never secret values directly
- Use service accounts - For CI/CD and automation, create dedicated service accounts with minimal vault access
- Prefer
op run- Inject secrets at runtime rather than exporting to environment - Rotate regularly - Use 1Password's built-in rotation features for credentials
- Audit access - Review service account usage in 1Password admin console
Item Categories
| Category | Use Case |
|---|---|
login |
Website/service credentials with username, password, URL |
password |
Simple password or API key |
secure-note |
Text notes, configuration snippets |
credit-card |
Payment cards |
identity |
Personal information |
document |
File attachments |
database |
Database connection credentials |
api-credential |
API keys and tokens |
ssh-key |
SSH key pairs |
Troubleshooting
"not signed in"
# Re-authenticate
op signin
# Or check service account token
echo $OP_SERVICE_ACCOUNT_TOKEN
"vault not found"
# List available vaults
op vault list
# Check vault name (case-sensitive)
op vault get "Vault Name"
"item not found"
# Search for item
op item list --vault "Vault" | grep -i "search term"
# List all items in vault
op item list --vault "Vault"
Permission denied
Service accounts need explicit vault access:
- Go to 1Password.com → Settings → Developer → Service Accounts
- Edit the service account
- Add vault access with appropriate permissions (read/write)
Script Reference
All scripts are in the scripts/ directory and output JSON by default.
| Script | Purpose |
|---|---|
op_check.py |
Verify CLI installation and authentication |
op_list.py |
List vaults and items |
op_create.py |
Create new secrets |
op_read.py |
Read/retrieve secrets |
op_update.py |
Update existing secrets |
op_delete.py |
Delete items |
op_run.py |
Execute commands with injected secrets |
For detailed CLI command syntax, see references/cli_reference.md.
Weekly Installs
4
Repository
aussiegingersna…r-skillsGitHub Stars
2
First Seen
8 days ago
Security Audits
Installed on
cursor4
gemini-cli3
github-copilot3
codex3
amp3
cline3