From workflows
Manages 1Password operations using op CLI including authentication, password retrieval, item creation, vault management, and secure credential access. Use when working with passwords, secrets, credentials, API keys, or when user mentions 1Password, op CLI, vaults, or secure storage.
npx claudepluginhub andercore-labs/claudes-kitchen --plugin workflows
This skill uses the workspace's default tool permissions.
**Login → Read → Create → Share**
eval $(op signin)
op item get "GitHub Token" --fields password
op item create --category=login --title="New Account" --vault="Private" username=user@example.com password=$(op generate --length=32)
op item share "API Key" --emails user@example.com
Passwords | secrets | API keys | credentials | 1Password | op CLI | vaults | secure storage
Authentication:
Not signed in → eval $(op signin) | Already signed in → verify with op whoami
Session expired → eval $(op signin) | MFA required → op signin --account {account}
Item Retrieval:
By name → op item get "{name}" | By ID → op item get {uuid}
Field only → --fields {field} | JSON output → --format json
Multiple fields → --fields label=field1,field2
Item Creation:
Login → --category=login + username + password
API key → --category=api_credential + credential
Secure note → --category=secure_note + notes
Password → --category=password + password
Vault Operations:
List vaults → op vault list | Create vault → op vault create {name}
Default vault → Private | Shared → specify --vault
| Command | Usage | Result |
|---|---|---|
| eval $(op signin) | Initial auth | Session token set in env |
| op signin --account {account} | Multi-account | Switch account |
| op whoami | Verify session | Current user/account |
| op signout | End session | Clear token |
Session handling:
op whoami 2>/dev/null || eval $(op signin)
Environment-based:
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
op item get "{name}"
Get password field:
op item get "GitHub Token" --fields password
op item get "Database" --fields username,password
Get full item:
op item get "AWS Credentials" --format json
Filter by vault:
op item get "API Key" --vault "Production"
Get specific field by label:
op item get "Server" --fields label=hostname,label=ssh_key
Get TOTP code:
op item get "GitHub" --otp
Login credentials:
op item create \
--category=login \
--title="GitHub Account" \
--vault="Personal" \
username="user@example.com" \
password=$(op generate --length=32) \
url="https://github.com"
API credential:
op item create \
--category=api_credential \
--title="Stripe API" \
--vault="Production" \
credential="sk_live_..."
Secure note:
op item create \
--category=secure_note \
--title="Server Config" \
--vault="Infrastructure" \
notes="Database connection details..."
Custom fields:
op item create \
--category=login \
--title="Custom Service" \
username="admin" \
password=$(op generate) \
"API Key[text]=key_123" \
"Environment[text]=production"
| Pattern | Command | Output |
|---|---|---|
| Strong (32 chars) | op generate --length=32 | Mixed alphanumeric + symbols |
| Alphanumeric only | op generate --letters --digits | No symbols |
| Custom recipe | op generate --recipe='20,letters,digits' | 20 char letters+digits |
| Pronounceable | op generate --words=4 --separator=- | word-word-word-word |
PASSWORD=$(op generate --length=32)
echo $PASSWORD
Search items:
op item list --categories login
op item list --vault "Production"
op item list --tags "api,production"
Filter by favorites:
op item list --favorite
Search by text:
op item list | grep -i "github"
List all vaults:
op vault list --format json
List vault items:
op item list --vault "Personal" --format json
Update password:
op item edit "GitHub" password=$(op generate --length=32)
Update field:
op item edit "Server" hostname="new-server.com"
Add custom field:
op item edit "API Service" "API Key[text]=new_key_value"
Update URL:
op item edit "Website" url="https://new-url.com"
op item delete "Old Account"
op item delete {item-uuid}
op item delete "Archive Item" --archive # Archive instead
Upload document:
op document create ./contract.pdf --title "Contract 2024" --vault "Legal"
Download document:
op document get "Contract 2024" --out-file ./contract.pdf
List documents:
op item list --categories document
Create vault:
op vault create "Team Credentials"
Grant access:
op vault user grant --vault "Team Credentials" --user user@example.com
List vault users:
op vault user list --vault "Team Credentials"
Use in scripts:
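```bash
#!/bin/bash
# Read each field into a variable so nothing is printed to the terminal
DB_USER=$(op item get "Database" --fields username)
DB_PASS=$(op item get "Database" --fields password)
DB_HOST=$(op item get "Database" --fields hostname)
# Pass the password through PGPASSWORD for this one command only
PGPASSWORD="$DB_PASS" psql -h "$DB_HOST" -U "$DB_USER" -d mydb
```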
Use in env files:
op inject -i .env.template -o .env
.env.template:
DATABASE_URL=op://Production/Database/connection_string
API_KEY=op://Production/API/credential
Reference syntax:
op://{vault}/{item}/[section/]{field}
Examples:
op://Production/Database/password
op://Personal/GitHub/username
op://Team/API Key/credential
Inject into file:
op inject -i config.yaml -o config.yaml
Inject inline:
curl -H "Authorization: Bearer $(op read op://Production/API/token)" api.example.com
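A pre-flight check for the template workflow above, as an added example that is not part of the original skill: it validates each `op://{vault}/{item}/[section/]{field}` reference in a `.env.template` and flags literal values under secret-looking keys before `op inject` runs. The function names `parse_ref` and `lint_template`, the key-name heuristic and the sample template are assumptions made for illustration; query suffixes on references are not handled.

```shell
#!/bin/sh
# parse_ref REF: print "vault|item|section|field"; return 1 if malformed.
parse_ref() {
    case $1 in op://*) ;; *) return 1 ;; esac
    _rest=${1#op://}
    # Reject empty path segments (leading, trailing or doubled slash).
    case $_rest in /*|*/|*//*) return 1 ;; esac
    _old_ifs=$IFS; IFS=/
    set -f; set -- $_rest; set +f      # split on "/" only, so "API Key" survives
    IFS=$_old_ifs
    case $# in
        3) printf '%s|%s||%s\n' "$1" "$2" "$3" ;;
        4) printf '%s|%s|%s|%s\n' "$1" "$2" "$3" "$4" ;;
        *) return 1 ;;
    esac
}

# lint_template FILE: print one finding per bad line; return 1 if any found.
lint_template() {
    _n=0; _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case $_line in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
        _key=${_line%%=*}; _val=${_line#*=}
        _val=${_val#\"}; _val=${_val%\"}   # drop one pair of double quotes
        case $_val in
            op://*)
                parse_ref "$_val" >/dev/null && continue
                echo "line $_n: $_key: malformed secret reference"; _bad=1 ;;
            *)  # Assumed heuristic: secret-looking key names must not hold literals.
                case $_key in *KEY*|*TOKEN*|*SECRET*|*PASS*|*CREDENTIAL*)
                    echo "line $_n: $_key: literal value, expected op:// reference"
                    _bad=1 ;;
                esac ;;
        esac
    done < "$1"
    return $_bad
}

# Constructed sample template, not from a real project.
tmpl=$(mktemp); trap 'rm -f "$tmpl"' EXIT
cat > "$tmpl" <<'EOF'
DATABASE_URL=op://Production/Database/connection_string
API_TOKEN=not-a-real-token
SSH_KEY=op://Team/SSH//private_key
PORT=8080
EOF
lint_template "$tmpl" || echo "fix the findings above before running op inject"
```

The check never contacts 1Password, so it can run in a pre-commit hook or CI step that has no service account token.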
Setup:
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
op item list # No signin required
CI/CD usage:
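```yaml
env:
  OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
script:
  # The service account token is read from the environment, so no op signin step is needed
  - op item get "Deploy Key" --fields private_key > deploy_key
  # Restrict the key file to the current user
  - chmod 600 deploy_key
```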
Check installation:
op --version
which op
Account management:
op account list
op account add
op account forget {account}
Item operations:
op item get {name} # Full item
op item get {name} --fields password # Specific field
op item create --category=login # New login
op item edit {name} # Update item
op item delete {name} # Remove item
op item share {name} --emails a@b.com # Share item
Vault operations:
op vault list # All vaults
op vault create {name} # New vault
op vault user grant # Grant access
op vault user list --vault {name} # List members
Git credential helper:
git config --global credential.helper '!f() { test "$1" = get && echo "password=$(op item get "GitHub Token" --fields password)"; }; f'
SSH key from 1Password:
op item get "SSH Key" --fields private_key > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
AWS credentials:
export AWS_ACCESS_KEY_ID=$(op item get "AWS" --fields access_key_id)
export AWS_SECRET_ACCESS_KEY=$(op item get "AWS" --fields secret_access_key)
Docker registry:
op item get "Docker Hub" --fields password | docker login -u $(op item get "Docker Hub" --fields username) --password-stdin
| Error | Cause | Fix |
|---|---|---|
| not signed in | Session expired | eval $(op signin) |
| item not found | Wrong name/vault | Verify with op item list |
| invalid account | Wrong account | op account list → signin correct account |
| 401 unauthorized | Invalid token | Refresh token or signin |
| vault not found | Wrong vault name | op vault list → verify name |
| permission denied | No vault access | Request access from admin |
| no items found | Empty result | Check filters/vault |
Debug mode:
op --debug item get "Name" 2>&1 | tee debug.log
Avoid logging secrets:
PASSWORD=$(op item get "DB" --fields password) # ✓
op item get "DB" --fields password # ✗ prints to stdout
Use secret references:
op inject -i .env.template -o .env # ✓
echo "KEY=$(op item get...)" >> .env # ✗ less secure
Clean up temp files:
```bash
SECRET_FILE=$(mktemp)   # unpredictable name, created with mode 0600
trap 'rm -f "$SECRET_FILE"' EXIT
op item get "Key" --fields key > "$SECRET_FILE"
```
Verify session before batch ops:
op whoami || { echo "Not signed in"; exit 1; }
OP = 1Password CLI (op)
SA = Service Account
SR = Secret Reference (op://...)
| Phase | Action |
|---|---|
| 1. Execute | Perform op operation (signin/get/create) |
| 2. Validate | Review conversation context for workflow compliance |
| 3. Report | ✓ Pass → Done; ✗ Fail → List violations with evidence |
| 4. Fix | Violations found → Correct → Re-run operation |
| 5. Store Metrics | After ALL validation passes, call mcp__agent-orchestrator__store-skill-metrics |
| Operation | Verification |
|---|---|
| Auth | Check op whoami or eval $(op signin) executed |
| Get item | Verify item exists: op item list or successful retrieval |
| Create item | Confirm creation: Check output for item UUID |
| Secure handling | Verify no secrets printed to stdout/logs |
VALIDATION REPORT:
✓ Authentication: eval $(op signin) executed
✓ Item retrieval: op item get "GitHub Token" succeeded
✓ Secure handling: Password stored in variable, not echoed
✓ Vault verified: --vault "Production" specified
ALL CHECKS PASS ✓
VALIDATION REPORT:
✗ FAIL: Session not verified before batch operation
✗ Evidence: No op whoami check before op item list loop
VIOLATIONS (1):
1. Missing session verification
Evidence: Conversation shows op item get without prior auth check
Fix: Add op whoami || eval $(op signin) before operations
ACTION: Add session check and re-validate