Configures 1Password CLI with direnv for fast, secure credential loading. Activates for: 1Password + direnv setup, slow secrets (>2 sec), .env.op files, op:// references, AWS credentials via env vars, --reveal flag issues, repeated biometric prompts, creating 1Password items programmatically, op item get errors. Not for: 1Password GUI usage, SSH keys (use 1Password SSH agent).
```
/plugin marketplace add clearfunction/claude-skills
/plugin install cf-devtools@cf-devtools
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.
Secure credential management using 1Password CLI with zero plaintext secrets on disk.
| Use Case | Approach | Details |
|---|---|---|
| All secrets (AWS, DB, APIs) | direnv + op run | Core Pattern |
| CI/CD automation | Service account token | Session Management |
| Creating items for users | op item create | Programmatic Creation |
Key insight: Secrets load once on cd and all subprocesses inherit them (standard Unix fork() behavior). One op call, no re-fetching.
Use op run --env-file NOT multiple op read calls.
| Approach | CLI Invocations | Load Time |
|---|---|---|
| Multiple op read | N per secret | ~5 seconds |
| Single op run | 1 | ~1 second |
1. .env.op (safe to commit - contains only op:// references):
```
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
AWS_SECRET_ACCESS_KEY="op://Vault/Item/Secret Access Key"
DB_PASSWORD="op://Vault/Item/password"
```
2. .envrc (safe to commit - no secrets, just loader command):
```bash
direnv_load op run --env-file=.env.op --no-masking \
  --account=yourcompany.1password.com -- direnv dump
```
3. Enable: direnv allow
Add to ~/.config/direnv/direnvrc:
```bash
use_1password() {
  local env_file="${1:-.env.op}" account="${2:-yourcompany.1password.com}"
  [[ -f "$env_file" ]] && direnv_load op run --env-file="$env_file" \
    --no-masking --account="$account" -- direnv dump
}
```
Then .envrc becomes: use 1password
Concealed fields require --reveal to get actual values.
```bash
# WRONG - returns placeholder text, NOT the secret!
op item get "Item" --fields "Secret Access Key"
# Output: [use 'op item get xxx --reveal' to reveal]

# CORRECT - returns actual secret value
op item get "Item" --fields "Secret Access Key" --reveal
```
Common symptom: SignatureDoesNotMatch errors from AWS indicate the secret wasn't retrieved properly.
| Scenario | Solution | Prompts |
|---|---|---|
| Dev entering project | direnv + op run | 1 on directory entry |
| CI/CD pipeline | OP_SERVICE_ACCOUNT_TOKEN | 0 |
Key insight: Sessions last 10 minutes with auto-refresh on each use. Keep 1Password desktop app unlocked and integrated with CLI.
Detailed strategies: references/session-management.md
```bash
op account list                                   # Find accounts
op vault list --account mycompany.1password.com   # Find vaults
op item list --account mycompany.1password.com    # Find items
```
Full reference: references/discovery-commands.md - field inspection, search patterns, debugging
For Claude Code workflows where Claude sets up infrastructure without handling raw secrets:
```bash
# Create item with placeholder values
op item create --category "API Credential" \
  --title "AWS Service-Name" \
  --vault "Private" \
  --account mycompany.1password.com \
  "Access Key ID[text]=REPLACE_ME" \
  "Secret Access Key[concealed]=REPLACE_ME"
```
User populates via 1Password app, then Claude continues with configuration.
Full pattern: references/programmatic-item-creation.md
| File | Safe? | Why |
|---|---|---|
| .env.op | Yes | Contains only op:// pointers |
| .envrc | Yes | No secrets - just loader command delegating to .env.op |
| .env | Never | Contains actual secrets |
The account name (e.g., yourcompany.1password.com) isn't sensitive - it's just an identifier. For team projects, everyone uses the same account anyway.
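A pre-commit style check for the rule in the table above, as an added example that is not part of the original skill: it fails when any assignment in `.env.op` holds something other than an `op://vault/item/field` reference, and it reports only the key name so a pasted secret is never echoed into logs. The function name `check_env_op` and the sample file contents are constructed for illustration.

```shell
# Added example: lint an .env.op file before it is committed.
# Policy assumed from the table above: every value must be an op:// pointer.
check_env_op() (
  file="$1"; lineno=0; bad=0
  [ -r "$file" ] || { echo "$file: not readable" >&2; exit 2; }
  # read with the default IFS trims leading/trailing whitespace per line
  while read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in ''|'#'*) continue ;; esac   # blank line or comment
    line="${line#export }"
    case "$line" in
      *=*) key="${line%%=*}"; value="${line#*=}" ;;
      *)   echo "$file:$lineno: not a KEY=VALUE line"
           bad=$((bad + 1)); continue ;;
    esac
    case "$value" in                             # drop one pair of quotes
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    case "$value" in
      op://?*/?*/?*) ;;                          # vault/item/[section/]field
      *) # Report the key only; never echo the value into hook or CI logs.
         echo "$file:$lineno: $key is not an op:// reference"
         bad=$((bad + 1)) ;;
    esac
  done < "$file"
  [ "$bad" -eq 0 ]
)

# Constructed sample: two valid pointers and one pasted plaintext value.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample, not a real project file
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
DB_PASSWORD="op://Vault/Item/password"
API_TOKEN=constructed-plaintext-value
EOF
check_env_op "$sample" || echo "refusing commit: fix the lines listed above"
rm -f "$sample"
```

The function returns 0 when every value is a pointer, 1 when at least one line is flagged, and 2 when the file cannot be read, so it can be called directly from a Git pre-commit hook.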
| Error | Fix |
|---|---|
| SignatureDoesNotMatch (AWS) | Add --reveal for concealed fields |
| op: command not found | brew install --cask 1password-cli |
| could not find item | Names are case-sensitive; verify exact name |
Full troubleshooting: references/session-management.md#troubleshooting-excessive-prompts
```bash
# Install 1Password CLI (v2.18.0+ for service accounts)
brew install --cask 1password-cli

# Install direnv (for env var approach)
brew install direnv
echo 'eval "$(direnv hook zsh)"' >> ~/.zshrc

# Sign in and integrate with desktop app
op signin --account=yourcompany.1password.com

# Verify integration
op whoami
```
Required: 1Password desktop app with CLI integration enabled (Settings → Developer → CLI Integration).