Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From 1pass
Use this skill when the user asks about 1Password, secrets management, retrieving credentials, using op CLI, service accounts, secret references, vault operations, or any task involving the 1Password CLI (op). Also use when needing to inject secrets into environment variables, read passwords or API keys from 1Password, or manage 1Password items from the command line.
npx claudepluginhub nsheaps/ai-mktpl --plugin 1passHow this skill is triggered — by the user, by Claude, or both
Slash command
/1pass:opThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
The 1Password CLI (`op`) lets you manage 1Password vaults, items, and secrets
Guides 1Password CLI (op) integration for secret management in dev workflows with .op.env files, Makefile/Docker Compose/Kamal/CI patterns for infrastructure, deployments, local dev.
Manages IT Glue passwords: secure credential storage, categories, folders, embedded credentials, access patterns, audit logging, retrieval, and security best practices in MSP documentation.
Initializes 1Password CLI session for Claude Code, handling token-based and App Integration auth modes. Use when op CLI prompts biometric auth or setting up OP_SESSION token.
Share bugs, ideas, or general feedback.
The 1Password CLI (op) lets you manage 1Password vaults, items, and secrets
from the terminal. It integrates with shell environments to securely inject
secrets without exposing them in plaintext.
# Check sign-in status
op whoami
# Sign in (interactive)
op signin
# Sign in with service account token (CI/automation)
export OP_SERVICE_ACCOUNT_TOKEN="your-token"
op whoami
# List accounts
op account list
| Command | Description |
|---|---|
op item list | List items in a vault |
op item get | Get item details |
op item create | Create a new item |
op item edit | Edit an existing item |
op item delete | Delete an item |
op vault list | List vaults |
op vault get | Get vault details |
op read | Read a secret reference |
op inject | Inject secrets into a template |
op run | Run a command with secrets injected |
op whoami | Show current user/account |
op document get | Download a document |
1Password secret references use the format:
op://vault-name/item-name/field-name
# Read a single secret
op read "op://Private/My API Key/credential"
# Read a password
op read "op://Private/My Login/password"
# Read a specific section field
op read "op://Private/Server Config/database/connection_string"
# Run a command with secrets injected from env template
export DB_PASSWORD="op://Private/Database/password"
export API_KEY="op://Private/API Key/credential"
op run -- my-command
# Run with env file
op run --env-file .env -- my-command
# Inject secrets into a template file
op inject -i config.template.yaml -o config.yaml
# Template syntax in files:
# database:
# password: {{ op://Private/Database/password }}
# List all items
op item list
# List items in a specific vault
op item list --vault "Private"
# List with format
op item list --format json
# Filter by category
op item list --categories "Login"
op item list --categories "API Credential"
op item list --categories "Secure Note"
# Filter by tag
op item list --tags "production"
# Get full item details
op item get "My Login" --vault "Private"
# Get specific field
op item get "My Login" --fields "password"
# Get as JSON
op item get "My Login" --format json
# Get by UUID
op item get "abc123def456"
# Get OTP code
op item get "My Login" --otp
# Create a login
op item create --category login \
--title "New Service" \
--vault "Private" \
--url "https://example.com" \
username="admin" \
password="secret123"
# Create an API credential
op item create --category "API Credential" \
--title "Service API Key" \
--vault "Private" \
credential="sk-abc123"
# Create a secure note
op item create --category "Secure Note" \
--title "Important Note" \
--vault "Private" \
notesPlain="This is the note content"
# Generate a random password for new item
op item create --category login \
--title "New Account" \
--generate-password="20,letters,digits,symbols"
# Edit a field
op item edit "My Login" --vault "Private" \
password="new-password"
# Add a tag
op item edit "My Login" --tags "production,critical"
# List vaults
op vault list
# Get vault details
op vault get "Private"
# Create a vault
op vault create "Team Secrets"
# List vault permissions
op vault user list "Private"
Service accounts are used for CI/CD and automation:
# Set the token
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
# Use op normally — it auto-authenticates
op read "op://vault/item/field"
op run -- my-command
Service account limitations:
# .env file with secret references
# DATABASE_URL=op://Private/DB/connection_string
# API_KEY=op://Private/API/credential
op run --env-file .env -- docker compose up
#!/bin/bash
DB_PASS=$(op read "op://Private/Database/password")
API_KEY=$(op read "op://Private/API Key/credential")
curl -H "Authorization: Bearer $API_KEY" https://api.example.com
# Generate a random password
op item create --category password --generate-password
# Custom password recipe
op item create --category password \
--generate-password="30,letters,digits,symbols"
This plugin supports configuration via plugins.settings.yaml:
1pass:
enabled: true
autoInstall: false # Download op if not on PATH
installToProject: true # Install to $project/bin/.local
backgroundInstall: false # Install in background
opVersion: "latest" # Specific op version or "latest"
installOpExec: false # Also install op-exec
opExecVersion: "latest" # Specific op-exec version
# Expose entire 1Password items as environment variables
opExec:
items:
- "op://MyVault/ENVIRONMENT"
targets:
- sessionStartBashEnv # → CLAUDE_ENV_FILE (session-scoped, bash only)
- userSettings # → ~/.claude/settings.local.json (persistent, all tools)
# Note: recursive resolution of op:// references is always on (op-exec built-in)
Place in:
$CLAUDE_PROJECT_DIR/.claude/plugins.settings.yaml (project-level)~/.claude/plugins.settings.yaml (user-level)The opExec.targets array controls where resolved env vars are written:
| Target | Where | Scope | Persistence |
|---|---|---|---|
sessionStartBashEnv | CLAUDE_ENV_FILE | Bash tools only | Session only |
userSettings | ~/.claude/settings.local.json .env | All tools | Across sessions |
Both targets are enabled by default, ensuring env vars reach all tool types.
| Variable | Description |
|---|---|
OP_SERVICE_ACCOUNT_TOKEN | Service account token for authentication |
OP_CONNECT_HOST | 1Password Connect server URL |
OP_CONNECT_TOKEN | 1Password Connect API token |
OP_ACCOUNT | Default account shorthand |
OP_VAULT | Default vault |
Ensure op is installed. This plugin auto-installs to $CLAUDE_PROJECT_DIR/bin/.local/op
when autoInstall: true. Alternatively, install via mise:
# mise.toml
[tools]
"vfox:mise-plugins/vfox-1password" = "latest"
# Verify sign-in
op whoami
# Re-authenticate
op signin
# Check service account token
echo $OP_SERVICE_ACCOUNT_TOKEN | head -c 10
In CI/web sessions, use a service account token:
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."