From 1pass
Use this skill when the user asks about op-exec, running commands with 1Password secrets injected, wrapping processes with secret injection, automating secret-aware command execution, or configuring whole-item environment injection with multiple output targets. op-exec is a wrapper around the 1Password CLI that simplifies running commands with secrets from 1Password vaults.
npx claudepluginhub nsheaps/ai-mktpl --plugin 1passThis skill uses the workspace's default tool permissions.
`op-exec` (from [nsheaps/op-exec](https://github.com/nsheaps/op-exec)) is a
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.
op-exec (from nsheaps/op-exec) is a
convenience wrapper around op run that simplifies injecting 1Password secrets
into command execution.
op-exec fetches all STRING and CONCEALED fields from a 1Password item, converts
field labels to environment variable names (UPPER_SNAKE_CASE), recursively
resolves any op:// references in field values (max depth 5), and either
exports them for a command or prints export statements for sourcing.
# mise.toml
[tools]
"github:nsheaps/op-exec" = "latest"
brew install nsheaps/tap/op-exec
curl -fsSL "https://github.com/nsheaps/op-exec/releases/download/v${VERSION}/op-exec-linux-amd64" -o op-exec
chmod +x op-exec
# Run a command with all fields from a 1Password item as env vars
op-exec op://vault/item -- command [args...]
# Print export statements (for sourcing or debugging)
op-exec op://vault/item
# Source into current shell
eval "$(op-exec op://vault/item)"
op) must be installed and authenticatedOP_SERVICE_ACCOUNT_TOKEN# All fields from the ENVIRONMENT item become env vars
# e.g. field "API Key" → API_KEY, field "Database URL" → DATABASE_URL
op-exec op://MyVault/ENVIRONMENT -- npm start
op-exec op://Development/my-app-config -- ./deploy.sh
op-exec op://Work/docker-secrets -- docker compose up
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
op-exec op://Automation/deploy-config -- ./ci-script.sh
Field values that are themselves op:// references are resolved automatically:
# Item "ENVIRONMENT" in vault "MyVault":
# API_KEY = op://MyVault/api-credentials/key ← resolved recursively
# DB_HOST = prod.db.example.com ← used as-is
The 1pass plugin can automatically run op-exec at session start and write
the resolved environment variables to multiple targets.
1pass:
installOpExec: true
opExecVersion: "latest"
opExec:
# 1Password items to expose as environment variables
items:
- "op://MyVault/ENVIRONMENT"
- "op://MyVault/extra-secrets"
# Where to write the resolved env vars (multiple allowed)
# Defaults to both targets when omitted.
targets:
- sessionStartBashEnv # → CLAUDE_ENV_FILE (session-scoped, bash only)
- userSettings # → ~/.claude/settings.local.json .env (persistent, all tools)
# Note: recursive resolution of op:// references is always on (op-exec built-in)
| Target | Mechanism | Scope | Persistence | Non-Bash tools |
|---|---|---|---|---|
sessionStartBashEnv | CLAUDE_ENV_FILE | Bash tool calls | Session only | No |
userSettings | ~/.claude/settings.local.json .env | All tools | Across sessions | Yes |
Default: Both sessionStartBashEnv and userSettings are enabled when
targets is not specified, ensuring env vars are available to all tools and
also in bash sessions.
Install via mise, Homebrew, or enable auto-install in the plugin settings.
Ensure op is authenticated:
op whoami
Ensure the service account or user has access to the referenced vault.
op-exec only exports STRING and CONCEALED field types. Other field types (sections, OTP, etc.) are skipped. Verify the item has the expected fields:
op item get "ENVIRONMENT" --vault "MyVault" --format json | jq '.fields[] | {label, type}'