Skills Guide

1Password Secrets Management

VerifiedCaution

Enables management of 1Password secrets via the op CLI, using service account authentication. Use it to list vaults and items, retrieve passwords, OTP codes, and API keys, or read specific secret fields. Ideal for securely accessing credentials during development or automation workflows.

Sby Skills Guide Bot
SecurityIntermediate
1006/2/2026
Claude Code
#1password#secrets#cli#password-manager

Recommended for

Claude Code

Our review

Allows an AI agent to retrieve and manage secrets from 1Password using the op CLI.

Strengths

  • Uses service account authentication for secure access
  • Supports listing, reading, and generating OTP codes
  • Provides structured JSON output for programmatic use

Limitations

  • Requires the op CLI to be installed and configured with a service account
  • All commands must specify the vault explicitly
  • Cannot create or modify secrets, only read
When to use it

When you need to retrieve passwords, API keys, or OTP codes stored in 1Password during a development or troubleshooting session.

When not to use it

When you need to write or update secrets, or when no 1Password service account is available.

Security analysis

Caution
Quality score90/100

The skill legitimately manages secrets via the 1Password CLI, but its use of Bash and ability to output plain-text secrets warrants caution to prevent unintended exposure.

Findings
  • Uses Bash to execute 1Password CLI commands that can expose sensitive secrets in standard output or logs.
  • Does not explicitly implement safeguards to prevent leakage of secrets beyond the requested action.

Examples

List vaults
What vaults are available in my 1Password account?
Get a specific password
Retrieve the password for my AWS account from the 'Personal' vault.
Generate an OTP code
What is the current two-factor authentication code for my GitHub account?

name: op description: Manage 1Password secrets. Use when user wants to list, get, or read passwords, OTP codes, API keys, or other secrets from 1Password. user-invocable: true argument-hint: "[action or natural language request]" allowed-tools: Bash

1Password CLI (op)

Manage secrets in 1Password using the op command. Authenticated via service account.

User Request

$ARGUMENTS

Commands Reference

Important: Service accounts require --vault on every command. Before running any item commands, discover the available vault name first:

op vault list --format=json

Then use the vault name from the response in all subsequent commands.

List Items

# List all items in vault
op item list --vault "VAULT_NAME" --format=json

# Long format (with categories, dates)
op item list --vault "VAULT_NAME" --long --format=json

# Filter by category
op item list --vault "VAULT_NAME" --categories Login --format=json
op item list --vault "VAULT_NAME" --categories "API Credential" --format=json

# Filter by tags
op item list --vault "VAULT_NAME" --tags production --format=json

# Filter favorites only
op item list --vault "VAULT_NAME" --favorite --format=json

Get Item Details

# Full item details
op item get "Item Title" --vault "VAULT_NAME" --format=json

# Get OTP (one-time password / 2FA code)
op item get "Item Title" --vault "VAULT_NAME" --otp

# Get specific fields
op item get "Item Title" --vault "VAULT_NAME" --fields label=username --format=json
op item get "Item Title" --vault "VAULT_NAME" --fields label=password --format=json
op item get "Item Title" --vault "VAULT_NAME" --fields label=username,label=password --format=json

# Get fields by type
op item get "Item Title" --vault "VAULT_NAME" --fields type=CONCEALED --format=json

Read Individual Secret

# Read a specific field value directly
op read "op://VAULT_NAME/Item Title/username"
op read "op://VAULT_NAME/Item Title/password"
op read "op://VAULT_NAME/Item Title/Section Name/field"

List Vaults

op vault list --format=json

JSON Response Structures

op vault list --format=json:

[
  {"id": "abc123...", "name": "My Vault", "content_version": 42}
]

op item list --format=json:

[
  {
    "id": "abc123...",
    "title": "Example Service",
    "version": 1,
    "vault": {"id": "xyz...", "name": "My Vault"},
    "category": "LOGIN",
    "last_edited_by": "...",
    "created_at": "2025-01-01T00:00:00Z",
    "updated_at": "2025-01-02T00:00:00Z",
    "additional_information": "user@example.com",
    "urls": [{"primary": true, "href": "https://example.com"}]
  }
]

op item get --format=json:

{
  "id": "abc123...",
  "title": "Example Service",
  "category": "LOGIN",
  "vault": {"id": "xyz...", "name": "My Vault"},
  "fields": [
    {
      "id": "username",
      "type": "STRING",
      "purpose": "USERNAME",
      "label": "email",
      "value": "user@example.com",
      "reference": "op://My Vault/Example Service/email"
    },
    {
      "id": "password",
      "type": "CONCEALED",
      "purpose": "PASSWORD",
      "label": "password",
      "value": "secret_value",
      "reference": "op://My Vault/Example Service/password"
    },
    {
      "id": "TOTP_xxx",
      "type": "OTP",
      "label": "one-time password",
      "value": "otpauth://totp/...",
      "totp": "123456"
    }
  ],
  "urls": [{"primary": true, "href": "https://example.com"}]
}

op item get --otp: Returns just the 6-digit TOTP code as plain text (e.g., 182448).

op item get --fields --format=json:

[
  {"id": "username", "type": "STRING", "label": "email", "value": "user@example.com"},
  {"id": "password", "type": "CONCEALED", "label": "password", "value": "secret_value"}
]

Important Notes

  • Service account requires --vault — always discover vault name via op vault list first, then use it in all commands
  • --otp returns plain text — do not combine with --format=json
  • OTP field in JSON — when getting full item, the current TOTP code is in the totp key of OTP-type fields
  • Categories: Login, Password, API Credential, Secure Note, Database, SSH Key, Credit Card, Identity, Document, Server, Software License

Instructions

  1. Parse the user's natural language request to determine what they need
  2. First, run op vault list --format=json to discover the available vault name(s)
  3. Determine the appropriate op command, using the discovered vault name
  4. Always use --format=json except for --otp (which returns plain text)
  5. Execute the command via Bash
  6. Parse the JSON response and present results clearly to the user
  7. For OTP requests, just return the code prominently
  8. For credential requests, format as a clear key-value list
  9. Never log or echo secrets unnecessarily — only show what was requested

If the request is ambiguous, ask for clarification.

Related skills

Security Audit Scanner

Premium

Security

Analyzes code to detect OWASP Top 10 vulnerabilities.

Claude Codeadvanced
210
87
906
Admin

OWASP Security Checklist

Security

Generates application security checklists based on the OWASP Top 10.

claudeCursorWindsurfintermediate
148
41
440
Admin

Threat Model Generator

Security

Generates threat model documents with STRIDE analysis.

claudeCursoradvanced
78
23
289
Admin