1Password — OpenClaw Skill

Securely read and inject secrets using the 1Password CLI. Never paste credentials in chat.

Security Vetted

What This Skill Does

The 1Password skill gives your OpenClaw agent secure access to your password vaults through the official 1Password CLI (op). Instead of pasting API keys, database passwords, or tokens directly into chat (where they could end up in logs), the agent uses op run and op inject to pass secrets directly to processes as environment variables or inject them into configuration files at runtime. Secrets never appear in chat output, logs, or written files.

The skill handles the complete authentication workflow: it creates a dedicated tmux session (required because OpenClaw's shell tool uses a fresh TTY per command), signs in through the 1Password desktop app integration (biometric unlock), verifies access with op whoami, and then executes secret-reading operations within that persistent session. This approach keeps your authentication state stable across multiple commands.

Multi-account support is built in -- you can use the --account flag or OP_ACCOUNT environment variable to specify which 1Password account to use. The skill follows strict security guardrails: it never pastes secrets into logs, chat, or code, and it prefers op run / op inject over writing secrets to disk. This makes it ideal for securely provisioning environment variables, populating config files, and running authenticated scripts.

Example Prompts

Use 1Password to get my Stripe API secret key and set it as an environment variable, then run the payment test suite

List all items in my "Development" vault and tell me which credentials were last updated more than 90 days ago

Inject the database connection string from 1Password into the .env file for my local development setup, without showing me the actual value

Sign into my work 1Password account and list all available vaults

Use op run to start the staging server with the production database credentials from 1Password, keeping the secrets out of the process list

Check which of my API keys in the "Integrations" vault are about to expire and create a summary

Requirements

Binary dependency: op (1Password CLI)

  • macOS: brew install 1password-cli
  • 1Password desktop app: Recommended for biometric-based sign-in integration
  • tmux: Required for maintaining authentication state across commands
  • Account: A 1Password account (Individual, Families, Teams, or Business)

Setup on KiwiClaw

This skill is pre-installed and configured on all KiwiClaw plans. The op CLI and tmux are available on every tenant machine. Sign in through the dashboard to connect your 1Password account, and the agent can securely access your vaults. No manual CLI installation needed.

Setup Self-Hosted

  1. Install the 1Password CLI: brew install 1password-cli
  2. Enable desktop app integration in 1Password Settings (Developer section)
  3. Verify: op --version should show the installed version
  4. Sign in: op signin (the desktop app will prompt for biometric authentication)
  5. Verify access: op whoami should show your account details
  6. Ensure tmux is installed for persistent authentication sessions
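
The sign-in and run steps above as one script, shown as an added illustration and not the skill's own code. It first checks that an env file holds only op:// secret references (no literal values), then runs the command through op run inside one persistent tmux session. The session name op-demo, the file name app.env and the op:// paths in the comments are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example. Constructed sample env file (app.env), safe to commit
# because it holds references, not values:
#   STRIPE_KEY=op://Development/Stripe/secret-key
#   DB_URL="op://Development/Postgres/url"

# Return 0 only if every KEY=VALUE line is an op://vault/item/field reference.
# On failure it names the offending key on stderr and never echoes the value.
env_file_is_reference_only() {
  local file="$1" line value bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
    value=${line#*=}
    value=${value#\"}; value=${value%\"}         # tolerate double quotes
    case $value in
      op://*/*/*) ;;                             # reference: resolved at run time
      *) echo "literal value for ${line%%=*} in $file" >&2; bad=1 ;;
    esac
  done < "$file"
  return "$bad"
}

# Run a command with secrets resolved by op, inside one persistent tmux
# session so the sign-in state survives across commands.
run_with_secrets() {
  local env_file="$1"; shift
  env_file_is_reference_only "$env_file" || return 1
  command -v op >/dev/null && command -v tmux >/dev/null || return 2
  tmux has-session -t op-demo 2>/dev/null || tmux new-session -d -s op-demo
  # op signin triggers the desktop-app unlock; op whoami fails if that did
  # not succeed; op run exports the resolved values to the child process only.
  tmux send-keys -t op-demo \
    "op signin && op whoami && op run --env-file='$env_file' -- $*" Enter
}

# Usage (hypothetical command): run_with_secrets app.env npm test
```

The sketch uses op run rather than op inject -o because op inject -o writes the resolved values to the output file, while op run keeps them in the child process environment.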

Related Skills

  • GitHub -- securely inject deploy keys and tokens for CI/CD
  • Coding Agent -- run coding agents with secrets injected via op run
  • Notion -- securely store and retrieve your Notion API key
  • Slack -- manage Slack bot tokens securely through 1Password

FAQ

How does the 1Password skill keep secrets safe?

The skill uses op run and op inject to pass secrets directly to processes as environment variables or inject them into config files at runtime. Secrets are never pasted into chat, logged to output, or written to disk. The agent operates within a tmux session for secure authentication.

Does the 1Password skill require the desktop app?

The desktop app integration is recommended for the smoothest sign-in experience. When enabled, the CLI authenticates through the desktop app (biometric unlock). Without it, you can use op account add for standalone CLI authentication.

Can the 1Password skill work with multiple accounts?

Yes. The skill supports multiple 1Password accounts. Use the --account flag or OP_ACCOUNT environment variable to specify which account to use for each operation.

Why does the 1Password skill use tmux?

OpenClaw's shell tool uses a fresh TTY per command, which causes re-authentication prompts for op. Running op inside a dedicated tmux session maintains the authentication state across multiple commands, avoiding repeated sign-in prompts.
