1password-cli
Install
Install the containing plugin
/plugin install ci-cd@llm-skills
Invoke this skill after installation
/ci-cd:1password-cli
This skill is bundled inside ci-cd. Install the plugin once, then Claude Code can use any of its included skills. Browse the full plugin repository at github.com/alisonaquinas/llm-ci-dev.
SKILL.md
name: 1password-cli
description: Access 1Password secrets and run commands via op CLI. Use when tasks mention 1password-cli, op, 1Password, secret references (op://), op run, or service account tokens.
1Password CLI
Intent Router
| Request | Reference | Load When |
|---|---|---|
| Install, first-time setup, env vars | references/install-and-setup.md | User needs to install op or configure service account tokens |
| CLI commands, item operations | references/command-cookbook.md | User needs signin/item get/list/create/edit/delete/read/run commands |
| Secret references, op run, inject | references/secret-references-and-op-run.md | User asks about op:// syntax, op run, op inject, or .env file injection |
| Service accounts, Connect server | references/service-accounts-and-connect.md | User asks about OP_SERVICE_ACCOUNT_TOKEN, Connect server, or machine auth |
Quick Start
```sh
# 1. Install (macOS)
brew install 1password-cli
# 2. Sign in
op signin
# 3. List vaults
op vault list
# 4. Retrieve a secret field
op item get "My App" --vault "Private" --fields password
# 5. Inject secrets into a command via secret references
op run -- env
```
Core Command Tracks
- Sign in: `op signin`, `op account list`
- Read a field: `op read "op://vault/item/field"`
- Get item: `op item get <name> --vault <vault> --format json`
- List items: `op item list --vault <vault>`
- Create/edit/delete: `op item create`, `op item edit`, `op item delete`
- Inject and run: `op run -- <command>`, `op inject -i template.env`
- Documents: `op document get <name>`
Safety Guardrails
- Never commit `OP_SERVICE_ACCOUNT_TOKEN` or session tokens to version control; use encrypted CI/CD secret storage.
- Scope service accounts to the minimum set of vaults required.
- Prefer `op run` or `op inject` over extracting secrets into shell variables that may appear in logs.
- Rotate service account tokens regularly and revoke tokens for decommissioned pipelines.
- Use secret references (`op://vault/item/field`) in config files instead of hardcoded values.
- Avoid logging the output of `op read` or `op item get` in CI pipelines.
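One way to enforce the guardrails on secret references and committed tokens before a template reaches version control, as an added example that is not part of the skill's own files: a POSIX shell linter for an env template such as the `.env.tpl` passed to `op inject`. The policy, the function names `lint_env_template` and `lint_sample`, and the sample vault, item and key names are assumptions made for the example.

```sh
# Added example: flag anything in an env template that is not a secret reference.
# Assumed policy: each KEY=VALUE is empty or op://vault/item[/section]/field, bare or in {{ }}.

lint_env_template() {
    # Prints "<line>:<KEY>:<reason>" per finding, never the value itself.
    # Returns 1 when anything was flagged, 0 when the file is clean.
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        line = $0
        sub(/^[ \t]*(export[ \t]+)?/, "", line)
        eq = index(line, "=")
        if (eq == 0) { print NR ":?:not KEY=VALUE"; bad = 1; next }
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)        # trim blanks and double quotes
        if (substr(val, 1, 2) == "{{" && substr(val, length(val) - 1) == "}}") {
            val = substr(val, 3, length(val) - 4) # unwrap the enclosed form
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        if (val == "") next
        if (val ~ /^ops_/) { print NR ":" key ":service account token"; bad = 1; next }
        if (val !~ /^op:\/\//) { print NR ":" key ":hardcoded value"; bad = 1; next }
        n = split(substr(val, 6), seg, "/")       # parts after the op:// prefix
        sub(/\?.*$/, "", seg[n])                  # ignore a ?attribute= query
        ok = (n == 3 || n == 4)
        for (i = 1; i <= n; i++) if (seg[i] == "") ok = 0
        if (!ok) { print NR ":" key ":malformed secret reference"; bad = 1 }
    }
    END { exit bad + 0 }
    ' "$1"
}

lint_sample() {
    # Constructed sample input; vault, item and key names are made up.
    sample=$(mktemp)
    printf '%s\n' '# app settings' \
        'DB_PASSWORD=op://app-prod/database/password' \
        'API_KEY="{{ op://app-prod/api/credentials/key }}"' \
        'DEBUG=' \
        'LEGACY_KEY=constructed-plaintext-value' \
        'BROKEN=op://app-prod/database' \
        'OP_SERVICE_ACCOUNT_TOKEN=ops_constructed_placeholder' > "$sample"
    lint_env_template "$sample" && rc=0 || rc=$?
    rm -f "$sample"
    return "$rc"
}

# With a path argument lint that file; with none, lint the built-in sample.
if [ "$#" -gt 0 ]; then lint_env_template "$1"; else lint_sample || true; fi
```

Run from a pre-commit hook or CI step, the non-zero return blocks the change while the report names only the line and key, so the flagged value never lands in a log.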
Workflow
- Install `op` and authenticate with `op signin` or set `OP_SERVICE_ACCOUNT_TOKEN`.
- Verify access with `op vault list` and `op item list`.
- Use `op read "op://vault/item/field"` to retrieve individual field values.
- Use `op run -- <command>` to inject secrets as environment variables for a single command.
- Use `op inject -i .env.tpl -o .env` for file-based secret injection.
- In CI/CD, set `OP_SERVICE_ACCOUNT_TOKEN` as an encrypted secret and use `op run` in pipeline steps.
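```sh
# CI service account example: inject secrets without interactive sign-in
# In a pipeline the token comes from the CI system's encrypted secret storage.
export OP_SERVICE_ACCOUNT_TOKEN="ops_eyJzaWduSW5BZGRyZXNzIjoiaHR0cHM..."
# Assumes MY_API_KEY is set to a secret reference (op://vault/item/field) in the job environment.
op run -- printenv | grep MY_API_KEY
```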
Related Skills
- aws — AWS CLI; combine with 1Password to retrieve AWS credentials at runtime
- ci-architecture — patterns for secret injection using op run in GitHub Actions or GitLab CI
- direnv — using `.envrc` with `op run` for local development secret loading
- aws-secretsmanager — AWS-native alternative for secrets stored in AWS environments
References
- references/install-and-setup.md
- references/command-cookbook.md
- references/secret-references-and-op-run.md
- references/service-accounts-and-connect.md
- CLI reference: https://developer.1password.com/docs/cli/reference/
- Service accounts: https://developer.1password.com/docs/service-accounts/