bitwarden-cli
Install
Install the containing plugin
/plugin install ci-cd@llm-skills
Invoke this skill after installation
/ci-cd:bitwarden-cli
This skill is bundled inside ci-cd. Install the plugin once, then Claude Code can use any of its included skills. Browse the full plugin repository at github.com/alisonaquinas/llm-ci-dev.
SKILL.md
name: bitwarden-cli
description: Access and manage Bitwarden vault items via the bw CLI. Use when tasks mention bitwarden-cli, bw, Bitwarden vault, BW_SESSION, or managing passwords with Bitwarden.
Bitwarden CLI
Intent Router
| Request | Reference | Load When |
|---|---|---|
| Install, first-time setup, env vars | references/install-and-setup.md | User needs to install bw or configure server/session |
| CLI commands, get/list/create items | references/command-cookbook.md | User needs login/unlock/sync/get/list/create/edit/delete commands |
| Session lifecycle, API key auth | references/auth-and-session.md | User asks about BW_SESSION, API key auth, or scripted/CI auth |
| Item types, filtering, export | references/item-operations-and-filtering.md | User asks about item types, search filters, JSON templates, or bulk export |
Quick Start
```bash
# 1. Install (npm)
npm install -g @bitwarden/cli

# 2. Log in and unlock — capture the session key
export BW_SESSION=$(bw login --raw)
# Or if already logged in:
export BW_SESSION=$(bw unlock --raw)

# 3. Sync vault
bw sync

# 4. Retrieve a password
bw get password "My App Login"
```
Core Command Tracks
- Login/logout: `bw login`, `bw logout`
- Unlock and session: `bw unlock --raw` → export `BW_SESSION`
- Sync vault: `bw sync`
- Get item: `bw get item <id-or-name>`, `bw get password <id>`, `bw get notes <id>`
- List items: `bw list items --search <term>`
- Create/edit/delete: `bw create item`, `bw edit item <id>`, `bw delete item <id>`
- Session flag: `bw get item <id> --session $BW_SESSION`
Safety Guardrails
- Never store `BW_SESSION` or master password in plaintext files or version control.
- Session keys expire — regenerate with `bw unlock --raw` for each pipeline run.
- Use API key authentication (`BW_CLIENTID` / `BW_CLIENTSECRET`) for headless CI/CD; store keys as encrypted secrets.
- Prefer `bw get password` over `bw get item` when only the password field is needed to limit data exposure.
- Run `bw lock` after automated operations to clear the session from memory.
- Grant collection access at the minimum scope required for each service account.
Workflow
- Install `bw` and run `bw config server <url>` for self-hosted instances.
- Authenticate with `bw login` (interactive) or API key (headless).
- Unlock the vault with `bw unlock --raw` and capture the session key.
- Run `bw sync` to pull the latest vault state.
- Use `bw get` or `bw list` to retrieve secrets.
- Run `bw lock` when finished.
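```bash
# Headless API key auth pattern for CI (no interactive prompt)
# The values below are placeholders; inject the real ones from the CI secret store.
export BW_CLIENTID="user.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
export BW_CLIENTSECRET="XXXXXXXXXXXXXXXXXXXXXXXX"
bw login --apikey
# API key login does not unlock the vault: unlock needs the master password.
# BW_PASSWORD is an assumed variable name for the secret that holds it.
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
bw get password "My CI Token"
```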
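The workflow and guardrails above as a single shell function, added here as an example (not code from the plugin or from Bitwarden): it logs in with the API key, unlocks, syncs, prints only the password field, and locks the vault whether or not retrieval succeeds. `fetch_secret` and `BW_PASSWORD` (a CI secret holding the master password) are assumed names.

```bash
# Added example, not part of the plugin. Assumed names: fetch_secret, and
# BW_PASSWORD (a CI secret holding the master password that `bw unlock` needs).
# Usage: TOKEN=$(fetch_secret "My CI Token")
fetch_secret() (
  item=$1
  set +x   # xtrace would copy the session key into the job log

  # Refuse to start if a credential is missing; name it, never print a value.
  for var in BW_CLIENTID BW_CLIENTSECRET BW_PASSWORD; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || { echo "fetch_secret: $var is not set" >&2; exit 2; }
  done

  # Headless login; status text is discarded so stdout carries only the secret.
  bw login --apikey >/dev/null || exit 3

  # The session key lives only in this subshell's environment, never on disk.
  BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw) || exit 4
  export BW_SESSION

  # Sync, then fetch the password field only (not the whole item).
  rc=0
  { bw sync >/dev/null && bw get password "$item"; } || rc=$?

  # Lock on success and on failure alike, then report the retrieval status.
  bw lock >/dev/null 2>&1 || echo "fetch_secret: bw lock failed" >&2
  exit "$rc"
)
```

Because the function body is a subshell, `BW_SESSION` never reaches the calling job's environment, so later pipeline steps cannot read it.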
Related Skills
- ci-architecture — patterns for injecting secrets from Bitwarden into pipeline jobs
- direnv — using `.envrc` to populate environment variables from Bitwarden sessions
References
- references/install-and-setup.md
- references/command-cookbook.md
- references/auth-and-session.md
- references/item-operations-and-filtering.md
- Official CLI docs: https://bitwarden.com/help/cli/
- Source and issues: https://github.com/bitwarden/cli