Menü
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands.
| name | 1password |
| description | Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands. |
| version | 1.0.0 |
| author | arceus77-7, enhanced by Hermes Agent |
| license | MIT |
| platforms | ["linux","macos","windows"] |
| metadata | {"hermes":{"tags":["security","secrets","1password","op","cli"],"category":"security"}} |
| setup | {"help":"Create a service account at https://my.1password.com → Settings → Service Accounts","collect_secrets":[{"env_var":"OP_SERVICE_ACCOUNT_TOKEN","prompt":"1Password Service Account Token","provider_url":"https://developer.1password.com/docs/service-accounts/","secret":true}]} |
Use this skill when the user wants secrets managed through 1Password instead of plaintext env vars or files.
op) installedOP_SERVICE_ACCOUNT_TOKEN), or Connect servertmux available for stable authenticated sessions during Hermes terminal calls (desktop app flow only)op signinop://Vault/Item/fieldop injectop runSet OP_SERVICE_ACCOUNT_TOKEN in ~/.hermes/.env (the skill will prompt for this on first load).
No desktop app needed. Supports op read, op inject, op run.
export OP_SERVICE_ACCOUNT_TOKEN="your-token-here"
op whoami # verify — should show Type: SERVICE_ACCOUNT
op signin and approve the biometric promptexport OP_CONNECT_HOST="http://localhost:8080"
export OP_CONNECT_TOKEN="your-connect-token"
# macOS
brew install 1password-cli
# Linux (official package/install docs)
# See references/get-started.md for distro-specific links.
# Windows (winget)
winget install AgileBits.1Password.CLI
op --version
Hermes terminal commands are non-interactive by default and can lose auth context between calls.
For reliable op use with desktop app integration, run sign-in and secret operations inside a dedicated tmux session.
Note: This is NOT needed when using OP_SERVICE_ACCOUNT_TOKEN — the token persists across terminal calls automatically.
SOCKET_DIR="${TMPDIR:-/tmp}/hermes-tmux-sockets"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/hermes-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
# Sign in (approve in desktop app when prompted)
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "eval \"\$(op signin --account my.1password.com)\"" Enter
# Verify auth
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
# Example read
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op read 'op://Private/Npmjs/one-time password?attribute=otp'" Enter
# Capture output when needed
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
# Cleanup
tmux -S "$SOCKET" kill-session -t "$SESSION"
op read "op://app-prod/db/password"
op read "op://app-prod/npm/one-time password?attribute=otp"
echo "db_password: {{ op://app-prod/db/password }}" | op inject
export DB_PASSWORD="op://app-prod/db/password"
op run -- sh -c '[ -n "$DB_PASSWORD" ] && echo "DB_PASSWORD is set" || echo "DB_PASSWORD missing"'
op run / op inject instead of writing secrets into files.op signin again in the same tmux session.For non-interactive use, authenticate with OP_SERVICE_ACCOUNT_TOKEN and avoid interactive op signin.
Service accounts require CLI v2.18.0+.
references/get-started.mdreferences/cli-examples.mdJoin a Google Meet call, transcribe live captions, optionally speak in realtime, and do the followup work afterwards. Use when the user asks the agent to sit in on a meeting, take notes, summarize, respond in-call, or action items from it.
Parallel 3-agent cleanup of recent code changes.
Delegate coding to OpenAI Codex CLI (features, PRs).
Gmail, Calendar, Drive, Docs, Sheets via gws CLI or Python.
Configure, extend, or contribute to Hermes Agent.
Modify, debug, or extend the s6-overlay supervision tree inside the Hermes Agent Docker image — adding new services, debugging profile gateways, understanding the Architecture B main-program pattern.