| name | 1password |
| description | Set up and use 1Password CLI for sign-in, desktop integration, and reading or injecting secrets. |
| homepage | https://developer.1password.com/docs/cli/get-started/ |
| metadata | {"openclaw":{"emoji":"🔐","requires":{"bins":["op"]},"install":[{"id":"brew","kind":"brew","formula":"1password-cli","bins":["op"],"label":"Install 1Password CLI (brew)"}]}} |
1Password CLI
Follow the official CLI get-started steps. Don't guess install commands.
References
references/get-started.md (install + app integration + sign-in flow)
references/cli-examples.md (real op examples)
Workflow
- Check OS + shell.
- Verify CLI present: op --version.
- Confirm desktop app integration is enabled (per get-started) and the app is unlocked.
- REQUIRED: create a fresh tmux session for all op commands (no direct op calls outside tmux).
- Sign in / authorize inside tmux: op signin (expect app prompt).
- Verify access inside tmux: op whoami (must succeed before any secret read).
- If multiple accounts: use --account or OP_ACCOUNT.
REQUIRED tmux session (tmux)
The shell tool uses a fresh TTY per command. To avoid re-prompts and failures, always run op inside a dedicated tmux session with a fresh socket/session name.
Example (see tmux skill for socket conventions, do not reuse old session names):
SOCKET_DIR="${OPENCLAW_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/openclaw-tmux-sockets}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/openclaw-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op signin --account my.1password.com" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op vault list" Enter
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
tmux -S "$SOCKET" kill-session -t "$SESSION"
Guardrails
- Never paste secrets into logs, chat, or code.
- Prefer op run / op inject over writing secrets to disk.
- If sign-in without app integration is needed, use op account add.
- If a command returns "account is not signed in", re-run op signin inside tmux and authorize in the app.
- Do not run op outside tmux; stop and ask if tmux is unavailable.
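One way to enforce the workflow and guardrails above from inside the tmux session, as an added example that is not part of this skill or of 1Password's documentation. The function names, return codes, the "references only" env-file policy, and the app.env / ./deploy.sh names in the usage comment are assumptions made for illustration.

```shell
# Added example; function names and return codes are hypothetical, not part of the skill.
# Codes: 10 op missing, 11 not in tmux, 12 not signed in, 13 env file rejected.

op_preflight() {
  command -v op >/dev/null 2>&1 || { echo "op CLI not found" >&2; return 10; }
  # tmux exports TMUX in every shell it starts; empty means we are outside tmux.
  [ -n "${TMUX:-}" ] || { echo "refusing to run op outside tmux" >&2; return 11; }
  # whoami must succeed before any secret read; its output is discarded, not logged.
  op whoami >/dev/null 2>&1 || { echo "not signed in; re-run op signin inside tmux" >&2; return 12; }
}

# Policy assumed here: every assignment in the env file is an op:// secret
# reference, so no literal secret sits on disk. Only variable names are reported.
env_file_is_refs_only() {
  ef_path=$1 ef_bad=0
  while IFS= read -r ef_line || [ -n "$ef_line" ]; do
    case $ef_line in
      ''|\#*) continue ;;
      *=*) ;;
      *) echo "malformed line in $ef_path" >&2; ef_bad=1; continue ;;
    esac
    ef_value=${ef_line#*=}
    ef_value=${ef_value#\"}
    ef_value=${ef_value#\'}
    case $ef_value in
      op://*) ;;
      *) echo "literal value for ${ef_line%%=*} in $ef_path" >&2; ef_bad=1 ;;
    esac
  done < "$ef_path"
  return "$ef_bad"
}

# Usage (inside the tmux session): op_run_guarded app.env ./deploy.sh
op_run_guarded() {
  og_env=$1; shift
  op_preflight || return $?
  env_file_is_refs_only "$og_env" || return 13
  # op run resolves the references and passes them to the child via its environment.
  op run --env-file="$og_env" -- "$@"
}
```

The exit status of the wrapped command is passed through unchanged, so a caller can tell a guardrail refusal (10 to 13) from a failure of the command itself.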