Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

pass-cli

Retrieve credentials (passwords, API keys, tokens, SSH keys, secrets) from Proton Pass via the `pass-cli` agent CLI. Use whenever a task needs a login/secret to access a tool, website, database, or API — or when the user mentions Proton Pass, pass-cli, a vault, or "get the credentials/password/token for X". Covers session setup with a Personal Access Token, the mandatory access-reason for reading items, vault/item discovery, and auto-recovery from an expired session.

Ejecutar en Manus

Estrellas1

Forks0

Actualizado8 de junio de 2026, 06:06

Fuente

RB-chrismandich

RB-chrismandich/Manifest

Abrir repositorio de GitHub Ver repositorios del creador

Comando de instalación

Descarga

Ejecutar en Manus

SKILL.md

readonly

name

pass-cli

description

Retrieve Credentials with pass-cli (Proton Pass)

Fetch secrets on demand from Proton Pass using the official pass-cli. This skill is the procedure for authenticating an agent session and reading items/fields.

This skill is backed by the pass-cli binary. The canonical instructions can always be re-printed with pass-cli agent instructions.

Security rules (read first)

Authentication is the end user's step — not the agent's. Before doing anything else, run pass-cli info to check for a live session. If it's not authenticated, do not attempt login yourself: present the login steps (below) to the user, ask them to run them, and wait for confirmation that pass-cli info succeeds before proceeding. This keeps the PAT out of the agent/chat entirely.
The Personal Access Token (PAT) is supplied by the user at runtime. Never hardcode, invent, commit, or store a PAT in files, skills, or memory. If the user chooses to have the agent run login, pass the PAT only via the PROTON_PASS_PERSONAL_ACCESS_TOKEN environment variable on the login line.
Every read/write of an item requires a reason. Set PROTON_PASS_AGENT_REASON to a brief, honest description of why you need that item/field on the same command.
Don't echo secrets unnecessarily. Retrieve the specific field you need (--field <name>) and use it for the task; avoid printing full item contents or pasting secrets into logs/PRs/chat.
Use an isolated session directory so this agent's session can't collide with others.

When to use

A task requires logging into a tool/website/DB/API and the credential lives in Proton Pass.
The user says "get the password / API key / token for X" or references a vault/item.
A previously working pass-cli command starts failing with an auth error (re-auth).

Procedure

1. Confirm the CLI is installed

pass-cli --version

If missing, see https://protonpass.github.io/pass-cli/get-started/installation/ for platform install steps, then re-check.

2. Ensure an active, isolated session

First check whether a session already exists (exit 0 + account details means yes):

pass-cli info

If already authenticated, skip ahead to step 3.

If not authenticated, hand the login to the user. Present these steps and ask them to run them (so the PAT never passes through the agent or chat history), then wait for them to confirm pass-cli info returns success:

# 1) Isolate this session from other pass-cli sessions
export PROTON_PASS_SESSION_DIR="/tmp/pass-agent-<unique-name>"

# 2) Log in with your Personal Access Token
PROTON_PASS_PERSONAL_ACCESS_TOKEN="<your-PAT>" pass-cli login

# 3) Confirm
pass-cli info

Only run the login command yourself if the user has explicitly asked the agent to do so and has provided the PAT for that purpose — and even then, never store it.

3. Verify access to resources

pass-cli vault list --output json    # vaults the agent can access
pass-cli share list --output json    # vaults + directly-shared items granted

If you cannot see the expected vaults, stop and report the exact error output to the user rather than guessing.

4. Discover items

pass-cli item list --vault-name "<Name>" --output json   # items in one vault
pass-cli item list --output json                          # all accessible items

5. Read an item or a single field (REASON REQUIRED)

# Whole item
PROTON_PASS_AGENT_REASON="Brief why this item is accessed" pass-cli item view \
  --vault-name "Vault Name" --item-title "Item Title"

# Direct pass:// URI
PROTON_PASS_AGENT_REASON="..." pass-cli item view "pass://SHARE_ID/ITEM_ID"

# Just one field (preferred — least exposure)
PROTON_PASS_AGENT_REASON="..." pass-cli item view \
  --vault-name "Vault" --item-title "DB" --field password

Commands that require PROTON_PASS_AGENT_REASON: item view, item create* (e.g. item create login, item create ssh-key), item update, item trash, item untrash, vault update.

Session & connection health

pass-cli info    # account type + session details
pass-cli test    # verify connectivity to the Proton Pass API

Auto-recovery from a dropped session

Before any pass-cli command in a long task, re-check pass-cli info. If a command fails with an authentication error:

pass-cli logout --force # clear the stale session
Re-run the login from step 2 (PAT via env var)
pass-cli info # confirm logged in
Retry the original command

If any command fails, read the full output (error message, exit code, hints — auth failure, permission denied, invalid params) before retrying.

Quick reference

pass-cli agent instructions                            # re-print these instructions
pass-cli login                                         # authenticate with PAT from env
pass-cli logout [--force]                              # end session (force if logout errors)
pass-cli vault list --output json                      # list vaults
pass-cli share list --output json                      # list vaults + shared items
pass-cli item list --vault-name <NAME> --output json   # list items in a vault
PROTON_PASS_AGENT_REASON="..." pass-cli item view \
  --vault-name <VAULT> --item-title <TITLE> [--field <FIELD>]   # read item/field

Full docs: https://protonpass.github.io/pass-cli/

Más de este repositorio

mismo repositorio

spec-review

RB-chrismandich/Manifest

Cross-reference a project's spec / plan / tasks artifacts for internal consistency using an independent model (Gemini), and surface structured remediation guidance (Location / Gap / Recommended Direction / Reason Why). Analysis-only — never edits artifacts. Works with both speckit (spec.md/plan.md/tasks.md) and superpowers (design + plan-with-embedded-tasks) layouts. Auto-discovers artifacts, or pass explicit paths.

2026-06-091

health-check

RB-chrismandich/Manifest

Verify CLI tool availability, authentication status, config syntax, MCP connectivity, and symlink integrity for the Manifest environment.

2026-06-081

issue-triage

RB-chrismandich/Manifest

Comprehensive Linear issue audit: validate prioritization, identify duplicates and overlapping issues, detect stale/obsolete issues, produce clean actionable backlog

2026-06-081

skill-evolve

RB-chrismandich/Manifest

Turn SkillClaw's evolved skills into a reviewed PR into .skillshare/skills/. Dry-run by default (shows the diff table and makes no changes); --apply opens a single review PR with one commit per skill. Requires the SkillClaw daemon (enable via ./bootstrap.sh --enable-skillclaw). Never writes to the source of truth directly — every change goes through PR review.

2026-06-081

sync-configs

RB-chrismandich/Manifest

Verify cross-platform configuration consistency, check symlink integrity, and detect config drift between Claude, Cursor, Gemini, and Codex platforms.

2026-06-081

branch-clean

RB-chrismandich/Manifest

Identify and safely prune stale git branches — merged into the default branch, tracking a deleted remote ([gone]), or stale beyond a threshold. Dry-run by default, local-only by default (remote deletion is opt-in), and never touches protected or currently checked-out branches.

2026-06-031

name

pass-cli

description

Retrieve Credentials with pass-cli (Proton Pass)

Fetch secrets on demand from Proton Pass using the official pass-cli. This skill is the procedure for authenticating an agent session and reading items/fields.

This skill is backed by the pass-cli binary. The canonical instructions can always be re-printed with pass-cli agent instructions.

Security rules (read first)

Authentication is the end user's step — not the agent's. Before doing anything else, run pass-cli info to check for a live session. If it's not authenticated, do not attempt login yourself: present the login steps (below) to the user, ask them to run them, and wait for confirmation that pass-cli info succeeds before proceeding. This keeps the PAT out of the agent/chat entirely.
The Personal Access Token (PAT) is supplied by the user at runtime. Never hardcode, invent, commit, or store a PAT in files, skills, or memory. If the user chooses to have the agent run login, pass the PAT only via the PROTON_PASS_PERSONAL_ACCESS_TOKEN environment variable on the login line.
Every read/write of an item requires a reason. Set PROTON_PASS_AGENT_REASON to a brief, honest description of why you need that item/field on the same command.
Don't echo secrets unnecessarily. Retrieve the specific field you need (--field <name>) and use it for the task; avoid printing full item contents or pasting secrets into logs/PRs/chat.
Use an isolated session directory so this agent's session can't collide with others.

When to use

A task requires logging into a tool/website/DB/API and the credential lives in Proton Pass.
The user says "get the password / API key / token for X" or references a vault/item.
A previously working pass-cli command starts failing with an auth error (re-auth).

Procedure

1. Confirm the CLI is installed

pass-cli --version

If missing, see https://protonpass.github.io/pass-cli/get-started/installation/ for platform install steps, then re-check.

2. Ensure an active, isolated session

First check whether a session already exists (exit 0 + account details means yes):

pass-cli info

If already authenticated, skip ahead to step 3.

# 1) Isolate this session from other pass-cli sessions
export PROTON_PASS_SESSION_DIR="/tmp/pass-agent-<unique-name>"

# 2) Log in with your Personal Access Token
PROTON_PASS_PERSONAL_ACCESS_TOKEN="<your-PAT>" pass-cli login

# 3) Confirm
pass-cli info

Only run the login command yourself if the user has explicitly asked the agent to do so and has provided the PAT for that purpose — and even then, never store it.

3. Verify access to resources

pass-cli vault list --output json    # vaults the agent can access
pass-cli share list --output json    # vaults + directly-shared items granted

If you cannot see the expected vaults, stop and report the exact error output to the user rather than guessing.

4. Discover items

pass-cli item list --vault-name "<Name>" --output json   # items in one vault
pass-cli item list --output json                          # all accessible items

5. Read an item or a single field (REASON REQUIRED)

# Whole item
PROTON_PASS_AGENT_REASON="Brief why this item is accessed" pass-cli item view \
  --vault-name "Vault Name" --item-title "Item Title"

# Direct pass:// URI
PROTON_PASS_AGENT_REASON="..." pass-cli item view "pass://SHARE_ID/ITEM_ID"

# Just one field (preferred — least exposure)
PROTON_PASS_AGENT_REASON="..." pass-cli item view \
  --vault-name "Vault" --item-title "DB" --field password

Commands that require PROTON_PASS_AGENT_REASON: item view, item create* (e.g. item create login, item create ssh-key), item update, item trash, item untrash, vault update.

Session & connection health

pass-cli info    # account type + session details
pass-cli test    # verify connectivity to the Proton Pass API

Auto-recovery from a dropped session

Before any pass-cli command in a long task, re-check pass-cli info. If a command fails with an authentication error:

pass-cli logout --force # clear the stale session
Re-run the login from step 2 (PAT via env var)
pass-cli info # confirm logged in
Retry the original command

If any command fails, read the full output (error message, exit code, hints — auth failure, permission denied, invalid params) before retrying.

Quick reference

pass-cli agent instructions                            # re-print these instructions
pass-cli login                                         # authenticate with PAT from env
pass-cli logout [--force]                              # end session (force if logout errors)
pass-cli vault list --output json                      # list vaults
pass-cli share list --output json                      # list vaults + shared items
pass-cli item list --vault-name <NAME> --output json   # list items in a vault
PROTON_PASS_AGENT_REASON="..." pass-cli item view \
  --vault-name <VAULT> --item-title <TITLE> [--field <FIELD>]   # read item/field

Full docs: https://protonpass.github.io/pass-cli/