// Use when working with the 1Password CLI (`op` command) for secrets management, retrieving API keys, injecting secrets into development environments, or any task involving 1Password vault operations. Triggers on: "1password", "op command", "secrets management", "api keys from vault", "op run", "op read", "service account token".
| name | 1password-cli |
| description | Use when working with the 1Password CLI (`op` command) for secrets management, retrieving API keys, injecting secrets into development environments, or any task involving 1Password vault operations. Triggers on: "1password", "op command", "secrets management", "api keys from vault", "op run", "op read", "service account token". |
Use this skill when working with the 1Password CLI (op command) for secrets management, retrieving API keys, or injecting secrets into development environments.
# macOS
brew install 1password-cli
# Verify installation
op --version
Enable biometric authentication (Touch ID/Windows Hello) through the 1Password desktop app:
op command - you'll be prompted to authenticate# This will prompt for biometric auth
op vault list
For automated environments without user interaction:
# Set the service account token as environment variable
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
# Now commands work without prompts
op vault list
Create service accounts in 1Password.com > Developer Tools > Service Accounts.
# Sign in and create a session
eval $(op signin)
# Or for a specific account
eval $(op signin --account my-team.1password.com)
Secret references use the URI format: op://vault/item/[section/]field
op://vault-name/item-name/field-name # Simple field
op://vault-name/item-name/section/field-name # Field in a section
op://Private/GitHub/password # Example: GitHub password
op://dev/Stripe/publishable-key # Example: Stripe key
# Get reference for a specific field
op item get "GitHub" --vault Private --fields password --format json | jq -r '.reference'
# Output: op://Private/GitHub/password
# Using secret reference
op read "op://vault-name/item-name/field-name"
# Examples
op read "op://Private/API Keys/openai-key"
op read "op://dev/Database/password"
# Get full item as JSON
op item get "item-name" --vault "vault-name" --format json
# Get specific field
op item get "GitHub" --fields password
# Get multiple fields
op item get "Database" --fields username,password
# List all vaults
op vault list
# List items in a vault
op item list --vault "Private"
# Search for items
op item list --tags api-key
op runThe most secure way to use secrets - they exist only during command execution:
# Set secret reference in environment
export DB_PASSWORD="op://app-prod/database/password"
# Run command with secrets injected
op run -- ./my-script.sh
# Secrets are automatically masked in output
op run -- printenv DB_PASSWORD # Shows: <concealed by 1Password>
# Disable masking if needed
op run --no-masking -- printenv DB_PASSWORD
Create a .env file with secret references:
# .env file
DATABASE_URL="op://dev/postgres/connection-string"
API_KEY="op://dev/my-api/key"
SECRET_TOKEN="op://dev/app/secret-token"
Run with the env file:
op run --env-file=.env -- npm start
op run --env-file=.env -- python app.py
Use variables to switch between environments:
# .env file with variable
DB_PASSWORD="op://$APP_ENV/database/password"
# Switch environments
APP_ENV=dev op run --env-file=.env -- ./start.sh
APP_ENV=prod op run --env-file=.env -- ./start.sh
# Get a single API key
OPENAI_KEY=$(op read "op://Private/OpenAI/api-key")
# Use in a command
curl -H "Authorization: Bearer $(op read 'op://Private/OpenAI/api-key')" ...
# Create .env.local with secret references
cat > .env.local << 'EOF'
SUPABASE_URL="op://dev/Supabase/url"
SUPABASE_KEY="op://dev/Supabase/service-role-key"
ANTHROPIC_API_KEY="op://dev/Anthropic/api-key"
EOF
# Start development server with secrets
op run --env-file=.env.local -- npm run dev
# Export secrets for current shell session
export GITHUB_TOKEN=$(op read "op://Private/GitHub/token")
export NPM_TOKEN=$(op read "op://Private/npm/token")
#!/bin/bash
# deploy.sh - uses 1Password for secrets
# Ensure we have access
op whoami > /dev/null 2>&1 || eval $(op signin)
# Get deployment credentials
DEPLOY_KEY=$(op read "op://prod/deploy/ssh-key")
API_TOKEN=$(op read "op://prod/api/token")
# Use in deployment...
# Create API key item
op item create \
--category "API Credential" \
--title "My API Key" \
--vault "dev" \
--fields "api-key=sk-abc123"
# Create login item
op item create \
--category Login \
--title "Service Account" \
--vault Private \
--fields "username=admin,password=secret123"
# Update a field
op item edit "My API Key" --vault dev "api-key=sk-newkey456"
op item delete "Old API Key" --vault dev
Use Service Accounts for CI/CD: Never use personal credentials in automated environments
Limit Vault Access: Service accounts should only access vaults they need
Use op run Over Export: Secrets only exist during command execution, not in shell history
Avoid Logging Secrets: op run masks secrets by default - keep it enabled
Rotate Service Account Tokens: Regularly rotate tokens used in CI/CD pipelines
Use Secret References in Code: Store references, not secrets, in configuration files
Audit Access: Review service account usage reports in 1Password.com
# Check current session
op whoami
# Sign in again
eval $(op signin)
# Or set service account token
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
# List available vaults to verify access
op vault list
# Search for the item
op item list --vault "vault-name" | grep "item-name"
| Command | Description |
|---|---|
op vault list | List all accessible vaults |
op item list --vault X | List items in vault X |
op item get "Name" | Get item details |
op read "op://..." | Read a secret value |
op run -- cmd | Run command with secrets |
op run --env-file=.env -- cmd | Run with .env secrets |
op whoami | Check current session |
op signin | Sign in interactively |
Builds simple Three.js web apps with scene setup, lighting, geometry, materials, animation, and responsive rendering. Use when creating or prototyping 3D web scenes with modern Three.js (r150+).
Comprehensive guide for developing WebGPU-enabled Three.js applications using TSL (Three.js Shading Language). Covers WebGPU renderer setup, node materials, compute shaders, post-processing, and WGSL integration. Use when working with Three.js WebGPU, TSL shaders, or GPU compute pipelines.
Create algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use when users request generative art, algorithmic art, flow fields, or particle systems. Create original works rather than copying existing artists.
Use when starting creative work (features, components, functionality, or behavior changes) to clarify user intent, requirements, and design before implementation.
Helps users discover and install agent skills. Use when they ask "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities with installable skills.
A set of resources for writing internal communications in company-preferred formats. Use when asked to draft status reports, leadership updates, 3P updates, company newsletters, FAQs, incident reports, or project updates.