op-cli_skill
- TypeScript
36
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill 0xbigboss/claude-code --skill op-cli- SKILL.md3.8 KB
Overview
This skill provides secure 1Password CLI (op) patterns for reading secrets, discovering vaults and items, and piping credentials to other tools without exposing secret values. It focuses on safe retrieval, discovery workflows, piping into consumers (wrangler, kubectl, subshells), and verification techniques that avoid printing secrets to stdout. Use it to integrate 1Password into automation while maintaining secrecy and auditability.
How this skill works
The skill teaches using op item get with item IDs and vaults, piping revealed values directly into consuming commands, and using safe verification commands like wc -c or cmp that only return exit status or counts. It shows discovery steps for finding item IDs, handling item titles that contain slashes (which break op:// URIs), and common piping patterns for wrangler, kubectl, and environment-variable use in subshells. Troubleshooting entries map common op errors to concrete fixes.
When to use it
- Reading secrets from 1Password for deployment or automation without exposing values.
- Rotating credentials and piping new secrets into service CLIs (wrangler, kubectl, etc.).
- Discovering vault items when you only know a path-like title or need an item ID.
- Verifying secret presence or equality without printing secret contents.
- Scripting CI/CD tasks that consume 1Password secrets securely.
Best practices
- Never print secret values in logs or terminal output; always pipe directly to the consumer.
- Prefer item IDs over op:// URIs when titles include slashes to avoid parsing errors.
- Use 2>/dev/null and wc -c or cmp to verify values without revealing them.
- Keep sessions fresh with eval "$(op signin)" but never echo or log the session token.
- Limit visibility by piping to stdin (e.g., kubectl --from-file=/dev/stdin) instead of writing files.
Example use cases
- Pipe a password into Cloudflare Workers: op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | npx wrangler secret put NAME --env ENV
- Load a token into a subshell variable without printing: SECRET="$(op item get ITEM_ID --vault VAULT --fields label=TOKEN --reveal 2>/dev/null)"
- Discover an item ID when you only know the vault: op item list --vault VAULT_NAME then use the ID with op item get
- Check a secret is non-empty using character count: op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal 2>/dev/null | wc -c
FAQ
Item titles that include slashes break the op:// URI parser. Use the item ID with op item get and specify --vault instead of op:// paths.
How can I verify a secret exists without exposing it?
Pipe the revealed value to wc -c to check character count or use cmp -s on process substitutions to compare values; both avoid printing the secret.