From 1password
Use the 1Password CLI (op) for vault items, secret references, op run, op inject, Environments, service accounts, and shell plugins. Use when the user needs to read/manage vault items, load secrets into scripts, wrap MCP configs with op run, authenticate third-party CLIs with biometrics, or when the 1Password MCP cannot do the job. Triggers on "op run", "op read", "secret reference", "op://", "1Password CLI", "load secrets from 1Password", "inject secrets", "shell plugin", or vault/item operations. Do NOT paste secrets into code — use secret references.
Slash command: /1password:1password-cli
| Task | Use |
|---|---|
| Manage Environments (create, mount .env, list var names) | MCP (1password-mcp skill) |
| Read vault items, secret references | CLI |
| op run / op inject in scripts | CLI |
| Wrap MCP server configs without plaintext tokens | CLI |
| Shell plugin auth (OpenAI CLI, Claude Code, etc.) | CLI |
| Service account automation | CLI |
```bash
op --version  # must be installed
op whoami     # must be signed in
```
Install: https://1password.com/downloads/command-line
Sign in with desktop app integration (biometrics):
```bash
op signin
```
For headless/CI, use a service account token:
```bash
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
```
Format: op://vault-name/item-name/[section/]field
```bash
# Resolve a secret at runtime (never commit the output)
op read "op://Work/GitHub/password"

# Run a command with secrets as env vars
op run --env-file=.env.tpl -- npm start

# Inject secrets into a config template
op inject -i config.tpl -o config.yml
```
```bash
op vault list
op item list --vault Private
op item get "GitHub" --fields label=username,label=password
op item get Netflix --format json | jq .id
```
```bash
op environment list
op environment variable list <environment-id>
```
Prefer MCP for Environment management when available.
```bash
op service-account create "my-ci-bot" --vault "CI Secrets:read_items"
```
Store token in CI secrets — never in source code.
Replace hardcoded tokens in mcp.json:
```json
{
  "mcpServers": {
    "github": {
      "command": "op",
      "args": [
        "run",
        "--environment",
        "<environmentID>",
        "--",
        "npx",
        "-y",
        "@modelcontextprotocol/server-github"
      ]
    }
  }
}
```
op run injects variables from the 1Password Environment into the child process. No env block with plaintext secrets needed.
Use full path to op if the MCP host can't find it on PATH:
```bash
which op  # e.g. /usr/local/bin/op or /opt/homebrew/bin/op
```
See /1password-inject command for guided setup.
Authenticate third-party CLIs with biometrics via the 1Password desktop app:
```bash
op plugin list
op plugin init openai
op plugin init claude
```
Supported plugins include AWS, GitHub, GitLab, OpenAI CLI, Claude Code CLI, Terraform, ngrok, and more.
Per-directory credential switching: https://www.1password.dev/cli/shell-plugins/environments
Details: references/shell-plugins.md
- Use secret references (op://...) in templates, not plaintext
- Commit .env.tpl (with references) to git; never commit .env with real values
- Use op ... --format json + jq for parsing

Full reference: references/commands.md and https://www.1password.dev/cli/reference
Quick structure: op [noun] [verb] [flags]
Key nouns: item, vault, read, run, inject, environment, plugin, service-account, signin, whoami
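A pre-commit style check for the .env.tpl rule above, added here as an example (it is not part of the 1Password CLI or this plugin). It assumes every value in the template must be a whole secret reference in the op://vault-name/item-name/[section/]field format unless its key is explicitly allowed to be a literal; the function name, the allow_literal parameter and the sample values are hypothetical.

```python
"""Audit a .env.tpl before committing: values must be op:// references."""
import re

# Page format: op://vault-name/item-name/[section/]field -> 3 or 4 segments.
# Assumption: a segment is any non-empty run of characters without "/" or "?".
REF_RE = re.compile(r"op://[^/?]+/[^/?]+/(?:[^/?]+/)?[^/?]+")


def audit_env_template(text, allow_literal=frozenset()):
    """Return [(line_no, key, problem)] for lines that are unsafe to commit."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no value
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key:
            findings.append((line_no, key, "not KEY=VALUE"))
            continue
        value = value.strip()
        # Drop one pair of matching surrounding quotes, if present.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if value.startswith("op://"):
            if not REF_RE.fullmatch(value):
                findings.append((line_no, key, "malformed secret reference"))
        elif key not in allow_literal:
            findings.append((line_no, key, "literal value, not a secret reference"))
    return findings


# Constructed sample template; vault, item and value names are made up.
SAMPLE = """\
# .env.tpl
GITHUB_TOKEN=op://Work/GitHub/password
DB_PASSWORD="op://CI Secrets/postgres/admin/password"
API_KEY=op://Work/Stripe
OPENAI_API_KEY=constructed-plaintext-value
PORT=3000
"""

if __name__ == "__main__":
    for line_no, key, problem in audit_env_template(SAMPLE, {"PORT"}):
        print(f".env.tpl:{line_no}: {key}: {problem}")
```

Anything outside the format shown on this page is reported as malformed, so treat a finding as a prompt to review the line rather than proof of a leaked secret.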
npx claudepluginhub awfixers-stuff/plugins --plugin 1password