From 1password
Manage 1Password Developer Environments via the bundled local MCP server. Use proactively whenever the user needs project secrets, .env files, API keys, environment variables, or secure credential management — without exposing secret values to the agent. Triggers on "1Password Environment", "create .env from 1Password", "mount secrets", "list environment variables", "add API key to 1Password", "secure my env", or any secrets/env work where 1Password is available. Prefer this MCP over asking the user to paste secrets. Do NOT use for unrelated vault password lookups (use 1password-cli instead).
How this skill is triggered — by the user, by Claude, or both
Slash command
/1password:1password-mcpThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
The official 1Password MCP server **never returns secret values** to the agent. It manages Environments, variable names, and `.env` mounts. Secrets stay in 1Password and are injected at runtime into authorized processes only.
The official 1Password MCP server never returns secret values to the agent. It manages Environments, variable names, and .env mounts. Secrets stay in 1Password and are injected at runtime into authorized processes only.
Never:
.env file to verify it — use list_local_env_files insteadWhen this plugin is installed, prefer the bundled 1password MCP tools over CLI for Environments work. The CLI skill is the fallback for vault items, op run, and operations MCP cannot do.
Run ${CLAUDE_PLUGIN_ROOT}/scripts/status.sh if connection fails. Requires:
The user must approve each MCP action in the 1Password desktop app.
| Tool | Purpose |
|---|---|
authenticate | Get accountId — call first every turn unless you already have it |
list_environments | List Developer Environments (names + IDs) |
create_environment | Create a new Environment |
rename_environment | Rename an Environment |
list_variables | List variable names only (no values) |
append_variables | Add or update variables (user provides values via 1Password UI) |
create_local_env_file | Mount Environment as local .env (macOS/Linux) |
list_local_env_files | List existing .env mounts for an Environment |
Parameter naming: Responses may use account_id / environment_id; tool calls use camelCase: accountId, environmentId.
For detailed flows, see references/mcp-tools.md.
authenticate → store accountIdlist_environments with accountIdenvironmentId.envlist_local_env_files to check for existing mount{workspace_root}/.envcreate_local_env_file with accountId, environmentId, environmentName, mountPathlist_variables first to see existing namesappend_variables — use concealed: true for secrets, false for URLs/flagsauthenticate → create_environment with project name.env and add common variable placeholders (API_KEY, DATABASE_URL, etc.)op item get, secret references op://...)op run --environment| Failure | Action |
|---|---|
| MCP server unavailable | Direct user to enable Labs MCP + Developer integration; run /1password-setup |
| CLI not signed in | Run /1password-login — user runs op signin and approves in desktop app |
| Auth denied | User must unlock 1Password and approve the prompt; retry /1password-login |
create_local_env_file fails | Confirm platform support; check absolute path |
| Tool schema differs | Use the schema exposed in the current MCP session exactly |
npx claudepluginhub awfixers-stuff/plugins --plugin 1passwordSets up isolated workspaces using native worktree tools or git worktree fallback. Use before starting feature work to protect the current branch.