🏠 ГлавнаяUser Guidesecurity 1password

{/ This page is auto-generated from the skill's SKILL.md by website/scripts/generate-skill-docs.py. Edit the source SKILL.md, not this page. /}

1Password

Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands.

Skill metadata
Source Optional — install with hermes skills install official/security/1password
Path optional-skills/security/1password
Version 1.0.0
Author arceus77-7, enhanced by Hermes Agent
License MIT
Tags security, secrets, 1password, op, cli

Reference: full SKILL.md

ℹ️ Info

The following is the complete skill definition that Hermes loads when this skill is triggered. This is what the agent sees as instructions when the skill is active.

1Password CLI

Use this skill when the user wants secrets managed through 1Password instead of plaintext env vars or files.

Requirements

When to Use

Authentication Methods

Set OP_SERVICE_ACCOUNT_TOKEN in ~/.hermes/.env (the skill will prompt for this on first load). No desktop app needed. Supports op read, op inject, op run.

export OP_SERVICE_ACCOUNT_TOKEN="your-token-here"
op whoami  # verify — should show Type: SERVICE_ACCOUNT

Desktop App Integration (interactive)

  1. Enable in 1Password desktop app: Settings → Developer → Integrate with 1Password CLI
  2. Ensure app is unlocked
  3. Run op signin and approve the biometric prompt

Connect Server (self-hosted)

export OP_CONNECT_HOST="http://localhost:8080"
export OP_CONNECT_TOKEN="your-connect-token"

Setup

  1. Install CLI:
# macOS
brew install 1password-cli

# Linux (official package/install docs)
# See references/get-started.md for distro-specific links.

# Windows (winget)
winget install AgileBits.1Password.CLI
  1. Verify:
op --version
  1. Choose an auth method above and configure it.

Hermes Execution Pattern (desktop app flow)

Hermes terminal commands are non-interactive by default and can lose auth context between calls. For reliable op use with desktop app integration, run sign-in and secret operations inside a dedicated tmux session.

Note: This is NOT needed when using OP_SERVICE_ACCOUNT_TOKEN — the token persists across terminal calls automatically.

SOCKET_DIR="${TMPDIR:-/tmp}/hermes-tmux-sockets"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/hermes-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"

tmux -S "$SOCKET" new -d -s "$SESSION" -n shell

# Sign in (approve in desktop app when prompted)
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "eval \"\$(op signin --account my.1password.com)\"" Enter

# Verify auth
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter

# Example read
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op read 'op://Private/Npmjs/one-time password?attribute=otp'" Enter

# Capture output when needed
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200

# Cleanup
tmux -S "$SOCKET" kill-session -t "$SESSION"

Common Operations

Read a secret

op read "op://app-prod/db/password"

Get OTP

op read "op://app-prod/npm/one-time password?attribute=otp"

Inject into template

echo "db_password: {{ op://app-prod/db/password }}" | op inject

Run a command with secret env var

export DB_PASSWORD="op://app-prod/db/password"
op run -- sh -c '[ -n "$DB_PASSWORD" ] && echo "DB_PASSWORD is set" || echo "DB_PASSWORD missing"'

Guardrails

CI / Headless note

For non-interactive use, authenticate with OP_SERVICE_ACCOUNT_TOKEN and avoid interactive op signin. Service accounts require CLI v2.18.0+.

References