1Password — Set up and use 1Password CLI (op)
1Password
Section titled “1Password”Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands.
Skill metadata
Section titled “Skill metadata”| Source | Optional — install with hermes skills install official/security/1password |
| Path | optional-skills/security/1password |
| Version | 1.0.0 |
| Author | arceus77-7, enhanced by Hermes Agent |
| License | MIT |
| Tags | security, secrets, 1password, op, cli |
Reference: full SKILL.md
Section titled “Reference: full SKILL.md”The following is the complete skill definition that Hermes loads when this skill is triggered. This is what the agent sees as instructions when the skill is active.
1Password CLI
Section titled “1Password CLI”Use this skill when the user wants secrets managed through 1Password instead of plaintext env vars or files.
Requirements
Section titled “Requirements”- 1Password account
- 1Password CLI (
op) installed - One of: desktop app integration, service account token (
OP_SERVICE_ACCOUNT_TOKEN), or Connect server tmuxavailable for stable authenticated sessions during Hermes terminal calls (desktop app flow only)
When to Use
Section titled “When to Use”- Install or configure 1Password CLI
- Sign in with
op signin - Read secret references like
op://Vault/Item/field - Inject secrets into config/templates using
op inject - Run commands with secret env vars via
op run
Authentication Methods
Section titled “Authentication Methods”Service Account (recommended for Hermes)
Section titled “Service Account (recommended for Hermes)”Set OP_SERVICE_ACCOUNT_TOKEN in ~/.hermes/.env (the skill will prompt for this on first load).
No desktop app needed. Supports op read, op inject, op run.
export OP_SERVICE_ACCOUNT_TOKEN="your-token-here"op whoami # verify — should show Type: SERVICE_ACCOUNTDesktop App Integration (interactive)
Section titled “Desktop App Integration (interactive)”- Enable in 1Password desktop app: Settings → Developer → Integrate with 1Password CLI
- Ensure app is unlocked
- Run
op signinand approve the biometric prompt
Connect Server (self-hosted)
Section titled “Connect Server (self-hosted)”export OP_CONNECT_HOST="http://localhost:8080"export OP_CONNECT_TOKEN="your-connect-token"- Install CLI:
# macOSbrew install 1password-cli
# Linux (official package/install docs)# See references/get-started.md for distro-specific links.
# Windows (winget)winget install AgileBits.1Password.CLI- Verify:
op --version- Choose an auth method above and configure it.
Hermes Execution Pattern (desktop app flow)
Section titled “Hermes Execution Pattern (desktop app flow)”Hermes terminal commands are non-interactive by default and can lose auth context between calls.
For reliable op use with desktop app integration, run sign-in and secret operations inside a dedicated tmux session.
Note: This is NOT needed when using OP_SERVICE_ACCOUNT_TOKEN — the token persists across terminal calls automatically.
SOCKET_DIR="${TMPDIR:-/tmp}/hermes-tmux-sockets"mkdir -p "$SOCKET_DIR"SOCKET="$SOCKET_DIR/hermes-op.sock"SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
# Sign in (approve in desktop app when prompted)tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "eval \"\$(op signin --account my.1password.com)\"" Enter
# Verify authtmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
# Example readtmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op read 'op://Private/Npmjs/one-time password?attribute=otp'" Enter
# Capture output when neededtmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
# Cleanuptmux -S "$SOCKET" kill-session -t "$SESSION"Common Operations
Section titled “Common Operations”Read a secret
Section titled “Read a secret”op read "op://app-prod/db/password"Get OTP
Section titled “Get OTP”op read "op://app-prod/npm/one-time password?attribute=otp"Inject into template
Section titled “Inject into template”echo "db_password: {{ op://app-prod/db/password }}" | op injectRun a command with secret env var
Section titled “Run a command with secret env var”export DB_PASSWORD="op://app-prod/db/password"op run -- sh -c '[ -n "$DB_PASSWORD" ] && echo "DB_PASSWORD is set" || echo "DB_PASSWORD missing"'Guardrails
Section titled “Guardrails”- Never print raw secrets back to user unless they explicitly request the value.
- Prefer
op run/op injectinstead of writing secrets into files. - If command fails with “account is not signed in”, run
op signinagain in the same tmux session. - If desktop app integration is unavailable (headless/CI), use service account token flow.
CI / Headless note
Section titled “CI / Headless note”For non-interactive use, authenticate with OP_SERVICE_ACCOUNT_TOKEN and avoid interactive op signin.
Service accounts require CLI v2.18.0+.
References
Section titled “References”references/get-started.mdreferences/cli-examples.md- https://developer.1password.com/docs/cli/
- https://developer.1password.com/docs/service-accounts/