aussiegingersnap/secrets-1password
skills/secrets-1password/SKILL.md
1Password Developer CLI skill for secure secrets management. This skill should be used when creating, reading, updating, or deleting secrets in 1Password vaults, injecting secrets into script execution, or setting up 1Password CLI authentication.
$ install --global
skillsauthnpx skillsauth add aussiegingersnap/cursor-skills secrets-1passwordInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 10:46 AM28.8s9 files scanned
SKILL.md
- name:
- secrets-1password
- description:
- 1Password Developer CLI skill for secure secrets management. This skill should be used when creating, reading, updating, or deleting secrets in 1Password vaults, injecting secrets into script execution, or setting up 1Password CLI authentication.
1Password Developer CLI Skill
This skill provides workflows and helper scripts for managing secrets through the 1Password Developer CLI (op).
Quick Start Onboarding
Step 1: Install 1Password CLI
macOS (Homebrew):
brew install --cask 1password-cli
macOS (Direct Download):
curl -sS https://downloads.1password.com/mac/op-arm64/pkg/op_darwin_arm64_v2.30.0.pkg -o op.pkg
sudo installer -pkg op.pkg -target /
rm op.pkg
Linux:
curl -sS https://downloads.1password.com/linux/op-arm64-v2.30.0.zip -o op.zip
unzip -d op op.zip
sudo mv op/op /usr/local/bin/
rm -rf op op.zip
Verify installation:
op --version
Step 2: Authenticate
Interactive Login (Personal/Team Account):
op account add
op signin
Service Account (Automation):
export OP_SERVICE_ACCOUNT_TOKEN="your-service-account-token"
To create a service account:
- Go to 1Password.com → Settings → Developer → Service Accounts
- Create new service account with appropriate vault access
- Save the token securely
Verify authentication:
op account list
Step 3: Verify Setup
Run the check script to confirm everything is working:
python3 scripts/op_check.py
Expected output:
✅ 1Password CLI installed: v2.30.0
✅ Authenticated as: [email protected]
✅ Vaults accessible: 3
Core Operations
List Vaults and Items
# List all accessible vaults
python3 scripts/op_list.py --vaults
# List items in a vault
python3 scripts/op_list.py --items --vault "Development"
# List items with category filter
python3 scripts/op_list.py --items --vault "Development" --category login
Create Secrets
# Create a password/credential
python3 scripts/op_create.py \
--vault "Development" \
--title "API Key - OpenAI" \
--category password \
--password "sk-abc123..."
# Create a login with username/password
python3 scripts/op_create.py \
--vault "Development" \
--title "GitHub Account" \
--category login \
--username "myuser" \
--password "mypassword" \
--url "https://github.com"
# Create with custom fields
python3 scripts/op_create.py \
--vault "Development" \
--title "Database Credentials" \
--category password \
--field "host=db.example.com" \
--field "port=5432" \
--field "database=production"
Read Secrets
# Get full item as JSON
python3 scripts/op_read.py --vault "Development" --item "API Key - OpenAI"
# Get specific field value only
python3 scripts/op_read.py --vault "Development" --item "API Key - OpenAI" --field password
# Get item by ID
python3 scripts/op_read.py --id "abc123xyz"
Update Secrets
# Update password field
python3 scripts/op_update.py \
--vault "Development" \
--item "API Key - OpenAI" \
--password "sk-new-key..."
# Update custom field
python3 scripts/op_update.py \
--vault "Development" \
--item "Database Credentials" \
--field "host=new-db.example.com"
# Add new field to existing item
python3 scripts/op_update.py \
--vault "Development" \
--item "Database Credentials" \
--field "replica_host=replica.example.com"
Delete Secrets
# Delete item (moves to trash)
python3 scripts/op_delete.py --vault "Development" --item "Old API Key"
# Delete permanently (requires --force)
python3 scripts/op_delete.py --vault "Development" --item "Old API Key" --force
# Delete by ID
python3 scripts/op_delete.py --id "abc123xyz"
Run Commands with Injected Secrets
The most powerful feature: inject secrets into any command without exposing them in plaintext.
# Run command with secrets from .env template
python3 scripts/op_run.py --env-file .env.tpl -- npm start
# Run with inline secret reference
python3 scripts/op_run.py \
--secret "API_KEY=op://Development/OpenAI/password" \
-- curl -H "Authorization: Bearer \$API_KEY" https://api.example.com
# Multiple secrets
python3 scripts/op_run.py \
--secret "DB_HOST=op://Development/Database/host" \
--secret "DB_PASS=op://Development/Database/password" \
-- python migrate.py
.env.tpl template format:
DATABASE_URL=op://Development/Database/url
API_KEY=op://Development/OpenAI/password
SECRET_KEY=op://Development/App/secret
Secret Reference Syntax
1Password uses URI-style references to identify secrets:
op://vault-name/item-name/field-name
Examples:
op://Development/OpenAI API Key/password
op://Production/Database/username
op://Shared/AWS/access-key-id
op://Personal/GitHub Token/credential
Field names for common categories:
| Category | Common Fields |
|----------|---------------|
| Login | username, password, url |
| Password | password |
| API Credential | credential, username |
| Database | username, password, hostname, port, database |
| SSH Key | private_key, public_key |
Security Best Practices
- Never log secrets - Scripts output metadata only, never secret values directly
- Use service accounts - For CI/CD and automation, create dedicated service accounts with minimal vault access
- Prefer
op run- Inject secrets at runtime rather than exporting to environment - Rotate regularly - Use 1Password's built-in rotation features for credentials
- Audit access - Review service account usage in 1Password admin console
Item Categories
| Category | Use Case |
|----------|----------|
| login | Website/service credentials with username, password, URL |
| password | Simple password or API key |
| secure-note | Text notes, configuration snippets |
| credit-card | Payment cards |
| identity | Personal information |
| document | File attachments |
| database | Database connection credentials |
| api-credential | API keys and tokens |
| ssh-key | SSH key pairs |
Troubleshooting
"not signed in"
# Re-authenticate
op signin
# Or check service account token
echo $OP_SERVICE_ACCOUNT_TOKEN
"vault not found"
# List available vaults
op vault list
# Check vault name (case-sensitive)
op vault get "Vault Name"
"item not found"
# Search for item
op item list --vault "Vault" | grep -i "search term"
# List all items in vault
op item list --vault "Vault"
Permission denied
Service accounts need explicit vault access:
- Go to 1Password.com → Settings → Developer → Service Accounts
- Edit the service account
- Add vault access with appropriate permissions (read/write)
Script Reference
All scripts are in the scripts/ directory and output JSON by default.
| Script | Purpose |
|--------|---------|
| op_check.py | Verify CLI installation and authentication |
| op_list.py | List vaults and items |
| op_create.py | Create new secrets |
| op_read.py | Read/retrieve secrets |
| op_update.py | Update existing secrets |
| op_delete.py | Delete items |
| op_run.py | Execute commands with injected secrets |
For detailed CLI command syntax, see references/cli_reference.md.
Related Skills
aussiegingersnap/skills/versioning
tools
VerifiedTrustedCommunity
# Versioning Skill Semantic versioning automation based on conventional commits. Automatically manages version bumps, changelogs, and git tags using `standard-version`. ## When to Use - Before releasing a new version - When preparing a deployment - To generate/update CHANGELOG.md - When the user asks about version management - Setting up versioning for a new project ## Prerequisites - Conventional commits enforced (recommended: lefthook) - Node.js project with package.json ## Setup (One-Ti
3SKILL.mdUpdated Apr 3, 2026
aussiegingersnap/ui-themes
tools
VerifiedTrustedCommunity
Theme generation with tweakcn for shadcn/ui and Magic UI animations. Use when setting up project themes, customizing color schemes, adding dark mode, or integrating animated components.
3SKILL.mdUpdated Apr 3, 2026
aussiegingersnap/ui-shadcn-studio
tools
VerifiedTrustedCommunity
shadcn/studio component library with MCP integration, theme generation, and block patterns. This skill should be used when building UI with shadcn components, selecting dashboard layouts, or generating landing pages. Canonical source for all shadcn-based work.
3SKILL.mdUpdated Apr 3, 2026
aussiegingersnap/ui-principles
development
VerifiedTrustedCommunity
Enforce a precise, minimal design system inspired by Linear, Notion, and Stripe. Use this skill when building dashboards, admin interfaces, or any UI that needs Jony Ive-level precision - clean, modern, minimalist with taste. Every pixel matters.
3SKILL.mdUpdated Apr 3, 2026