| name | description | version | author | license | metadata |
|---|---|---|---|---|---|
| 1password | Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands. | 1.0.0 | Hermes Agent | MIT | |

1Password CLI
Use this skill when the user wants secrets managed through 1Password instead of plaintext env vars or files.
Requirements
- 1Password account
- 1Password desktop app installed and unlocked
- 1Password CLI (`op`) installed
- `tmux` available for stable authenticated sessions during Hermes terminal calls
When to Use
- Install or configure 1Password CLI
- Sign in with `op signin`
- Read secret references like `op://Vault/Item/field`
- Inject secrets into config/templates using `op inject`
- Run commands with secret env vars via `op run`
Setup
- Install CLI:

```bash
# macOS
brew install 1password-cli
# Linux (official package/install docs)
# See references/get-started.md for distro-specific links.
# Windows (winget)
winget install AgileBits.1Password.CLI
```

- Verify:

```bash
op --version
```

- Enable app integration in 1Password desktop app:
  - macOS: Settings -> Developer -> Integrate with 1Password CLI
  - Linux/Windows: Settings -> Developer -> Integrate with 1Password CLI
- Ensure app is unlocked.
Hermes Execution Pattern (important)
Hermes terminal commands are non-interactive by default and can lose auth context between calls.
For reliable op use, run sign-in and secret operations inside a dedicated tmux session.
```bash
SOCKET_DIR="${TMPDIR:-/tmp}/hermes-tmux-sockets"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/hermes-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
# Sign in (approve in desktop app when prompted)
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "eval \"\$(op signin --account my.1password.com)\"" Enter
# Verify auth
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
# Example read
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op read 'op://Private/Npmjs/one-time password?attribute=otp'" Enter
# Capture output when needed
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
# Cleanup
tmux -S "$SOCKET" kill-session -t "$SESSION"
```
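
The socket path in the pattern above falls back to the shared `/tmp`, so the directory should be a 0700 directory owned by the calling user before an authenticated session's socket is placed in it. The following is an added example (not part of the original skill) that enforces this; `private_socket_dir` and `start_op_session` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example, not part of the original skill. private_socket_dir and
# start_op_session are hypothetical helper names.

# Create or validate a tmux socket directory that only the current user can
# enter. Prints the path on success; returns non-zero otherwise.
private_socket_dir() {
  local dir="$1"
  # umask 077 in a subshell: a newly created directory gets mode 0700.
  ( umask 077 && mkdir -p -- "$dir" ) || return 1
  # find -maxdepth 0 tests only the path itself and does not follow symlinks,
  # so a symlink, a foreign owner, or any mode other than 0700 is rejected.
  if [ -z "$(find "$dir" -maxdepth 0 -type d -user "$(id -u)" -perm 700 2>/dev/null)" ]; then
    echo "refusing $dir: need a 0700 directory owned by uid $(id -u)" >&2
    return 1
  fi
  printf '%s\n' "$dir"
}

# Start the detached session from the pattern above on a validated socket.
# Requires tmux; prints the socket path and session name for later calls.
start_op_session() {
  local dir socket session
  dir="$(private_socket_dir "${TMPDIR:-/tmp}/hermes-tmux-sockets")" || return 1
  socket="$dir/hermes-op.sock"
  session="op-auth-$(date +%Y%m%d-%H%M%S)"
  tmux -S "$socket" new -d -s "$session" -n shell || return 1
  printf '%s %s\n' "$socket" "$session"
}
```

An existing directory with looser permissions is refused rather than silently re-permissioned, so the operator decides whether to remove it or pick another path.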
Common Operations
Read a secret
```bash
op read "op://app-prod/db/password"
```

Get OTP

```bash
op read "op://app-prod/npm/one-time password?attribute=otp"
```

Inject into template

```bash
echo "db_password: {{ op://app-prod/db/password }}" | op inject
```

Run a command with secret env var

```bash
export OPENAI_API_KEY="op://.../api key"
op run -- sh -c '[ -n "$OPENAI_API_KEY" ] && echo "OPENAI_API_KEY is set" || echo "OPENAI_API_KEY missing"'
```
Guardrails
- Never print raw secrets back to user unless they explicitly request the value.
- Prefer `op run` / `op inject` instead of writing secrets into files.
- If command fails with "account is not signed in", run `op signin` again in the same tmux session.
- If desktop app integration is unavailable (headless/CI), use service account token flow.
CI / Headless note
For non-interactive use, authenticate with OP_SERVICE_ACCOUNT_TOKEN and avoid interactive op signin.
References
- references/get-started.md
- references/cli-examples.md
- https://developer.1password.com/docs/cli/