Learn-skills.dev op-cli
Secure 1Password CLI patterns for reading secrets, discovering vaults/items, and piping credentials to other tools. Use when reading from 1Password, rotating secrets, or piping credentials to wrangler/kubectl/etc. Triggers on op CLI, 1Password, secret rotation, or credential piping tasks.
install
source · Clone the upstream repo
git clone https://github.com/NeverSight/learn-skills.dev
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/0xbigboss/claude-code/op-cli" ~/.claude/skills/neversight-learn-skills-dev-op-cli && rm -rf "$T"
manifest:
data/skills-md/0xbigboss/claude-code/op-cli/SKILL.mdsource content
1Password CLI (op
) — Secure Handling
opCore Rule: Never Print Secrets
NEVER use
opwc -c# WRONG — would print secret to stdout (do not run) # op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal # RIGHT — pipe directly to consumer op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | \ wrangler secret put SECRET_NAME --env ENV # RIGHT — verify a value exists without exposing it op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal 2>/dev/null | wc -c
Item Titles with Slashes
Many 1Password items use path-style titles (e.g.
pool-party/testnet-pool-party-public/credentialsop:///# BROKEN — too many '/' segments op read "op://pool-party-testnet/pool-party/testnet-pool-party-public/credentials/PASSWORD" # ERROR: too many '/': secret references should match op://<vault>/<item>[/<section>]/<field> # WORKS — use item ID instead (avoid printing values) op item get ITEM_ID --vault VAULT --fields label=FIELD --reveal 2>/dev/null | wc -c
Discovery Workflow
When you don't know the item ID:
# 1. List items in a vault to find the title and ID op item list --vault VAULT_NAME # 2. Use the ID (first column) for all subsequent reads op item get ITEM_ID --vault VAULT_NAME --fields label=FIELD_NAME --reveal 2>/dev/null | wc -c
Reading Multiple Fields from One Item
# Verify which fields exist (safe — shows labels not values) op item get ITEM_ID --vault VAULT_NAME --format json 2>/dev/null | \ python3 -c "import json,sys; [print(f['label']) for s in json.load(sys.stdin).get('fields',[]) for f in [s] if f.get('label')]" # Pipe each field to its destination op item get ITEM_ID --vault VAULT --fields label=USERNAME --reveal | consumer_cmd ... op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | consumer_cmd ...
Common Piping Patterns
Cloudflare Workers (wrangler)
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | \ npx wrangler secret put POOL_PARTY_PUBLIC_PASSWORD --env testnet
Environment Variable (subshell)
SECRET="$(op item get ITEM_ID --vault VAULT --fields label=TOKEN --reveal 2>/dev/null)" # Use $SECRET in subsequent commands within the same shell — it won't appear in output
kubectl
op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal | \ kubectl create secret generic my-secret --from-file=password=/dev/stdin
Verification Without Exposure
# Check a value is non-empty (char count) op item get ITEM_ID --vault VAULT --fields label=PASSWORD --reveal 2>/dev/null | wc -c # Compare two sources match (exit code only) if cmp -s <(op item get ID1 --vault V --fields label=F --reveal 2>/dev/null) \ <(op item get ID2 --vault V --fields label=F --reveal 2>/dev/null); then echo "match" else echo "differ" fi
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| Item title has slashes, | Use item ID with |
| Wrong vault or title mismatch | Run |
| Empty output | Missing | Add |
| Session expired | Run |