Install: claude install-skill HybridAIOne/hybridclaw
# 1Password CLI
Use this skill for host-side secret workflows with 1Password CLI.
## Default Workflow
1. Check whether `op` is installed:
```bash
op --version
```
2. If it is missing, tell the user to run:
```bash
hybridclaw skill install 1password op
```
or install it manually.
3. Verify sign-in state:
```bash
op whoami
op vault list
```
4. Confirm the exact vault and item before reading any secret.
5. Prefer secret injection over copying values into files or chat.
## Safe Read Patterns
List items:
```bash
op item list --vault "Engineering"
```
Inspect an item without dumping every field:
```bash
op item get "Prod API" --vault "Engineering"
```
Read one field only:
```bash
op item get "Prod API" --vault "Engineering" --fields label=password
```
Read by secret reference:
```bash
op read "op://Engineering/Prod API/password"
```
## Safe Injection Patterns
Run a command with secrets injected:
```bash
op run --env-file=.env.1password -- your-command
```
Inject a template into a throwaway runtime file:
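```bash
# mktemp creates the file with a unique name; chmod keeps it owner-only.
RUNTIME_ENV="$(mktemp /tmp/runtime.env.XXXXXX)"
chmod 600 "$RUNTIME_ENV"
# Remove the rendered secrets on exit or interruption.
trap 'rm -f "$RUNTIME_ENV"' EXIT INT TERM
# --force: do not prompt for confirmation (the output file already exists from mktemp).
op inject --force -i .env.template -o "$RUNTIME_ENV"
```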
Prefer `/tmp` or an untracked runtime path. Do not inject into tracked files unless the user explicitly asks. If you are done before the shell exits, run `rm -f "$RUNTIME_ENV"` and `trap - EXIT INT TERM`.
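A pre-flight check for the env file passed to `op run --env-file` or the template given to `op inject`, as an added example that is not part of the skill itself. It assumes a policy that every value must be an `op://vault/item/[section/]field` reference; the function name `check_env_refs` and the sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: lint an env file so it holds only op:// references, never literals.
# Assumed policy: every KEY=VALUE line carries an op://vault/item/[section/]field value.

# check_env_refs FILE
# Prints "LINE:KEY" for each offending entry (never the value itself).
# Returns 0 if clean, 1 if any literal or malformed entry is found, 2 if unreadable.
check_env_refs() {
  local file="$1" line key value q n=0 bad=0
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
    case "$line" in
      ''|'#'*) continue ;;                    # blank line or comment
    esac
    line="${line#export }"
    case "$line" in
      *=*) ;;
      *) echo "$n:(not KEY=VALUE)"; bad=1; continue ;;
    esac
    key="${line%%=*}"
    value="${line#*=}"
    # Strip one pair of matching surrounding quotes, if present.
    for q in '"' "'"; do
      case "$value" in
        "$q"*"$q") value="${value#"$q"}"; value="${value%"$q"}" ;;
      esac
    done
    # A usable reference names at least vault, item and field.
    case "$value" in
      op://?*/?*/?*) ;;
      *) echo "$n:$key"; bad=1 ;;
    esac
  done < "$file"
  return "$bad"
}

# Constructed sample: line 2 holds a literal value and is reported as "2:DB_PASS".
sample="$(mktemp)"
printf '%s\n' 'API_KEY=op://Engineering/Prod API/password' \
              'DB_PASS=literal-constructed' > "$sample"
check_env_refs "$sample" || echo "literal values found; fix before running op" >&2
rm -f "$sample"
```

Run it as `check_env_refs .env.1password` before `op run`; because it reports only line numbers and key names, its output is safe to show in chat or CI logs.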
## Rules
- Never paste a secret value into chat unless th