/1password
Use when managing secrets, credentials, API keys, or vault operations. Supports Environments (Beta) for .env mounting. Covers 1password, secrets, op, vault, migrate, credentials. NOT for: non-secret config (use regular config files).
$ golems-cli skills install 1password
Updated 2 weeks ago
Secret management skill using 1Password CLI (op). Routes to workflows for specific operations.
Prerequisites Check
Run first:
```bash
op account list
```
If "not signed in" or error: See workflows/troubleshoot.md
PREFERRED: 1Password Environments (Beta)
For .env file management, use 1Password Environments instead of manual CLI migration.
Official Docs | Full Workflow
Key Insight: UI Creation, CLI Access
Environments are created in the 1Password desktop app UI - not via CLI. However, once created, CLI tools can still interact with secrets via op run and op inject.
```text
┌────────────────────────────────────────────────────────────────┐
│                     ENVIRONMENTS WORKFLOW                      │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  CREATION (UI Only)             ACCESS (Multiple Options)      │
│  ─────────────────              ─────────────────────────      │
│  1Password Desktop App  ───►    • Mounted .env (named pipe)    │
│   • Developer > Environments    • op run (env vars)            │
│   • NOT automatable             • op inject (config files)     │
│                                                                │
└────────────────────────────────────────────────────────────────┘
```
Why Environments?
- Secrets never on disk - Named pipe mount, not plaintext file
- Real-time sync - Changes in 1Password instantly available
- Team sharing - Grant access with granular permissions
- Multi-device - Same environment works across all your machines
Setup Flow (One-Time in Desktop App)
- Enable Developer features → Settings > Developer > Enable Developer Experience
- Create Environment → Developer > Environments > New Environment
- Import your .env → Click Import or manually add variables
- Set Mount Destination → Destinations tab > Local .env file > Choose path
- Authorize → Confirm when prompted
Environments vs CLI: When to Use Each
| Scenario | Use Environments | Use CLI (op run/op inject) |
|---|---|---|
| Local development | ✅ Best choice | Works but more setup |
| CI/CD pipelines | ❌ Can't automate creation | ✅ Service accounts |
| Team secrets | ✅ Built-in sharing | Manual sync needed |
| One-time scripts | Overkill | ✅ Quick and easy |
| Template configs | N/A | ✅ op inject with .tpl |
Mounted .env vs op inject
Mounted .env (Environments):
```bash
# App reads .env.local directly (named pipe, no real file)
npm run dev
# Variables available automatically via dotenv
```
op inject (CLI):
```bash
# Template file with secret references (.env.template)
DATABASE_URL=op://prod/db/url
API_KEY=op://prod/api/key
# Inject at runtime
op inject -i .env.template -o .env && npm run build
# Remember to delete .env after!
```
op run (CLI):
```bash
# Pass secrets as environment variables
op run --env-file .env.template -- npm run build
# No temp file created, secrets in process env only
```
Working Example: songscript
The songscript project uses Environments with 9 variables mounted to .env.local:
- Environment contains: CONVEX_DEPLOY_KEY, ANTHROPIC_API_KEY, etc.
- Destination: .env.local (named pipe, not actual file)
- Works seamlessly with bun dev, npm run dev, etc.
Centralized MCP Secrets (Recommended for Agents)
Problem: Each MCP with op:// refs triggers separate auth prompts.
Solution: Centralize all secrets in one file, launch with op run.
```text
~/.config/mcp-secrets/
├── secrets.env          # All op:// refs (one auth loads all)
└── secrets.env.example  # Template (safe to share)
```
Wrapper scripts:
```bash
cursor-secure   # op run --env-file secrets.env -- cursor
claude-secure   # op run --env-file secrets.env -- claude
with-secrets    # op run --env-file secrets.env -- <any command>
```
MCP configs use empty env:
```jsonc
{ "env": {} } // Inherits from parent process
```
Example: Golems Configuration
The golems ecosystem uses Environments for sensitive settings:
- Create Environment in 1Password: golems
- Add variables: NTFY_TOPIC, ANTHROPIC_API_KEY, LINEAR_API_KEY
- Mount to: ~/.config/golems/.env
- Usage: Scripts source the mounted file or use op run
```bash
# Option 1: Source mounted .env
source ~/.config/golems/.env
# Option 2: Use op run with template
op run --env-file ~/.config/golems/.env.template -- bun run start
```
Important Limitations (Beta)
| Limitation | Details |
|---|---|
| UI-only creation | Cannot create/edit environments via CLI |
| Platform support | Mac and Linux only (no Windows) |
| Max mounts | 10 enabled .env files per device |
| Concurrent reads | May have conflicts with multiple processes |
| Edits in UI only | Changes to mounted file are lost - edit in 1Password UI |
| Beta status | Feature may change |
When to Use CLI Instead
Use op run or op inject (workflows/migrate-env.md) when:
- CI/CD pipelines - Need Service Accounts for automated access
- Scripted operations - Creating items programmatically
- Template configs - .yml.tpl or .json.tpl files with secret refs
- Windows - Environments not available on Windows
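The with-secrets wrapper from the Centralized MCP Secrets section above, written out as an added example (it is not one of the skill's own scripts). It assumes the ~/.config/mcp-secrets/secrets.env layout from that section; the SECRETS_ENV override variable, the bad_keys/check_refs_only helper names and the return codes are assumptions of this example. Before launching anything it refuses to start if any entry in secrets.env is a literal value rather than an op:// reference, printing only the offending key names, and it runs the skill's op account list prerequisite check before handing off to op run.

```shell
#!/bin/sh
# with-secrets: launch any command with centralized 1Password secrets.
# Added example, not one of the skill's own scripts. Assumes the
# ~/.config/mcp-secrets/secrets.env layout from the skill; SECRETS_ENV is an
# override variable introduced here.

# Print the names (never the values) of entries whose value is not an
# op:// reference. A secrets.env that passes this check holds no plaintext
# secrets, which is what keeps it safe to keep beside secrets.env.example.
bad_keys() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" \
    | grep -Ev '^(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*=["'"'"']?op://' \
    | cut -d= -f1
}

# Return 0 when every entry is a reference, 1 (with the offending key names
# on stderr) otherwise.
check_refs_only() {
  bad=$(bad_keys "$1")
  if [ -n "$bad" ]; then
    printf 'with-secrets: refusing to start, plaintext values found for: %s\n' \
      "$(echo "$bad" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Prerequisite check from the skill: op must be signed in, otherwise point
# at workflows/troubleshoot.md instead of letting op run fail mid-launch.
op_signed_in() {
  op account list >/dev/null 2>&1
}

with_secrets() {
  env_file=${SECRETS_ENV:-$HOME/.config/mcp-secrets/secrets.env}
  [ -r "$env_file" ] || { echo "with-secrets: cannot read $env_file" >&2; return 2; }
  check_refs_only "$env_file" || return 1
  op_signed_in || { echo "with-secrets: op is not signed in (see workflows/troubleshoot.md)" >&2; return 3; }
  # op resolves the references and exposes them only in the child's environment.
  exec op run --env-file "$env_file" -- "$@"
}

# cursor-secure and claude-secure are just `with-secrets cursor` and
# `with-secrets claude`. Entry point: with no arguments (e.g. when the file
# is sourced for tests) nothing runs.
if [ $# -gt 0 ]; then
  with_secrets "$@"
fi
```

Save it as with-secrets on your PATH and run `with-secrets cursor`; because the guard prints key names only, a failed check can be pasted into a ticket without leaking the value that slipped in.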
Quick Actions
| What you want to do | Workflow |
|---|---|
| Use 1Password Environments | workflows/use-environment.md |
| List secrets in vault | workflows/list-secrets.md |
| Add a new secret | workflows/add-secret.md |
| Migrate .env to 1Password | workflows/migrate-env.md |
| Migrate MCP config secrets | workflows/migrate-mcp.md |
| Fix auth/biometric issues | workflows/troubleshoot.md |
Full SKILL.md source (additional sections): includes the LLM directives, anti-patterns, and technical instructions stripped from the Overview tab.
Available Scripts
Execute directly - they handle errors and edge cases:
| Script | Purpose | Usage |
|---|---|---|
| scripts/migrate-env.sh | Migrate .env with project/service nesting | bash ~/.claude/commands/1password/scripts/migrate-env.sh .env [--dry-run] |
| scripts/scan-mcp-secrets.sh | Find API keys in MCP configs | bash ~/.claude/commands/1password/scripts/scan-mcp-secrets.sh |
Decision Tree
Setting up secrets for a project?
- PREFERRED: Use Environments (desktop app UI)
- Use: workflows/use-environment.md
Need to find a secret?
- Search by name, tag, or vault
- Use: workflows/list-secrets.md
Adding credentials for a service?
- Create new item with password/API key
- Use: workflows/add-secret.md
Have a .env file to secure?
- For local dev: Use Environments (UI-based)
- For CI/CD: Use workflows/migrate-env.md or scripts/migrate-env.sh
MCP configs have hardcoded keys?
- Scan and migrate to 1Password references
- Use: workflows/migrate-mcp.md
Biometric timeout or auth problems?
- Token refresh, re-auth, session issues
- Use: workflows/troubleshoot.md
Service Auto-Detection
When migrating secrets, keys are auto-categorized:
| Key prefix | Service folder |
|---|---|
| ANTHROPIC_* | anthropic/ |
| OPENAI_* | openai/ |
| SUPABASE_* | supabase/ |
| DATABASE_*, DB_* | db/ |
| STRIPE_* | stripe/ |
| AWS_* | aws/ |
| GITHUB_* | github/ |
| Other | misc/ |
Item path format: {project}/{service}/{key}
Vault Organization
Vault Types
| Vault | Purpose | Example Items |
|---|---|---|
| development | Global dev tools | context7, github CLI tokens |
| Private | Personal secrets | SSH keys, personal accounts |
| {project} | Project-specific | linear API key, deploy keys |
| Shared | Team secrets | Shared service accounts |
Creating Vaults
```bash
# Create project vault
op vault create "myproject" --description "MyProject secrets" --icon buildings
# Create tools vault
op vault create "development" --description "Global dev tools" --icon gears
```
Where to Put Secrets
Global dev tools → development vault:
- context7, MCP tools, IDE plugins
- Used across all projects
Project-specific → {project} vault:
- Linear API keys (per workspace)
- Deploy keys, CI/CD tokens
- Database credentials
Personal → Private vault:
- SSH keys, personal tokens
- Accounts only you use
Tagging Strategy
Use tags for cross-vault searching and organization:
```bash
# Add tags when creating
op item create --vault development --category "API Credential" \
  --title "context7" 'API_KEY[password]=xxx' \
  --tags "dev-tools,mcp,documentation"
# Search by tag across all vaults
op item list --tags "mcp"
op item list --tags "dev-tools"
```
Recommended tags:
| Tag | Use for |
|---|---|
| dev-tools | Development utilities |
| mcp | MCP server credentials |
| ci-cd | CI/CD pipeline secrets |
| api-key | Third-party API keys |
| deploy | Deployment credentials |
| {project} | Project name for filtering |
Reference Format
```text
# Vault/Item/Field
op://development/context7/API_KEY
op://myproject/linear/API_KEY
op://Private/github/token
```
Safety Rules
- Never log secret values - Only show masked versions
- Dry-run first - Use --dry-run before actual migration
- Don't delete .env files - Migration creates .env.template alongside
- Verify vault access - Run op vault list before operations
- Backup before bulk changes - Export vault if doing large migrations
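To show how the Service Auto-Detection table, the {project}/{service}/{key} item path, the reference format and the Safety Rules fit together, here is an added dry-run migration planner. It is example code written for this page, not the skill's scripts/migrate-env.sh, and it reads the item path as vault = project, item = service, field = key, so each template entry becomes op://{project}/{service}/{key} (that mapping, the function names, and the --dry-run flag's behaviour are assumptions of this example). It writes .env.template beside the original, never deletes the .env, prints only masked values, and in dry-run mode shows the op item commands it would run instead of running them.

```shell
#!/bin/sh
# Added example (not the skill's scripts/migrate-env.sh): dry-run planner for
# moving a .env into 1Password using the skill's prefix table and the
# {project}/{service}/{key} item path. Assumption: vault = project,
# item = service, field = key, so a reference is op://{project}/{service}/{key}.

# Map a key to its service folder using the skill's auto-detection table.
service_for_key() {
  case "$1" in
    ANTHROPIC_*)     echo anthropic ;;
    OPENAI_*)        echo openai ;;
    SUPABASE_*)      echo supabase ;;
    DATABASE_*|DB_*) echo db ;;
    STRIPE_*)        echo stripe ;;
    AWS_*)           echo aws ;;
    GITHUB_*)        echo github ;;
    *)               echo misc ;;
  esac
}

# Safety rule "never log secret values": show at most the first 4 characters,
# and nothing at all for short values.
mask_value() {
  if [ "${#1}" -lt 8 ]; then
    echo '****'
  else
    printf '%.4s****\n' "$1"
  fi
}

# Print KEY<TAB>VALUE for each assignment in a .env file. Comments and blank
# lines are skipped; an "export " prefix and one layer of quotes are removed.
env_entries() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *=*) ;; *) continue ;; esac
    key=${line%%=*}; val=${line#*=}
    key=${key#export }
    case "$val" in
      \"*\") val=${val#\"}; val=${val%\"} ;;
      \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    printf '%s\t%s\n' "$key" "$val"
  done < "$1"
}

# plan_migration <envfile> <project> [--dry-run]
# Always writes <envfile>.template beside the original (it holds references
# only, so it is safe to write even in a dry run) and never deletes the .env.
plan_migration() {
  env_file=$1; project=$2; mode=${3:-}
  template="${env_file}.template"
  : > "$template"
  seen=" "
  env_entries "$env_file" | while IFS="$(printf '\t')" read -r key val; do
    service=$(service_for_key "$key")
    masked=$(mask_value "$val")
    echo "$key=op://$project/$service/$key" >> "$template"
    # The first key for a service creates the item; later keys are added to it.
    case "$seen" in *" $service "*) new=0 ;; *) new=1 ;; esac
    seen="$seen$service "
    if [ "$new" = 1 ]; then
      cmd="op item create --vault $project --category 'API Credential' --title $service $key[password]=$masked --tags $project,$service,api-key"
    else
      cmd="op item edit $service --vault $project $key[password]=$masked"
    fi
    printf '%-20s -> %-32s value: %s\n' "$key" "$project/$service/$key" "$masked"
    if [ "$mode" = "--dry-run" ]; then
      echo "   would run: $cmd"
    elif [ "$new" = 1 ]; then
      op item create --vault "$project" --category "API Credential" --title "$service" \
        "$key[password]=$val" --tags "$project,$service,api-key"
    else
      op item edit "$service" --vault "$project" "$key[password]=$val"
    fi
  done
}

# Entry point: with fewer than two arguments (e.g. when sourced for tests)
# nothing runs.
if [ $# -ge 2 ]; then
  plan_migration "$@"
fi
```

Run `sh plan.sh .env myproject --dry-run` first, review the plan and the generated .env.template, then repeat without --dry-run once `op vault list` confirms access to the target vault.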
Best Pass Rate: 90% (Opus 4.6)
Assertions: 10 (3 models tested)
Avg Cost / Run: $0.2242 (across models)
Fastest (p50): 1.4s (Haiku 4.5)
Behavior Evals
Phase 2 baseline: skill quality on Claude
Behavior Baseline
| Assertion | Opus 4.6 | Sonnet 4.6 | Haiku 4.5 | Consensus |
|---|---|---|---|---|
| uses-op-cli-for-secrets | 3/3 | |||
| targets-correct-vault | 1/3 | |||
| provides-value-directly | 1/3 | |||
| uses-dry-run-first | 2/3 | |||
| creates-env-template | 3/3 | |||
| does-not-delete-original-env | 2/3 | |||
| auto-categorizes-by-prefix | 2/3 | |||
| recommends-environments-for-local-dev | 2/3 | |||
| notes-ui-only-creation | 2/3 | |||
| explains-named-pipe-benefit | 3/3 | | | |
Token Usage
Cost per Run
| Model | Input Tokens | Output Tokens | Cost / Run | Cost / 1K Runs |
|---|---|---|---|---|
| Opus 4.6 | 9,696 | 6,424 | $0.6272 | $627.20 |
| Sonnet 4.6 | 2,795 | 2,288 | $0.0427 | $42.70 |
| Haiku 4.5 | 2,367 | 1,612 | $0.0026 | $2.60 |
Response Time
| Model | p50 | p95 | Overhead |
|---|---|---|---|
| Opus 4.6 | 9.3s | 15.1s | +62% |
| Sonnet 4.6 | 2.0s | 3.1s | +54% |
| Haiku 4.5 | 1.4s | 2.1s | +51% |
Last evaluated: 2026-03-12 · Data is generated from skill assertions (real cross-model benchmarks coming soon)
Changelog entries are derived from eval runs and skill version updates. Full cascading changelog (Phase 4D) coming soon.
Evals Run: 3
- Initial release to Golems skill library
- 10 assertions across 3 eval scenarios
- 6 workflows included: list-secrets, migrate-env, troubleshoot, use-environment, migrate-mcp, add-secret