Timmy_Foundation/hermes-agent
15
0
Fork 0
Code Issues 279 Pull Requests 76 Actions 1 Packages Projects Releases Wiki Activity
Files
70e24d77a17be3e4e1e86e5f0a4eae8889c580a4
hermes-agent/optional-skills/security/1password/SKILL.md
teknium1 938edc6466 fix(skills): use generic example in 1password op run snippet 
Replace OPENAI_API_KEY with DB_PASSWORD to avoid implying the
skill is OpenAI-related.
2026-03-13 08:56:06 -07:00

4.5 KiB
Raw Blame History

name, description, version, author, license, metadata, setup
name description version author license metadata setup
1password Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands. 1.0.0 arceus77-7, enhanced by Hermes Agent MIT
hermes
tags category
security
secrets
1password
op
cli
security
help collect_secrets
Create a service account at https://my.1password.com → Settings → Service Accounts
env_var prompt provider_url secret
OP_SERVICE_ACCOUNT_TOKEN 1Password Service Account Token https://developer.1password.com/docs/service-accounts/ true

1Password CLI

Use this skill when the user wants secrets managed through 1Password instead of plaintext env vars or files.

Requirements

  • 1Password account
  • 1Password CLI (op) installed
  • One of: desktop app integration, service account token (OP_SERVICE_ACCOUNT_TOKEN), or Connect server
  • tmux available for stable authenticated sessions during Hermes terminal calls (desktop app flow only)

When to Use

  • Install or configure 1Password CLI
  • Sign in with op signin
  • Read secret references like op://Vault/Item/field
  • Inject secrets into config/templates using op inject
  • Run commands with secret env vars via op run

Authentication Methods

Service Account (recommended for Hermes)

Set OP_SERVICE_ACCOUNT_TOKEN in ~/.hermes/.env (the skill will prompt for this on first load). No desktop app needed. Supports op read, op inject, op run.

export OP_SERVICE_ACCOUNT_TOKEN="your-token-here"
op whoami  # verify — should show Type: SERVICE_ACCOUNT

Desktop App Integration (interactive)

  1. Enable in 1Password desktop app: Settings → Developer → Integrate with 1Password CLI
  2. Ensure app is unlocked
  3. Run op signin and approve the biometric prompt

Connect Server (self-hosted)

export OP_CONNECT_HOST="http://localhost:8080"
export OP_CONNECT_TOKEN="your-connect-token"

Setup

  1. Install CLI:
# macOS
brew install 1password-cli

# Linux (official package/install docs)
# See references/get-started.md for distro-specific links.

# Windows (winget)
winget install AgileBits.1Password.CLI
  1. Verify:
op --version
  1. Choose an auth method above and configure it.

Hermes Execution Pattern (desktop app flow)

Hermes terminal commands are non-interactive by default and can lose auth context between calls. For reliable op use with desktop app integration, run sign-in and secret operations inside a dedicated tmux session.

Note: This is NOT needed when using OP_SERVICE_ACCOUNT_TOKEN — the token persists across terminal calls automatically.

SOCKET_DIR="${TMPDIR:-/tmp}/hermes-tmux-sockets"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/hermes-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"

tmux -S "$SOCKET" new -d -s "$SESSION" -n shell

# Sign in (approve in desktop app when prompted)
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "eval \"\$(op signin --account my.1password.com)\"" Enter

# Verify auth
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter

# Example read
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op read 'op://Private/Npmjs/one-time password?attribute=otp'" Enter

# Capture output when needed
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200

# Cleanup
tmux -S "$SOCKET" kill-session -t "$SESSION"

Common Operations

Read a secret

op read "op://app-prod/db/password"

Get OTP

op read "op://app-prod/npm/one-time password?attribute=otp"

Inject into template

echo "db_password: {{ op://app-prod/db/password }}" | op inject

Run a command with secret env var

export DB_PASSWORD="op://app-prod/db/password"
op run -- sh -c '[ -n "$DB_PASSWORD" ] && echo "DB_PASSWORD is set" || echo "DB_PASSWORD missing"'

Guardrails

  • Never print raw secrets back to user unless they explicitly request the value.
  • Prefer op run / op inject instead of writing secrets into files.
  • If command fails with "account is not signed in", run op signin again in the same tmux session.
  • If desktop app integration is unavailable (headless/CI), use service account token flow.

CI / Headless note

For non-interactive use, authenticate with OP_SERVICE_ACCOUNT_TOKEN and avoid interactive op signin. Service accounts require CLI v2.18.0+.

References

Reference in New Issue View Git Blame Copy Permalink