ReddRadar
Agent skill
1password
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands.
Install this agent skill to your Project
npx add-skill https://github.com/NousResearch/hermes-agent/tree/main/optional-skills/security/1password
Metadata
Additional technical details for this skill
- hermes
-
{ "tags": [ "security", "secrets", "1password", "op", "cli" ], "category": "security" }
SKILL.md
1Password CLI
Use this skill when the user wants secrets managed through 1Password instead of plaintext env vars or files.
Requirements
- 1Password account
- 1Password CLI (
op) installed - One of: desktop app integration, service account token (
OP_SERVICE_ACCOUNT_TOKEN), or Connect server tmuxavailable for stable authenticated sessions during Hermes terminal calls (desktop app flow only)
When to Use
- Install or configure 1Password CLI
- Sign in with
op signin - Read secret references like
op://Vault/Item/field - Inject secrets into config/templates using
op inject - Run commands with secret env vars via
op run
Authentication Methods
Service Account (recommended for Hermes)
Set OP_SERVICE_ACCOUNT_TOKEN in ~/.hermes/.env (the skill will prompt for this on first load).
No desktop app needed. Supports op read, op inject, op run.
export OP_SERVICE_ACCOUNT_TOKEN="your-token-here"
op whoami # verify — should show Type: SERVICE_ACCOUNT
Desktop App Integration (interactive)
- Enable in 1Password desktop app: Settings → Developer → Integrate with 1Password CLI
- Ensure app is unlocked
- Run
op signinand approve the biometric prompt
Connect Server (self-hosted)
export OP_CONNECT_HOST="http://localhost:8080"
export OP_CONNECT_TOKEN="your-connect-token"
Setup
- Install CLI:
# macOS
brew install 1password-cli
# Linux (official package/install docs)
# See references/get-started.md for distro-specific links.
# Windows (winget)
winget install AgileBits.1Password.CLI
- Verify:
op --version
- Choose an auth method above and configure it.
Hermes Execution Pattern (desktop app flow)
Hermes terminal commands are non-interactive by default and can lose auth context between calls.
For reliable op use with desktop app integration, run sign-in and secret operations inside a dedicated tmux session.
Note: This is NOT needed when using OP_SERVICE_ACCOUNT_TOKEN — the token persists across terminal calls automatically.
SOCKET_DIR="${TMPDIR:-/tmp}/hermes-tmux-sockets"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/hermes-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
# Sign in (approve in desktop app when prompted)
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "eval \"\$(op signin --account my.1password.com)\"" Enter
# Verify auth
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
# Example read
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op read 'op://Private/Npmjs/one-time password?attribute=otp'" Enter
# Capture output when needed
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
# Cleanup
tmux -S "$SOCKET" kill-session -t "$SESSION"
Common Operations
Read a secret
op read "op://app-prod/db/password"
Get OTP
op read "op://app-prod/npm/one-time password?attribute=otp"
Inject into template
echo "db_password: {{ op://app-prod/db/password }}" | op inject
Run a command with secret env var
export DB_PASSWORD="op://app-prod/db/password"
op run -- sh -c '[ -n "$DB_PASSWORD" ] && echo "DB_PASSWORD is set" || echo "DB_PASSWORD missing"'
Guardrails
- Never print raw secrets back to user unless they explicitly request the value.
- Prefer
op run/op injectinstead of writing secrets into files. - If command fails with "account is not signed in", run
op signinagain in the same tmux session. - If desktop app integration is unavailable (headless/CI), use service account token flow.
CI / Headless note
For non-interactive use, authenticate with OP_SERVICE_ACCOUNT_TOKEN and avoid interactive op signin.
Service accounts require CLI v2.18.0+.
References
references/get-started.mdreferences/cli-examples.md- https://developer.1password.com/docs/cli/
- https://developer.1password.com/docs/service-accounts/
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
NousResearch/hermes-agent
agentmail
Give the agent its own dedicated email inbox via AgentMail. Send, receive, and manage email autonomously using agent-owned email addresses (e.g. hermes-agent@agentmail.to).
NousResearch/hermes-agent
base
Query Base (Ethereum L2) blockchain data with USD pricing — wallet balances, token info, transaction details, gas analysis, contract inspection, whale detection, and live network stats. Uses Base RPC + CoinGecko. No API key required.
NousResearch/hermes-agent
solana
Query Solana blockchain data with USD pricing — wallet balances, token portfolios with values, transaction details, NFTs, whale detection, and live network stats. Uses Solana RPC + CoinGecko. No API key required.
NousResearch/hermes-agent
one-three-one-rule
Structured decision-making framework for technical proposals and trade-off analysis. When the user faces a choice between multiple approaches (architecture decisions, tool selection, refactoring strategies, migration paths), this skill produces a 1-3-1 format: one clear problem statement, three distinct options with pros/cons, and one concrete recommendation with definition of done and implementation plan. Use when the user asks for a "1-3-1", says "give me options", or needs help choosing between competing approaches.
NousResearch/hermes-agent
fastmcp
Build, test, inspect, install, and deploy MCP servers with FastMCP in Python. Use when creating a new MCP server, wrapping an API or database as MCP tools, exposing resources or prompts, or preparing a FastMCP server for Claude Code, Cursor, or HTTP deployment.
NousResearch/hermes-agent
qdrant-vector-search
High-performance vector similarity search engine for RAG and semantic search. Use when building production RAG systems requiring fast nearest neighbor search, hybrid search with filtering, or scalable vector storage with Rust-powered performance.
Didn't find tool you were looking for?