hermes-agent/optional-skills/security/1password/SKILL.md
teknium1 d1383a6b14 fix(skills): widen HERMES_HOME-aware .env resolution to all sibling skills
Follow-up to the GitHub-skills fix: the same hardcoded ~/.hermes/.env
pattern existed across other bundled and optional skills. Under the
official Docker setup (HERMES_HOME=/opt/data, subprocess HOME=/opt/data/home)
those paths point at a nonexistent file.

- kanban-video-orchestrator setup.sh.tmpl + docs: resolve via
  ${HERMES_HOME:-$HOME/.hermes}/.env in check_key()
- telephony.py / canvas_api.py / hyperliquid_client.py: error and
  save messages now report the real resolved env path instead of a
  hardcoded literal (path resolution itself was already correct)
- godmode SKILL.md: load_dotenv snippet resolves via HERMES_HOME
- watch_github.py + ~20 SKILL.md prose mentions: document the env file
  as ${HERMES_HOME:-~/.hermes}/.env so Docker users edit the right file
2026-06-10 15:10:11 -07:00

4.6 KiB

name description version author license platforms metadata setup
1password Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands. 1.0.0 arceus77-7, enhanced by Hermes Agent MIT
linux
macos
windows
hermes
tags category
security
secrets
1password
op
cli
security
help collect_secrets
Create a service account at https://my.1password.com → Settings → Service Accounts
env_var prompt provider_url secret
OP_SERVICE_ACCOUNT_TOKEN 1Password Service Account Token https://developer.1password.com/docs/service-accounts/ true

1Password CLI

Use this skill when the user wants secrets managed through 1Password instead of plaintext env vars or files.

Requirements

  • 1Password account
  • 1Password CLI (op) installed
  • One of: desktop app integration, service account token (OP_SERVICE_ACCOUNT_TOKEN), or Connect server
  • tmux available for stable authenticated sessions during Hermes terminal calls (desktop app flow only)

When to Use

  • Install or configure 1Password CLI
  • Sign in with op signin
  • Read secret references like op://Vault/Item/field
  • Inject secrets into config/templates using op inject
  • Run commands with secret env vars via op run

Authentication Methods

Set OP_SERVICE_ACCOUNT_TOKEN in ${HERMES_HOME:-~/.hermes}/.env (the skill will prompt for this on first load). No desktop app needed. Supports op read, op inject, op run.

export OP_SERVICE_ACCOUNT_TOKEN="your-token-here"
op whoami  # verify — should show Type: SERVICE_ACCOUNT

Desktop App Integration (interactive)

  1. Enable in 1Password desktop app: Settings → Developer → Integrate with 1Password CLI
  2. Ensure app is unlocked
  3. Run op signin and approve the biometric prompt

Connect Server (self-hosted)

export OP_CONNECT_HOST="http://localhost:8080"
export OP_CONNECT_TOKEN="your-connect-token"

Setup

  1. Install CLI:
# macOS
brew install 1password-cli

# Linux (official package/install docs)
# See references/get-started.md for distro-specific links.

# Windows (winget)
winget install AgileBits.1Password.CLI
  1. Verify:
op --version
  1. Choose an auth method above and configure it.

Hermes Execution Pattern (desktop app flow)

Hermes terminal commands are non-interactive by default and can lose auth context between calls. For reliable op use with desktop app integration, run sign-in and secret operations inside a dedicated tmux session.

Note: This is NOT needed when using OP_SERVICE_ACCOUNT_TOKEN — the token persists across terminal calls automatically.

SOCKET_DIR="${TMPDIR:-/tmp}/hermes-tmux-sockets"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/hermes-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"

tmux -S "$SOCKET" new -d -s "$SESSION" -n shell

# Sign in (approve in desktop app when prompted)
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "eval \"\$(op signin --account my.1password.com)\"" Enter

# Verify auth
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter

# Example read
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op read 'op://Private/Npmjs/one-time password?attribute=otp'" Enter

# Capture output when needed
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200

# Cleanup
tmux -S "$SOCKET" kill-session -t "$SESSION"

Common Operations

Read a secret

op read "op://app-prod/db/password"

Get OTP

op read "op://app-prod/npm/one-time password?attribute=otp"

Inject into template

echo "db_password: {{ op://app-prod/db/password }}" | op inject

Run a command with secret env var

export DB_PASSWORD="op://app-prod/db/password"
op run -- sh -c '[ -n "$DB_PASSWORD" ] && echo "DB_PASSWORD is set" || echo "DB_PASSWORD missing"'

Guardrails

  • Never print raw secrets back to user unless they explicitly request the value.
  • Prefer op run / op inject instead of writing secrets into files.
  • If command fails with "account is not signed in", run op signin again in the same tmux session.
  • If desktop app integration is unavailable (headless/CI), use service account token flow.

CI / Headless note

For non-interactive use, authenticate with OP_SERVICE_ACCOUNT_TOKEN and avoid interactive op signin. Service accounts require CLI v2.18.0+.

References