mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-25 00:51:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hermes-agent/optional-skills/security/1password/SKILL.md
teknium1 9667c71df8 fix(skills): improve 1password skill — env var prompting, auth docs, broken examples 
Follow-up to PR #883 (arceus77-7):

- Add setup.collect_secrets for OP_SERVICE_ACCOUNT_TOKEN so the skill
  prompts users to configure their token on first load
- Fix broken code examples: garbled op run export line, truncated
  secret reference in cli-examples.md
- Add Authentication Methods section documenting all 3 auth flows
  (service account, desktop app, connect server) with service account
  recommended for Hermes
- Clarify tmux pattern is only needed for desktop app flow, not
  service account token flow
- Credit original author (arceus77-7) in frontmatter
- Add DESCRIPTION.md for security/ category

Co-authored-by: arceus77-7 <arceus77-7@users.noreply.github.com>
2026-03-13 08:46:49 -07:00

4.6 KiB
Raw Blame History

name description version author license metadata setup
1password Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, and reading/injecting secrets for commands. 1.0.0 arceus77-7, enhanced by Hermes Agent MIT
hermes
tags category
security
secrets
1password
op
cli
security
help collect_secrets
Create a service account at https://my.1password.com → Settings → Service Accounts
env_var prompt provider_url secret
OP_SERVICE_ACCOUNT_TOKEN 1Password Service Account Token https://developer.1password.com/docs/service-accounts/ true

1Password CLI

Use this skill when the user wants secrets managed through 1Password instead of plaintext env vars or files.

Requirements

  • 1Password account
  • 1Password CLI (op) installed
  • One of: desktop app integration, service account token (OP_SERVICE_ACCOUNT_TOKEN), or Connect server
  • tmux available for stable authenticated sessions during Hermes terminal calls (desktop app flow only)

When to Use

  • Install or configure 1Password CLI
  • Sign in with op signin
  • Read secret references like op://Vault/Item/field
  • Inject secrets into config/templates using op inject
  • Run commands with secret env vars via op run

Authentication Methods

Service Account (recommended for Hermes)

Set OP_SERVICE_ACCOUNT_TOKEN in ~/.hermes/.env (the skill will prompt for this on first load). No desktop app needed. Supports op read, op inject, op run.

export OP_SERVICE_ACCOUNT_TOKEN="your-token-here"
op whoami  # verify — should show Type: SERVICE_ACCOUNT

Desktop App Integration (interactive)

  1. Enable in 1Password desktop app: Settings → Developer → Integrate with 1Password CLI
  2. Ensure app is unlocked
  3. Run op signin and approve the biometric prompt

Connect Server (self-hosted)

export OP_CONNECT_HOST="http://localhost:8080"
export OP_CONNECT_TOKEN="your-connect-token"

Setup

  1. Install CLI:
# macOS
brew install 1password-cli

# Linux (official package/install docs)
# See references/get-started.md for distro-specific links.

# Windows (winget)
winget install AgileBits.1Password.CLI
  1. Verify:
op --version
  1. Choose an auth method above and configure it.

Hermes Execution Pattern (desktop app flow)

Hermes terminal commands are non-interactive by default and can lose auth context between calls. For reliable op use with desktop app integration, run sign-in and secret operations inside a dedicated tmux session.

Note: This is NOT needed when using OP_SERVICE_ACCOUNT_TOKEN — the token persists across terminal calls automatically.

SOCKET_DIR="${TMPDIR:-/tmp}/hermes-tmux-sockets"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/hermes-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"

tmux -S "$SOCKET" new -d -s "$SESSION" -n shell

# Sign in (approve in desktop app when prompted)
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "eval \"\$(op signin --account my.1password.com)\"" Enter

# Verify auth
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter

# Example read
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op read 'op://Private/Npmjs/one-time password?attribute=otp'" Enter

# Capture output when needed
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200

# Cleanup
tmux -S "$SOCKET" kill-session -t "$SESSION"

Common Operations

Read a secret

op read "op://app-prod/db/password"

Get OTP

op read "op://app-prod/npm/one-time password?attribute=otp"

Inject into template

echo "db_password: {{ op://app-prod/db/password }}" | op inject

Run a command with secret env var

export OPENAI_API_KEY="op://app-prod/openai/api key"
op run -- sh -c '[ -n "$OPENAI_API_KEY" ] && echo "OPENAI_API_KEY is set" || echo "OPENAI_API_KEY missing"'

Guardrails

  • Never print raw secrets back to user unless they explicitly request the value.
  • Prefer op run / op inject instead of writing secrets into files.
  • If command fails with "account is not signed in", run op signin again in the same tmux session.
  • If desktop app integration is unavailable (headless/CI), use service account token flow.

CI / Headless note

For non-interactive use, authenticate with OP_SERVICE_ACCOUNT_TOKEN and avoid interactive op signin. Service accounts require CLI v2.18.0+.

References