startupbros

Bitwarden Vault CLI

by StartupBros · GitHub ↗ · v1.0.0
cross-platform · ✓ Security Clean · Downloads: 3197 · Stars: 6 · Active Installs: 12 · Versions: 1
Install in OpenClaw
/install bitwarden-vault
Description
Set up and use Bitwarden CLI (bw). Use when installing the CLI, authenticating (login/unlock), or reading secrets from your vault. Supports email/password, API key, and SSO authentication methods.
README (SKILL.md)

Bitwarden CLI Skill

The Bitwarden command-line interface (CLI) provides full access to your Bitwarden vault for retrieving passwords, secure notes, and other secrets programmatically.

Workflow Requirements

CRITICAL: Always run bw commands inside a dedicated tmux session. The CLI requires a session key (BW_SESSION) for all vault operations after authentication. A tmux session preserves this environment variable across commands.

Required Workflow

  1. Verify CLI installation: Run bw --version to confirm the CLI is available
  2. Create a dedicated tmux session: tmux new-session -d -s bw-session
  3. Attach and authenticate: Run bw login or bw unlock inside the session
  4. Export session key: After unlock, export BW_SESSION as instructed by the CLI
  5. Execute vault commands: Use bw get, bw list, etc. within the same session

Authentication Methods

| Method | Command | Use Case |
|---|---|---|
| Email/Password | bw login | Interactive sessions, first-time setup |
| API Key | bw login --apikey | Automation, scripts (requires separate unlock) |
| SSO | bw login --sso | Enterprise/organization accounts |

After bw login with email/password, your vault is automatically unlocked. For API key or SSO login, you must subsequently run bw unlock to decrypt the vault.

Session Key Management

The unlock command outputs a session key. You must export it:

# Bash/Zsh
export BW_SESSION="<session_key_from_unlock>"

# Or capture automatically
export BW_SESSION=$(bw unlock --raw)

Session keys remain valid until you run bw lock or bw logout. They do not persist across terminal windows—hence the tmux requirement.

Reading Secrets

# Get password by item name
bw get password "GitHub"

# Get username
bw get username "GitHub"

# Get TOTP code
bw get totp "GitHub"

# Get full item as JSON
bw get item "GitHub"

# Get specific field
bw get item "GitHub" | jq -r '.fields[] | select(.name=="api_key") | .value'

# List all items
bw list items

# Search items
bw list items --search "github"

Security Guardrails

  • NEVER expose secrets in logs, code, or command output visible to users
  • NEVER write secrets to disk unless absolutely necessary
  • ALWAYS use bw lock when finished with vault operations
  • PREFER reading secrets directly into environment variables or piping to commands
  • If you receive "Vault is locked" errors, re-authenticate with bw unlock
  • If you receive "You are not logged in" errors, run bw login first
  • Stop and request assistance if tmux is unavailable on the system
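
The guardrails above (no secrets on disk, prefer environment variables, always bw lock) can be combined into one wrapper. This is an added example, not part of the skill's SKILL.md: with_vault_secret and API_TOKEN are hypothetical names, and it uses a short-lived unlock per call instead of a long-lived exported BW_SESSION.

```sh
# Added example (not from SKILL.md). with_vault_secret is a hypothetical helper;
# only `bw unlock --raw`, `bw get password` and `bw lock` come from the page.
# Usage: with_vault_secret ITEM ENV_NAME COMMAND [ARGS...]
with_vault_secret() {
    (   # Subshell: no variable set below survives in the calling shell.
        set +x                          # never xtrace lines that hold secrets
        [ "$#" -ge 3 ] || { echo "usage: ITEM ENV_NAME COMMAND..." >&2; exit 2; }
        item=$1 envname=$2
        shift 2
        # ENV_NAME must be a plain identifier before it reaches `export`.
        case $envname in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo "invalid variable name" >&2; exit 2 ;;
        esac

        # Re-lock if interrupted while the vault is open.
        trap 'bw lock >/dev/null 2>&1; exit 130' INT TERM HUP

        session=$(bw unlock --raw) || exit 1
        # Prefix assignment: the session key is visible to this one bw call only.
        if secret=$(BW_SESSION=$session bw get password "$item"); then
            rc=0
        else
            rc=$?
        fi

        # Lock and drop the session key before the command starts.
        bw lock >/dev/null 2>&1 || echo "warning: bw lock failed" >&2
        unset BW_SESSION session
        trap - INT TERM HUP
        [ "$rc" -eq 0 ] || exit "$rc"

        # Only COMMAND and its children inherit the secret.
        export "$envname=$secret"
        unset secret
        "$@"
    )
}
```

The command receives the password in the named variable, while the calling shell never holds the password or the session key, and the vault is already locked when the command starts.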

Environment Variables

| Variable | Purpose |
|---|---|
| BW_SESSION | Session key for vault decryption (required for all vault commands) |
| BW_CLIENTID | API key client ID (for --apikey login) |
| BW_CLIENTSECRET | API key client secret (for --apikey login) |
| BITWARDENCLI_APPDATA_DIR | Custom config directory (enables multi-account setups) |

Self-Hosted Servers

For Vaultwarden or self-hosted Bitwarden:

bw config server https://your-bitwarden-server.com

Usage Guidance
This skill appears to do what it says (help you install and use the Bitwarden CLI). Before installing or using it:

  1. Verify the bw binary you install is the official Bitwarden client (use Homebrew, the official npm package @bitwarden/cli, Chocolatey, snap, or official downloads) and check signatures/URLs where possible.
  2. Be cautious exporting BW_SESSION or vault secrets into long-lived shells or files — any process that shares the session or the environment can read those values. Prefer transient, short-lived sessions and run bw commands in isolated shells or ephemeral processes; run bw lock or bw logout when finished.
  3. Avoid writing secrets to disk or logs; if automation requires secrets as env vars, scope their lifetime and revoke or re-lock afterward.
  4. When using npm/global installs, ensure your node environment and package sources are trusted.
  5. If you will allow an autonomous agent to use this skill, explicitly decide whether you want the agent to access your vault and consider limiting its access (create limited API keys or separate vault items).
Capability Analysis
Type: OpenClaw Skill
Name: bitwarden-vault
Version: 1.0.0

The OpenClaw AgentSkills bundle for Bitwarden CLI is classified as benign. While it inherently deals with sensitive data (secrets) and requires shell/network access, these capabilities are directly aligned with its stated purpose of managing a Bitwarden vault. The `SKILL.md` file includes explicit 'Security Guardrails' instructing the AI agent to 'NEVER expose secrets in logs' and 'NEVER write secrets to disk', actively mitigating potential misuse. There is no evidence of intentional harmful behavior such as data exfiltration to unauthorized endpoints, persistence mechanisms, or malicious prompt injection attempts to subvert the agent's purpose.
Capability Assessment
Purpose & Capability
Name, description, required binary (bw), and install spec (homebrew/npm/choco/snap/native) all match the stated goal of providing Bitwarden CLI usage. There are no unrelated binaries, credentials, or config paths requested that don't belong to a password-manager CLI skill.
Instruction Scope
SKILL.md contains explicit runtime instructions to create a tmux session, run bw login/unlock, export BW_SESSION, and use bw get/list commands to read secrets. Those steps are coherent for a CLI-first Bitwarden workflow. The instructions also encourage piping secrets into environment variables and other commands — this is expected for automation but increases risk of accidental exposure. The file references environment variables (BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET, BITWARDENCLI_APPDATA_DIR) even though the registry 'requires.env' is empty; this is normal (they are standard Bitwarden variables) but worth noting.
Install Mechanism
Install options are standard package sources (Homebrew formula, npm package @bitwarden/cli, Chocolatey, snap, and direct binaries). No arbitrary or shortened URLs or extracted archives from unknown hosts are used in the provided install metadata. npm/global installs carry the usual supply-chain caveats but are expected for this tool.
Credentials
The skill does not request platform credentials or secrets itself (requires.env is empty), but the runtime instructions require and show how to export sensitive values (BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET) and how to pull vault secrets into process environment variables (e.g., exporting AWS keys). That behavior is intrinsic to a secrets-management skill but is sensitive: exporting session tokens or secrets into shell environment increases the attack surface (other processes, logs, shell history).
Persistence & Privilege
Skill does not request always:true and does not attempt to modify other skills or system-wide agent settings. It's instruction-only and has no persistent installation behavior beyond installing the expected bw binary via normal package managers.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install bitwarden-vault
  3. After installation, invoke the skill by name or use /bitwarden-vault
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Bitwarden password manager CLI skill with email/password, API key, and SSO auth. Supports self-hosted Vaultwarden. tmux workflow for session management. Full reference docs included.
Metadata
Slug bitwarden-vault
Version 1.0.0
License
All-time Installs 12
Active Installs 12
Total Versions 1
Frequently Asked Questions

What is Bitwarden Vault CLI?

Set up and use Bitwarden CLI (bw). Use when installing the CLI, authenticating (login/unlock), or reading secrets from your vault. Supports email/password, API key, and SSO authentication methods. It is an AI Agent Skill for Claude Code / OpenClaw, with 3197 downloads so far.

How do I install Bitwarden Vault CLI?

Run "/install bitwarden-vault" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Bitwarden Vault CLI free?

Yes, Bitwarden Vault CLI is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Bitwarden Vault CLI support?

Bitwarden Vault CLI is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Bitwarden Vault CLI?

It is built and maintained by StartupBros (@startupbros); the current version is v1.0.0.
