← Back to Skills Marketplace
1484
Downloads
0
Stars
2
Active Installs
12
Versions
Install in OpenClaw
/install bw-cli
Description
Securely interact with Bitwarden password manager via the bw CLI. Covers authentication (login/unlock/logout), vault operations (list/get/create/edit/delete...
README (SKILL.md)
Bitwarden CLI
Complete reference for interacting with Bitwarden via the command-line interface.
Official documentation: https://bitwarden.com/help/cli/
Markdown version (for agents): https://bitwarden.com/help/cli.md
Quick Reference
Installation
# Native executable (recommended)
# https://bitwarden.com/download/?app=cli
# npm
npm install -g @bitwarden/cli
# Linux package managers
choco install bitwarden-cli # Windows via Chocolatey
snap install bw # Linux via Snap
Authentication Flow (Preferred: Unlock First)
Standard-Workflow (unlock-first):
# 1. Try unlock first (fast, most common case)
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)
# 2. Only if unlock fails, fall back to login
if [ -z "$BW_SESSION" ]; then
bw login "$BW_EMAIL" "$BW_PASSWORD"
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
fi
# 3. Sync before any vault operation
bw sync
# 4. End session
bw lock # Lock (keep login)
bw logout # Complete logout
Alternative: Direct login methods
bw login # Interactive login (email + password)
bw login --apikey # API key login (uses BW_CLIENTID/BW_CLIENTSECRET from .secrets)
bw login --sso # SSO login
bw unlock # Interactive unlock
bw unlock --passwordenv BW_PASSWORD # Auto-available from sourced .secrets
Session & Configuration Commands
status
Check authentication and vault status:
bw status
Returns: unauthenticated, locked, or unlocked.
config
Configure CLI settings:
# Set server (self-hosted or regional)
bw config server https://vault.example.com
bw config server https://vault.bitwarden.eu # EU cloud
bw config server # Check current
# Individual service URLs
bw config server --web-vault \x3Curl> --api \x3Curl> --identity \x3Curl>
sync
Sync local vault with server (always run before vault operations):
bw sync # Full sync
bw sync --last # Show last sync timestamp
update
Check for updates (does not auto-install):
bw update
serve
Start REST API server:
bw serve --port 8087 --hostname localhost
Vault Item Commands
list
List vault objects:
# Items
bw list items
bw list items --search github
bw list items --folderid \x3Cid> --collectionid \x3Cid>
bw list items --url https://example.com
bw list items --trash # Items in trash
# Folders
bw list folders
# Collections
bw list collections # All collections
bw list org-collections --organizationid \x3Cid> # Org collections
# Organizations
bw list organizations
bw list org-members --organizationid \x3Cid>
get
Retrieve single values or items:
# Get specific fields (by name or ID)
bw get password "GitHub"
bw get username "GitHub"
bw get totp "GitHub" # 2FA code
bw get notes "GitHub"
bw get uri "GitHub"
# Get full item JSON
bw get item "GitHub"
bw get item \x3Cuuid> --pretty
# Other objects
bw get folder \x3Cid>
bw get collection \x3Cid>
bw get organization \x3Cid>
bw get org-collection \x3Cid> --organizationid \x3Cid>
# Templates for create operations
bw get template item
bw get template item.login
bw get template item.card
bw get template item.identity
bw get template item.securenote
bw get template folder
bw get template collection
bw get template item-collections
# Security
bw get fingerprint \x3Cuser-id>
bw get fingerprint me
bw get exposed \x3Cpassword> # Check if password is breached
# Attachments
bw get attachment \x3Cfilename> --itemid \x3Cid> --output /path/
create
Create new objects:
# Create folder
bw get template folder | jq '.name="Work"' | bw encode | bw create folder
# Create login item
bw get template item | jq \
'.name="Service" | .login=$(bw get template item.login | jq '.username="[email protected]" | .password="secret"')' \
| bw encode | bw create item
# Create secure note (type=2)
bw get template item | jq \
'.type=2 | .secureNote.type=0 | .name="Note" | .notes="Content"' \
| bw encode | bw create item
# Create card (type=3)
bw get template item | jq \
'.type=3 | .name="My Card" | .card=$(bw get template item.card | jq '.number="4111..."')' \
| bw encode | bw create item
# Create identity (type=4)
bw get template item | jq \
'.type=4 | .name="My Identity" | .identity=$(bw get template item.identity)' \
| bw encode | bw create item
# Create SSH key (type=5)
bw get template item | jq \
'.type=5 | .name="My SSH Key"' \
| bw encode | bw create item
# Attach file to existing item
bw create attachment --file ./doc.pdf --itemid \x3Cuuid>
Item types: 1=Login, 2=Secure Note, 3=Card, 4=Identity, 5=SSH Key.
edit
Modify existing objects:
# Edit item
bw get item \x3Cid> | jq '.login.password="newpass"' | bw encode | bw edit item \x3Cid>
# Edit folder
bw get folder \x3Cid> | jq '.name="New Name"' | bw encode | bw edit folder \x3Cid>
# Edit item collections
echo '["collection-uuid"]' | bw encode | bw edit item-collections \x3Citem-id> --organizationid \x3Cid>
# Edit org collection
bw get org-collection \x3Cid> --organizationid \x3Cid> | jq '.name="New Name"' | bw encode | bw edit org-collection \x3Cid> --organizationid \x3Cid>
delete
Remove objects:
# Send to trash (recoverable 30 days)
bw delete item \x3Cid>
bw delete folder \x3Cid>
bw delete attachment \x3Cid> --itemid \x3Cid>
bw delete org-collection \x3Cid> --organizationid \x3Cid>
# Permanent delete (irreversible!)
bw delete item \x3Cid> --permanent
restore
Recover from trash:
bw restore item \x3Cid>
Password Generation
generate
Generate passwords or passphrases:
# Password (default: 14 chars)
bw generate
bw generate --uppercase --lowercase --number --special --length 20
bw generate -ulns --length 32
# Passphrase
bw generate --passphrase --words 4 --separator "-" --capitalize --includeNumber
Send Commands (Secure Sharing)
send
Create ephemeral shares:
# Text Send
bw send -n "Secret" -d 7 --hidden "This text vanishes in 7 days"
# File Send
bw send -n "Doc" -d 14 -f /path/to/file.pdf
# Advanced options
bw send --password accesspass -f file.txt
receive
Access received Sends:
bw receive \x3Curl> --password \x3Cpass>
Organization Commands
move
Share items to organization:
echo '["collection-uuid"]' | bw encode | bw move \x3Citem-id> \x3Corganization-id>
confirm
Confirm invited members:
bw get fingerprint \x3Cuser-id>
bw confirm org-member \x3Cuser-id> --organizationid \x3Cid>
device-approval
Manage device approvals:
bw device-approval list --organizationid \x3Cid>
bw device-approval approve \x3Crequest-id> --organizationid \x3Cid>
bw device-approval approve-all --organizationid \x3Cid>
bw device-approval deny \x3Crequest-id> --organizationid \x3Cid>
bw device-approval deny-all --organizationid \x3Cid>
Import & Export
import
Import from other password managers:
bw import --formats # List supported formats
bw import lastpasscsv ./export.csv
bw import bitwardencsv ./import.csv --organizationid \x3Cid>
export
Export vault data:
bw export # CSV format
bw export --format json
bw export --format encrypted_json
bw export --format encrypted_json --password \x3Ccustom-pass>
bw export --format zip # Includes attachments
bw export --output /path/ --raw # Output to file or stdout
bw export --organizationid \x3Cid> --format json
Utilities
encode
Base64 encode JSON for create/edit operations:
bw get template folder | jq '.name="Test"' | bw encode | bw create folder
generate (password)
See Password Generation.
Global Options
Available on all commands:
--pretty # Format JSON output with tabs
--raw # Return raw output
--response # JSON formatted response
--quiet # No stdout (use for piping secrets)
--nointeraction # Don't prompt for input
--session \x3Ckey> # Pass session key directly
--version # CLI version
--help # Command help
Security Reference
Secure Password Storage (Workspace .secrets)
Store the master password in a .secrets file in the workspace root and auto-load it:
# Create .secrets file
mkdir -p ~/.openclaw/workspace
echo "BW_PASSWORD=your_master_password" > ~/.openclaw/workspace/.secrets
chmod 600 ~/.openclaw/workspace/.secrets
# Add to .gitignore
echo ".secrets" >> ~/.openclaw/workspace/.gitignore
# Auto-source in shell config (run once)
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.bashrc
# OR for zsh:
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.zshrc
Now BW_PASSWORD is always available:
bw unlock --passwordenv BW_PASSWORD
Security requirements:
- File must be mode
600(user read/write only) - Must add
.secretsto.gitignore - Never commit the .secrets file
- Auto-sourcing happens on new shell sessions; run
source ~/.openclaw/workspace/.secretsfor current session
API Key Authentication (Workspace .secrets)
For automated/API key login, store credentials in the same .secrets file:
# Add API credentials to .secrets
echo "BW_CLIENTID=user.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" >> ~/.openclaw/workspace/.secrets
echo "BW_CLIENTSECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" >> ~/.openclaw/workspace/.secrets
chmod 600 ~/.openclaw/workspace/.secrets
Login with API key:
bw login --apikey
⚠️ Known Issue / Workaround
On some self-hosted Vaultwarden instances, bw login --apikey may fail with:
User Decryption Options are required for client initialization
Workaround - Use Email/Password Login:
# Add EMAIL to .secrets
echo "[email protected]" >> ~/.openclaw/workspace/.secrets
# Login with email + password (instead of --apikey)
bw login "$BW_EMAIL" "$BW_PASSWORD"
# Or as one-liner
set -a && source ~/.openclaw/workspace/.secrets && set +a && bw login "$BW_EMAIL" "$BW_PASSWORD"
# Then unlock as usual
bw unlock --passwordenv BW_PASSWORD
Full workflow (recommended for self-hosted):
# Source the .secrets file
set -a && source ~/.openclaw/workspace/.secrets && set +a
# Try unlock first (faster, works if already logged in)
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)
# Only login if unlock failed (vault not initialized)
if [ -z "$BW_SESSION" ]; then
bw login "$BW_EMAIL" "$BW_PASSWORD"
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
fi
# Ready to use
bw sync
bw list items
Get your API key: https://bitwarden.com/help/personal-api-key/
Environment Variables
BW_CLIENTID # API key client_id
BW_CLIENTSECRET # API key client_secret
BW_PASSWORD # Master password for unlock
BW_SESSION # Session key (auto-used by CLI)
BITWARDENCLI_DEBUG=true # Enable debug output
NODE_EXTRA_CA_CERTS # Self-signed certs path
BITWARDENCLI_APPDATA_DIR # Custom config directory
Two-Step Login Methods
Method values: 0=Authenticator, 1=Email, 3=YubiKey.
bw login [email protected] password --method 0 --code 123456
URI Match Types
Values: 0=Domain, 1=Host, 2=Starts With, 3=Exact, 4=Regex, 5=Never.
Field Types
Values: 0=Text, 1=Hidden, 2=Boolean.
Organization User Types
0=Owner, 1=Admin, 2=User, 3=Manager, 4=Custom.
Organization User Statuses
0=Invited, 1=Accepted, 2=Confirmed, -1=Revoked.
Best Practices
- Unlock first, login only if needed: Try
bw unlockfirst as it's faster; only runbw loginif unlock fails (vault not initialized) - Always sync: Run
bw syncbefore any vault operation - Secure session: Use
bw lockwhen done - Protect secrets: Never log BW_SESSION or BW_PASSWORD
- Secure storage: Keep .secrets file at mode 600, never commit it
- Auto-source: Add to ~/.bashrc or ~/.zshrc for persistent env vars
- Verify fingerprints: Before confirming org members
Troubleshooting
| Issue | Solution |
|---|---|
| "Bot detected" | Use --apikey or provide client_secret |
| "Vault is locked" | Run bw unlock and export BW_SESSION |
| Self-signed cert error | Set NODE_EXTRA_CA_CERTS |
| Need debug info | export BITWARDENCLI_DEBUG=true |
References:
- HTML documentation: https://bitwarden.com/help/cli/
- Markdown (fetchable): https://bitwarden.com/help/cli.md
- Personal API Key: https://bitwarden.com/help/personal-api-key/
Usage Guidance
This skill is essentially a detailed reference for the official Bitwarden CLI and is coherent with that purpose, but exercise caution before installing or using it:
- The SKILL.md expects you to use sensitive environment variables (BW_PASSWORD, BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET) and password files, yet the skill metadata lists no required env vars. That mismatch means the skill may instruct the agent to read/write secrets without the metadata making that explicit. Treat any prompts or instructions that export secrets into env vars or files as high-risk.
- The 'bw serve' command can expose data if misconfigured; the doc even mentions a '--disable-origin-protection' flag that is dangerous. Avoid running a local server unless you understand the networking implications.
- Because this is instruction-only and the source/homepage are not provided, verify the bw binary you install comes from the official Bitwarden distribution (bitwarden.com) and check upstream docs and checksums yourself. Do not follow binary-download instructions from untrusted third parties.
- Prefer ephemeral session usage (unlock into BW_SESSION only in a short-lived process) and avoid storing plain-text passwords in environment variables or files unless you control the environment and accept the risk.
If you need to proceed: only enable the skill on-demand (don’t set always:true), confirm the skill’s source or prefer an official/verified skill, and audit any agent actions that would read or write your Bitwarden credentials or export vault data.
Capability Analysis
Type: OpenClaw Skill
Name: bw-cli
Version: 1.1.1
The skill is designed to allow an AI agent to interact with the Bitwarden CLI, granting it access to a user's password vault. While the instructions in SKILL.md are descriptive and appear to guide the agent in legitimate use of the `bw` CLI (e.g., retrieving passwords, generating passphrases, managing vault items), the inherent capability to access and manage highly sensitive credentials (BW_PASSWORD, API keys) and to export the entire vault (`bw export`) makes this skill high-risk. The skill instructs the agent on how to load these sensitive credentials from a `.secrets` file. This level of access, even if intended for benign purposes, is a significant capability that could be abused if the agent or its environment were compromised, thus classifying it as suspicious rather than benign.
Capability Assessment
Purpose & Capability
The SKILL.md is a thorough command/reference guide for the Bitwarden 'bw' CLI (login/unlock/sync/list/get/create/edit/export/serve/etc.). The commands, options, and workflows described align with the stated purpose of interacting with Bitwarden via the bw CLI.
Instruction Scope
The instructions explicitly reference reading and exporting secrets (e.g., BW_PASSWORD, BW_SESSION), using API key environment variables (BW_CLIENTID, BW_CLIENTSECRET), reading password files (--passwordfile), attaching files, exporting vaults to paths, and running a local REST server (bw serve) including an option that disables origin protection. Those are legitimate bw workflows, but they involve sensitive secrets and local files; the SKILL.md grants broad operational suggestions (unlock-first fallback to login, auto-export patterns) and does not constrain or warn sufficiently about risks. Importantly, the instructions access environment variables and files not declared in the skill metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing will be written or downloaded by the skill itself. That is low-risk from an installation perspective. Note: the registry metadata lists an unknown source/homepage which reduces transparency but does not change the install risk because nothing is installed.
Credentials
The skill metadata declares no required environment variables, yet the runtime instructions use sensitive variables: BW_PASSWORD, BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET and suggest sourcing secrets from files. Asking for or relying on these secrets is expected for a Bitwarden CLI guide, but the metadata omission is an incoherence — the skill does not declare the sensitive environment access it instructs the agent to use. That makes it easier for a user to miss the fact the agent may read or instruct use of private credentials.
Persistence & Privilege
The skill does not request persistent presence (always: false), does not install components, and does not modify other skills or system configurations. Autonomous invocation is enabled by default but is not combined with other high-risk factors in the manifest.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install bw-cli - After installation, invoke the skill by name or use
/bw-cli - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.1
feat: unlock-first workflow for better performance. Try unlock first (fast path), fall back to login only when vault not initialized. Reduces unnecessary API calls.
v1.9.0
Added workaround for API key login issue on self-hosted Vaultwarden - use email/password login instead. Documented BW_EMAIL variable.
v1.8.0
Added API key authentication support with BW_CLIENTID and BW_CLIENTSECRET stored in .secrets file. Updated docs with https://bitwarden.com/help/personal-api-key/
v1.7.0
.secrets file is now auto-sourced via shell config (~/.bashrc or ~/.zshrc) so BW_PASSWORD is always available
v1.6.0
Restored .secrets file approach - store BW_PASSWORD in ~/.openclaw/workspace/.secrets and source it to load into environment
v1.5.0
Changed from .secrets file to BW_PASSWORD environment variable for automated unlock
v1.4.1
Added markdown docs URL reference for agents to fetch (https://bitwarden.com/help/cli.md)
v1.4.0
Restructured to agentskills.io spec. Removed scripts folder - now uses raw bw CLI commands. Added official Bitwarden docs link. Removed .secrets example file. Complete command reference including all bw CLI commands.
v1.3.0
Changed from .secrets folder to .secrets file with BW_PASSWORD=KEY format
v1.2.0
Changed from .secrets folder to .secrets file with BW_PASSWORD=KEY format
v1.1.0
Add mandatory 'bw sync' before vault access to prevent stale data
v1.0.0
Initial release: Full Bitwarden CLI skill with authentication, vault operations, password generation, and helper scripts
Metadata
Frequently Asked Questions
What is Bitwarden CLI?
Securely interact with Bitwarden password manager via the bw CLI. Covers authentication (login/unlock/logout), vault operations (list/get/create/edit/delete... It is an AI Agent Skill for Claude Code / OpenClaw, with 1484 downloads so far.
How do I install Bitwarden CLI?
Run "/install bw-cli" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Bitwarden CLI free?
Yes, Bitwarden CLI is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Bitwarden CLI support?
Bitwarden CLI is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Bitwarden CLI?
It is built and maintained by TFM (@0x7466); the current version is v1.1.1.
More Skills