Skip to content

drewburchfield/openclaw-1password

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.claude-plugin
.claude-plugin
 
 
skills/1password-openclaw
skills/1password-openclaw
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

openclaw-1password

Move every secret out of openclaw.json and into 1Password. Resolved at runtime, never on disk.

License


What it does

Replaces plaintext secrets in openclaw.json with SecretRef exec provider objects that call op directly to read from 1Password at runtime. Each secret gets its own provider entry. No custom resolver script needed.

Before After
"token": "xoxb-real-token" "token": { "source": "exec", "provider": "discord-token", "id": "discord-token" }
Plaintext secrets on disk Secrets in 1Password, resolved at runtime
openclaw update bakes secrets into JSON SecretRef objects survive config rewrites
LaunchAgent breaks after every update One repair command fixes it
Custom resolver script to maintain Direct op read calls, zero custom scripts

. . .

How to use this

This repo is a knowledge base and script toolkit. It works with any AI coding assistant that can read files from a directory, and it also ships as a Claude Code plugin for one-command installation.

Option A: Any agentic CLI

Clone or download this repo, then point your tool at the skills/1password-openclaw/ directory.

git clone https://github.com/drewburchfield/openclaw-1password.git

The directory structure is self-contained:

skills/1password-openclaw/
├── SKILL.md                  # Main guide (start here)
├── references/
│   ├── architecture.md       # Direct-op design, TCC prevention, cross-platform
│   ├── troubleshooting.md    # Every known failure mode
│   ├── tutorial.md           # Step-by-step manual setup
│   └── version-adaptation.md # Handling newer OpenClaw versions
├── scripts/
│   ├── openclaw-1p-setup.sh  # Setup/repair/verify automation
│   └── op-resolver-template.sh  # DEPRECATED (kept for reference)
└── examples/
    └── openclaw-secretref-config.json

Tell your assistant to read skills/1password-openclaw/SKILL.md and it will have full context on setup, diagnosis, repair, and version adaptation.

Cursor, Windsurf, Codex, etc.: Add the skills/1password-openclaw/ path to your project context or rules file. The skill and references are plain Markdown; any tool that reads files can use them.

Option B: Claude Code plugin

claude plugins install openclaw-1password@not-my-job

This registers the skill automatically. Ask Claude Code to "set up 1Password with OpenClaw" and it picks up the full guide.


. . .

Setup script

The included shell script handles the full lifecycle:

Command What it does
openclaw-1p-setup.sh setup Guided onboarding: vault, service account, .env file, per-secret providers, plist repair
openclaw-1p-setup.sh repair Fix LaunchAgent after openclaw update or openclaw gateway install
openclaw-1p-setup.sh verify Health check across token, providers, config, plist env vars, and gateway

You can run the script directly or let your AI assistant run it for you.


Requirements

  • OpenClaw 2026.3.2+ (works with newer versions)
  • 1Password CLI (op)
  • A paid 1Password account (service accounts require Teams, Business, or Enterprise)
  • jq (used by the setup script)

License

MIT

About

Secure OpenClaw with 1Password service accounts using SecretRef exec providers

Topics

security 1password secrets-management launchagent service-accounts credential-management ai-coding-tools claude-code-plugin openclaw secretref

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 1

Languages