Add support for Bitwarden password manager CLI (bw) with: - Email/password, API key, and SSO authentication - tmux session workflow for secure session key management - Comprehensive reference documentation - Support for self-hosted Bitwarden/Vaultwarden servers - Multiple installation methods (npm, brew, choco) Tested end-to-end on ClawdBot VM: - Skill loads as clawdbot-managed with correct metadata - bw CLI installs and authenticates successfully - Vault operations (list, get username/password) work as documented - Session key management via BW_SESSION verified Mirrors the existing 1password skill pattern for consistency. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
104 lines
3.9 KiB
Markdown
104 lines
3.9 KiB
Markdown
---
|
|
name: bitwarden
|
|
description: Set up and use Bitwarden CLI (bw). Use when installing the CLI, authenticating (login/unlock), or reading secrets from your vault. Supports email/password, API key, and SSO authentication methods.
|
|
homepage: https://bitwarden.com/help/cli/
|
|
metadata: {"clawdbot":{"emoji":"🔒","requires":{"bins":["bw"]},"install":[{"id":"npm","kind":"npm","package":"@bitwarden/cli","bins":["bw"],"label":"Install Bitwarden CLI (npm)"},{"id":"brew","kind":"brew","formula":"bitwarden-cli","bins":["bw"],"label":"Install Bitwarden CLI (brew)"},{"id":"choco","kind":"choco","package":"bitwarden-cli","bins":["bw"],"label":"Install Bitwarden CLI (choco)"}]}}
|
|
---
|
|
|
|
# Bitwarden CLI Skill
|
|
|
|
The Bitwarden command-line interface (CLI) provides full access to your Bitwarden vault for retrieving passwords, secure notes, and other secrets programmatically.
|
|
|
|
## Workflow Requirements
|
|
|
|
**CRITICAL:** Always run `bw` commands inside a dedicated tmux session. The CLI requires a session key (`BW_SESSION`) for all vault operations after authentication. A tmux session preserves this environment variable across commands.
|
|
|
|
### Required Workflow
|
|
|
|
1. **Verify CLI installation**: Run `bw --version` to confirm the CLI is available
|
|
2. **Create a dedicated tmux session**: `tmux new-session -d -s bw-session`
|
|
3. **Attach and authenticate**: Run `bw login` or `bw unlock` inside the session
|
|
4. **Export session key**: After unlock, export `BW_SESSION` as instructed by the CLI
|
|
5. **Execute vault commands**: Use `bw get`, `bw list`, etc. within the same session
|
|
|
|
### Authentication Methods
|
|
|
|
| Method | Command | Use Case |
|
|
|--------|---------|----------|
|
|
| Email/Password | `bw login` | Interactive sessions, first-time setup |
|
|
| API Key | `bw login --apikey` | Automation, scripts (requires separate unlock) |
|
|
| SSO | `bw login --sso` | Enterprise/organization accounts |
|
|
|
|
After `bw login` with email/password, your vault is automatically unlocked. For API key or SSO login, you must subsequently run `bw unlock` to decrypt the vault.
|
|
|
|
### Session Key Management
|
|
|
|
The unlock command outputs a session key. You **must** export it:
|
|
|
|
```bash
|
|
# Bash/Zsh
|
|
export BW_SESSION="<session_key_from_unlock>"
|
|
|
|
# Or capture automatically
|
|
export BW_SESSION=$(bw unlock --raw)
|
|
```
|
|
|
|
Session keys remain valid until you run `bw lock` or `bw logout`. They do **not** persist across terminal windows—hence the tmux requirement.
|
|
|
|
## Reading Secrets
|
|
|
|
```bash
|
|
# Get password by item name
|
|
bw get password "GitHub"
|
|
|
|
# Get username
|
|
bw get username "GitHub"
|
|
|
|
# Get TOTP code
|
|
bw get totp "GitHub"
|
|
|
|
# Get full item as JSON
|
|
bw get item "GitHub"
|
|
|
|
# Get specific field
|
|
bw get item "GitHub" | jq -r '.fields[] | select(.name=="api_key") | .value'
|
|
|
|
# List all items
|
|
bw list items
|
|
|
|
# Search items
|
|
bw list items --search "github"
|
|
```
|
|
|
|
## Security Guardrails
|
|
|
|
- **NEVER** expose secrets in logs, code, or command output visible to users
|
|
- **NEVER** write secrets to disk unless absolutely necessary
|
|
- **ALWAYS** use `bw lock` when finished with vault operations
|
|
- **PREFER** reading secrets directly into environment variables or piping to commands
|
|
- If you receive "Vault is locked" errors, re-authenticate with `bw unlock`
|
|
- If you receive "You are not logged in" errors, run `bw login` first
|
|
- Stop and request assistance if tmux is unavailable on the system
|
|
|
|
## Environment Variables
|
|
|
|
| Variable | Purpose |
|
|
|----------|---------|
|
|
| `BW_SESSION` | Session key for vault decryption (required for all vault commands) |
|
|
| `BW_CLIENTID` | API key client ID (for `--apikey` login) |
|
|
| `BW_CLIENTSECRET` | API key client secret (for `--apikey` login) |
|
|
| `BITWARDENCLI_APPDATA_DIR` | Custom config directory (enables multi-account setups) |
|
|
|
|
## Self-Hosted Servers
|
|
|
|
For Vaultwarden or self-hosted Bitwarden:
|
|
|
|
```bash
|
|
bw config server https://your-bitwarden-server.com
|
|
```
|
|
|
|
## Reference Documentation
|
|
|
|
- [Get Started Guide](references/get-started.md) - Installation and initial setup
|
|
- [CLI Examples](references/cli-examples.md) - Common usage patterns and advanced operations
|