Add support for Bitwarden password manager CLI (bw) with: - Email/password, API key, and SSO authentication - tmux session workflow for secure session key management - Comprehensive reference documentation - Support for self-hosted Bitwarden/Vaultwarden servers - Multiple installation methods (npm, brew, choco) Tested end-to-end on ClawdBot VM: - Skill loads as clawdbot-managed with correct metadata - bw CLI installs and authenticates successfully - Vault operations (list, get username/password) work as documented - Session key management via BW_SESSION verified Mirrors the existing 1password skill pattern for consistency. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
4.8 KiB
4.8 KiB
Bitwarden CLI Examples
Prerequisites
All commands assume you are:
- Inside a tmux session:
tmux attach -t bitwardenortmux new -s bitwarden - Logged in:
bw login - Unlocked with session exported:
export BW_SESSION=$(bw unlock --raw)
Reading Credentials
Get Password by Name
# Simple lookup (requires unique name)
bw get password "GitHub"
# If multiple items match, use item ID
bw get password 12345678-1234-1234-1234-123456789012
Get Username
bw get username "GitHub"
Get TOTP Code
# Returns current 6-digit code
bw get totp "GitHub"
Get Full Item (JSON)
bw get item "GitHub"
# Pretty print
bw get item "GitHub" | jq .
# Extract specific login fields
bw get item "GitHub" | jq -r '.login.username'
bw get item "GitHub" | jq -r '.login.password'
bw get item "GitHub" | jq -r '.login.totp'
Get Custom Fields
# List all custom fields
bw get item "AWS Credentials" | jq '.fields'
# Get specific custom field by name
bw get item "AWS Credentials" | jq -r '.fields[] | select(.name=="access_key") | .value'
# Get hidden field
bw get item "AWS Credentials" | jq -r '.fields[] | select(.name=="secret_key") | .value'
Get Secure Notes
# Get note content
bw get notes "My Secure Note"
# Full item with metadata
bw get item "My Secure Note" | jq -r '.notes'
Listing and Searching
List All Items
# All items
bw list items
# Count items
bw list items | jq 'length'
# Item names only
bw list items | jq -r '.[].name'
Search Items
# Search by name (case-insensitive)
bw list items --search "github"
# Search in specific folder
bw list items --folderid 12345678-1234-1234-1234-123456789012 --search "api"
# Items without folder
bw list items --folderid null
List Folders
bw list folders
bw list folders | jq -r '.[].name'
List Organizations
bw list organizations
List Collections
bw list collections
bw list org-collections --organizationid <org-id>
Environment Variable Injection
Export to Environment
# Single credential
export GITHUB_TOKEN=$(bw get password "GitHub Token")
# Multiple credentials
export AWS_ACCESS_KEY_ID=$(bw get item "AWS" | jq -r '.fields[] | select(.name=="access_key") | .value')
export AWS_SECRET_ACCESS_KEY=$(bw get item "AWS" | jq -r '.fields[] | select(.name=="secret_key") | .value')
Run Command with Injected Secrets
# Using shell substitution
DATABASE_URL="postgres://user:$(bw get password 'DB Prod')@host/db" ./my-app
# Using environment export
export DATABASE_PASSWORD=$(bw get password "DB Prod")
./my-app
Vault Synchronization
Sync from Server
# Full sync
bw sync
# Force sync (ignore cache)
bw sync --force
Check Sync Status
bw status | jq '.lastSync'
Account Management
Check Current Session
# Full status
bw status
# Just logged-in state
bw status | jq -r '.status'
# Current user
bw status | jq -r '.userEmail'
Lock Vault
# Lock (keeps session, requires unlock)
bw lock
Logout
# Full logout (clears all session data)
bw logout
Working with Attachments
Download Attachment
# List attachments on an item
bw get item "SSL Certificate" | jq '.attachments'
# Download by attachment ID
bw get attachment <attachment-id> --itemid <item-id> --output ./cert.pem
Advanced: Creating and Editing Items
Get Templates
# Login item template
bw get template item
# Folder template
bw get template folder
Create New Item
# Create from template
bw get template item | jq '.name="New Item" | .login.username="user" | .login.password="pass"' | bw encode | bw create item
Edit Existing Item
# Get item, modify, update
bw get item <item-id> | jq '.login.password="newpassword"' | bw encode | bw edit item <item-id>
Error Handling Patterns
Check Authentication Before Operations
# Verify unlocked state
if [ "$(bw status | jq -r '.status')" != "unlocked" ]; then
echo "Vault is locked. Run: export BW_SESSION=\$(bw unlock --raw)"
exit 1
fi
Handle Missing Items
# Check if item exists
if ! bw get item "GitHub" >/dev/null 2>&1; then
echo "Item 'GitHub' not found in vault"
exit 1
fi
Multi-Account Setup
Use Different Config Directories
# Personal account
export BITWARDENCLI_APPDATA_DIR=~/.bitwarden-personal
bw login personal@example.com
# Work account (different terminal)
export BITWARDENCLI_APPDATA_DIR=~/.bitwarden-work
bw login work@company.com
Self-Hosted / Vaultwarden
Configure Custom Server
# Set server URL
bw config server https://vault.example.com
# Verify configuration
bw config server
# Reset to default Bitwarden cloud
bw config server https://vault.bitwarden.com