openclaw/skills/bitwarden/references/cli-examples.md
Will Mitchell 8501adfb9b feat(skills): add Bitwarden CLI skill
Add support for Bitwarden password manager CLI (bw) with:
- Email/password, API key, and SSO authentication
- tmux session workflow for secure session key management
- Comprehensive reference documentation
- Support for self-hosted Bitwarden/Vaultwarden servers
- Multiple installation methods (npm, brew, choco)

Tested end-to-end on ClawdBot VM:
- Skill loads as clawdbot-managed with correct metadata
- bw CLI installs and authenticates successfully
- Vault operations (list, get username/password) work as documented
- Session key management via BW_SESSION verified

Mirrors the existing 1password skill pattern for consistency.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-26 20:26:55 -05:00

4.8 KiB

Bitwarden CLI Examples

Prerequisites

All commands assume you are:

  1. Inside a tmux session: tmux attach -t bitwarden or tmux new -s bitwarden
  2. Logged in: bw login
  3. Unlocked with session exported: export BW_SESSION=$(bw unlock --raw)

Reading Credentials

Get Password by Name

# Simple lookup (requires unique name)
bw get password "GitHub"

# If multiple items match, use item ID
bw get password 12345678-1234-1234-1234-123456789012

Get Username

bw get username "GitHub"

Get TOTP Code

# Returns current 6-digit code
bw get totp "GitHub"

Get Full Item (JSON)

bw get item "GitHub"

# Pretty print
bw get item "GitHub" | jq .

# Extract specific login fields
bw get item "GitHub" | jq -r '.login.username'
bw get item "GitHub" | jq -r '.login.password'
bw get item "GitHub" | jq -r '.login.totp'

Get Custom Fields

# List all custom fields
bw get item "AWS Credentials" | jq '.fields'

# Get specific custom field by name
bw get item "AWS Credentials" | jq -r '.fields[] | select(.name=="access_key") | .value'

# Get hidden field
bw get item "AWS Credentials" | jq -r '.fields[] | select(.name=="secret_key") | .value'

Get Secure Notes

# Get note content
bw get notes "My Secure Note"

# Full item with metadata
bw get item "My Secure Note" | jq -r '.notes'

Listing and Searching

List All Items

# All items
bw list items

# Count items
bw list items | jq 'length'

# Item names only
bw list items | jq -r '.[].name'

Search Items

# Search by name (case-insensitive)
bw list items --search "github"

# Search in specific folder
bw list items --folderid 12345678-1234-1234-1234-123456789012 --search "api"

# Items without folder
bw list items --folderid null

List Folders

bw list folders
bw list folders | jq -r '.[].name'

List Organizations

bw list organizations

List Collections

bw list collections
bw list org-collections --organizationid <org-id>

Environment Variable Injection

Export to Environment

# Single credential
export GITHUB_TOKEN=$(bw get password "GitHub Token")

# Multiple credentials
export AWS_ACCESS_KEY_ID=$(bw get item "AWS" | jq -r '.fields[] | select(.name=="access_key") | .value')
export AWS_SECRET_ACCESS_KEY=$(bw get item "AWS" | jq -r '.fields[] | select(.name=="secret_key") | .value')

Run Command with Injected Secrets

# Using shell substitution
DATABASE_URL="postgres://user:$(bw get password 'DB Prod')@host/db" ./my-app

# Using environment export
export DATABASE_PASSWORD=$(bw get password "DB Prod")
./my-app

Vault Synchronization

Sync from Server

# Full sync
bw sync

# Force sync (ignore cache)
bw sync --force

Check Sync Status

bw status | jq '.lastSync'

Account Management

Check Current Session

# Full status
bw status

# Just logged-in state
bw status | jq -r '.status'

# Current user
bw status | jq -r '.userEmail'

Lock Vault

# Lock (keeps session, requires unlock)
bw lock

Logout

# Full logout (clears all session data)
bw logout

Working with Attachments

Download Attachment

# List attachments on an item
bw get item "SSL Certificate" | jq '.attachments'

# Download by attachment ID
bw get attachment <attachment-id> --itemid <item-id> --output ./cert.pem

Advanced: Creating and Editing Items

Get Templates

# Login item template
bw get template item

# Folder template
bw get template folder

Create New Item

# Create from template
bw get template item | jq '.name="New Item" | .login.username="user" | .login.password="pass"' | bw encode | bw create item

Edit Existing Item

# Get item, modify, update
bw get item <item-id> | jq '.login.password="newpassword"' | bw encode | bw edit item <item-id>

Error Handling Patterns

Check Authentication Before Operations

# Verify unlocked state
if [ "$(bw status | jq -r '.status')" != "unlocked" ]; then
    echo "Vault is locked. Run: export BW_SESSION=\$(bw unlock --raw)"
    exit 1
fi

Handle Missing Items

# Check if item exists
if ! bw get item "GitHub" >/dev/null 2>&1; then
    echo "Item 'GitHub' not found in vault"
    exit 1
fi

Multi-Account Setup

Use Different Config Directories

# Personal account
export BITWARDENCLI_APPDATA_DIR=~/.bitwarden-personal
bw login personal@example.com

# Work account (different terminal)
export BITWARDENCLI_APPDATA_DIR=~/.bitwarden-work
bw login work@company.com

Self-Hosted / Vaultwarden

Configure Custom Server

# Set server URL
bw config server https://vault.example.com

# Verify configuration
bw config server

# Reset to default Bitwarden cloud
bw config server https://vault.bitwarden.com