Bitwarden Vault CLI

Set up and use Bitwarden CLI (bw). Use when installing the CLI, authenticating (login/unlock), or reading secrets from your vault. Supports email/password, API key, and SSO authentication methods.

Installer
$clawhub install bitwarden-vault

Bitwarden CLI Skill

The Bitwarden command-line interface (CLI) provides full access to your Bitwarden vault for retrieving passwords, secure notes, and other secrets programmatically.

Workflow Requirements

CRITICAL: Always run bw commands inside a dedicated tmux session. The CLI requires a session key (BW_SESSION) for all vault operations after authentication. A tmux session preserves this environment variable across commands.

Required Workflow

  1. Verify CLI installation: Run bw --version to confirm the CLI is available

  2. Create a dedicated tmux session: tmux new-session -d -s bw-session

  3. Attach and authenticate: Run bw login or bw unlock inside the session

  4. Export session key: After unlock, export BW_SESSION as instructed by the CLI

  5. Execute vault commands: Use bw get, bw list, etc. within the same session

Authentication Methods

Method Command Use Case
Email/Password bw login Interactive sessions, first-time setup
API Key bw login --apikey Automation, scripts (requires separate unlock)
SSO bw login --sso Enterprise/organization accounts

After bw login with email/password, your vault is automatically unlocked. For API key or SSO login, you must subsequently run bw unlock to decrypt the vault.

Session Key Management

The unlock command outputs a session key. You must export it:


# Bash/Zsh
export BW_SESSION="<session_key_from_unlock>"

# Or capture automatically
export BW_SESSION=$(bw unlock --raw)

Session keys remain valid until you run bw lock or bw logout. They do not persist across terminal windows—hence the tmux requirement.

Reading Secrets


# Get password by item name
bw get password "GitHub"

# Get username
bw get username "GitHub"

# Get TOTP code
bw get totp "GitHub"

# Get full item as JSON
bw get item "GitHub"

# Get specific field
bw get item "GitHub" | jq -r '.fields[] | select(.name=="api_key") | .value'

# List all items
bw list items

# Search items
bw list items --search "github"

Security Guardrails

  • NEVER expose secrets in logs, code, or command output visible to users

  • NEVER write secrets to disk unless absolutely necessary

  • ALWAYS use bw lock when finished with vault operations

  • PREFER reading secrets directly into environment variables or piping to commands

  • If you receive "Vault is locked" errors, re-authenticate with bw unlock

  • If you receive "You are not logged in" errors, run bw login first

  • Stop and request assistance if tmux is unavailable on the system

Environment Variables

Variable Purpose
BW_SESSION Session key for vault decryption (required for all vault commands)
BW_CLIENTID API key client ID (for --apikey login)
BW_CLIENTSECRET API key client secret (for --apikey login)
BITWARDENCLI_APPDATA_DIR Custom config directory (enables multi-account setups)

Self-Hosted Servers

For Vaultwarden or self-hosted Bitwarden:

bw config server https://your-bitwarden-server.com

Reference Documentation

  • Get Started Guide - Installation and initial setup

  • CLI Examples - Common usage patterns and advanced operations

Détails

Version
v1.0.0
Téléchargements
2,029
Étoiles
3
ClawHub
Voir sur ClawHub

Skills populaires

Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when (1) a command, tool, API, or operation fails; (2) the user corrects you or rejects your work; (3) you realize your knowledge is outdated or incorrect; (4) you discover a better approach; (5) the user explicitly installs or references the skill for the current task.
OpenClaw YouTube Transcript
Transcribe YouTube videos to text by extracting captions and subtitles directly from the video URL using yt-dlp without audio processing.
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.