1Password UI Extension
Adds a 1Password tab to the OpenClaw Control dashboard under the Tools group. Browse vaults, manage credential mappings for skills, and handle authentication — all from the web UI.
Features
| Feature | Description |
|---|---|
| Dashboard Tab | "1Password" under Tools in sidebar |
| Connection Status | See signed-in account, CLI/Connect mode |
| Sign In Flow | Authenticate directly from the UI |
| Docker Support | Works with 1Password Connect for containers |
| Credential Mappings | Map 1Password items to skill configs |
Agent Installation Prompt
To install this skill, give your agent this prompt:
Install the 1password-ui skill from ClawHub.
The skill is at: ~/clawd/skills/1password-ui/
Follow INSTALL_INSTRUCTIONS.md step by step.
Summary of changes needed:
1. Copy 1password-backend.ts to src/gateway/server-methods/1password.ts
2. Register handlers in server-methods.ts
3. Add "1password" tab to navigation.ts (TAB_GROUPS, Tab type, TAB_PATHS, icon, title, subtitle)
4. Add state variables to app.ts
5. Copy 1password-views.ts to ui/src/ui/views/1password.ts
6. Add view rendering to app-render.ts
7. Add tab loading to app-settings.ts
8. Build and restart: pnpm build && pnpm ui:build && clawdbot gateway restart
Prerequisites
For Local Installations (Ubuntu/Windows/macOS)
-
1Password CLI (
op):# macOS/Linux brew install 1password-cli # Or from https://1password.com/downloads/command-line/ -
CLI Integration enabled in 1Password app:
- Settings → Developer → "Integrate with 1Password CLI" ✓
For Docker Installations
See Docker Setup below.
Usage
Sign In
- Open OpenClaw Dashboard → Tools → 1Password
- Click Sign In with 1Password
- Authorize in the 1Password app popup (or run
op signinin terminal) - Status shows "Connected" with your account
Credential Mappings
Once signed in, you can map 1Password items to skills:
- Skills like Pipedream can read credentials from 1Password
- Mappings are stored in
~/clawd/config/1password-mappings.json - Format:
{ "skillId": { "item": "Item Name", "vault": "Private", "fields": {...} } }
Example: Pipedream with 1Password
# Store Pipedream credentials in 1Password
op item create --category="API Credential" --title="Pipedream Connect" \
--vault="Private" \
"client_id[text]=your_client_id" \
"client_secret[password]=your_client_secret" \
"project_id[text]=proj_xxxxx"
# Use in token refresh
PIPEDREAM_1PASSWORD_ITEM="Pipedream Connect" python3 ~/clawd/scripts/pipedream-token-refresh.py
Gateway RPC Methods
| Method | Description |
|---|---|
1password.status | Get CLI/Connect status, signed-in account |
1password.signin | Trigger sign-in flow |
1password.signout | Sign out of current session |
1password.vaults | List available vaults |
1password.items | List items in a vault |
1password.getItem | Get item field structure (not values) |
1password.readSecret | Read a secret (backend only) |
1password.mappings.list | Get skill → 1Password mappings |
1password.mappings.set | Create/update a mapping |
1password.mappings.delete | Remove a mapping |
1password.mappings.test | Test if a mapping works |
Docker Setup (1Password Connect)
For Docker-based OpenClaw installations, use 1Password Connect instead of the CLI.
Step 1: Deploy 1Password Connect
# docker-compose.yml
services:
op-connect-api:
image: 1password/connect-api:latest
ports:
- "8080:8080"
volumes:
- ./1password-credentials.json:/home/opuser/.op/1password-credentials.json:ro
- op-data:/home/opuser/.op/data
op-connect-sync:
image: 1password/connect-sync:latest
volumes:
- ./1password-credentials.json:/home/opuser/.op/1password-credentials.json:ro
- op-data:/home/opuser/.op/data
volumes:
op-data:
Step 2: Get Credentials
- Go to my.1password.com → Integrations → Secrets Automation
- Create a Connect server
- Download
1password-credentials.json - Create an access token
Step 3: Configure OpenClaw
services:
clawdbot:
environment:
- OP_CONNECT_HOST=http://op-connect-api:8080
- OP_CONNECT_TOKEN=your-access-token
The UI automatically detects Connect mode.
Files Included
1password-ui/
├── SKILL.md # This file
├── INSTALL_INSTRUCTIONS.md # Step-by-step installation
├── CHANGELOG.md # Version history
├── package.json # Skill metadata
├── reference/
│ ├── 1password-backend.ts # Gateway RPC handlers
│ ├── 1password-views.ts # UI view (Lit template)
│ ├── 1password-settings.ts # Tab loading logic
│ └── 1password-plugin.ts # Plugin registration (optional)
└── scripts/
└── op-helper.py # CLI/Connect bridge for skills
Security Considerations
✅ Safe by Design
| Aspect | Implementation |
|---|---|
| Secrets not in UI | getItem and items return field names only, never values |
| No network installers | No curl | sh or remote scripts — all code is local |
| Manual installation | Requires explicit code edits, no automated patching |
| Mapping file perms | 1password-mappings.json should be 0600 (contains references, not secrets) |
| CLI auth | Uses 1Password app integration for biometric auth when available |
⚠️ Documented Risks
| Risk | Mitigation |
|---|---|
readSecret RPC available | The 1password.readSecret method IS exposed via gateway RPC. This is intentional — skills need to read secrets. Security relies on: (1) 1Password requiring user auth, (2) gateway access control (loopback-only by default). |
| Gateway exposure | All 1password.* methods are RPC calls. If you expose your gateway to the network, protect it with authentication. |
| Connect token | In Docker mode, OP_CONNECT_TOKEN grants vault access. Keep it secure like any API key. |
File Security
# Recommended permissions for mapping file
chmod 600 ~/clawd/config/1password-mappings.json
Troubleshooting
"1Password CLI Not Found"
brew install 1password-cli
# or download from 1password.com/downloads/command-line/
"Not signed in"
op signin
op whoami # verify
Sign-in fails / "authorization denied"
- Unlock the 1Password app
- Enable CLI integration: Settings → Developer → "Integrate with 1Password CLI"
Docker: "connection refused"
docker ps | grep op-connect # check containers running
Docker: "401 unauthorized"
- Verify
OP_CONNECT_TOKENis set correctly - Check token hasn't expired
Support
- ClawHub: clawhub.ai/skills/1password-ui
- 1Password CLI: developer.1password.com/docs/cli
- 1Password Connect: developer.1password.com/docs/connect
- OpenClaw Discord: discord.com/invite/clawd
Changelog
v1.1.0 (2025-02-11)
- Full working implementation with dashboard UI
- Sign-in flow from web interface
- CLI and Connect mode support
- Credential mapping system
v1.0.0 (2025-02-11)
- Initial release with reference implementations