请参见下方翻译(由于原始内容较长,仅提供关键部分翻译,完整内容请参考原始技能文档)
Bitwarden/Vaultwarden CLI (bw) wrapper with automatic login, session caching, and convenient commands. Works seamlessly with both official Bitwarden (vault.bitwarden.com) and self-hosted Vaultwarden instances.
Requirements
- Bitwarden CLI (
bw) installed: npm install -g @bitwarden/cli
- A Bitwarden or Vaultwarden server instance
- Credentials configured (see Configuration below)
Configuration
Set credentials via environment variables or a credentials file:
# Environment variables (preferred)
export BW_SERVER="https://vault.bitwarden.com" # Official Bitwarden
# OR
export BW_SERVER="https://your-vaultwarden-instance.example.com" # Vaultwarden
export BW_EMAIL="your-email@example.com"
export BW_MASTER_PASSWORD="your-master-password"# Or use a credentials file (default: secrets/bitwarden.env)
export CREDS_FILE="/path/to/your/bitwarden.env"
The credentials file should contain:
BW_SERVER=https://vault.bitwarden.com
BW_EMAIL=your-email@example.com
BW_MASTER_PASSWORD=your-master-password
Invocation
bash skills/bitwarden/bw.sh [args...]
Commands
| Command | Description | Example |
|---|
register [email] [pass] [name] | Register new account | bw.sh register user@example.com pass123 "My Name" |
login | Login & unlock vault | bw.sh login |
status | Show vault status | bw.sh status |
list [search] | List/search items | bw.sh list github |
get | id> | Get full item JSON | bw.sh get "GitHub" | |
get-password | id> | Get password only | bw.sh get-password "GitHub" | |
get-username | id> | Get username only | bw.sh get-username "GitHub" | |
create [uri] [notes] | Create login | bw.sh create "GitHub" user pass https://github.com |
generate [length] | Generate password | bw.sh generate 32 |
delete | Delete item | bw.sh delete |
lock | Lock vault | bw.sh lock |
Workflow
- First call per session:
bw.sh login (auto-authenticates from configured credentials)
- Session token cached at
/tmp/.bw_session
- All subsequent commands auto-use the cached session
- After reboot/restart: run
login again
Storing New Credentials
# Generate + store
PASS=$(bash skills/bitwarden/bw.sh generate 32)
bash skills/bitwarden/bw.sh create "New Service" "user@email.com" "$PASS" "https://service.com"
Account Registration
Register a new account on your Bitwarden/Vaultwarden server directly from the CLI:
# Register using configured credentials (from env/credentials file)
bash skills/bitwarden/bw.sh register# Register with explicit credentials
bash skills/bitwarden/bw.sh register "user@example.com" "SecurePass123!" "Display Name"
How it works:
- Derives a master key using PBKDF2-SHA256 (600,000 iterations) with the email as salt
- Creates a master password hash for server authentication
- Generates a 64-byte symmetric key, encrypted with AES-256-CBC + HMAC-SHA256
- Submits registration to the server's
/api/accounts/register endpoint
Requirements: OpenSSL 3.x+ (for PBKDF2 and HKDF support), curl, xxd.
Note: The master password must be at least 12 characters. Works with both official Bitwarden and Vaultwarden servers.
Guardrails
- Never paste secrets into logs, chat, or code.
- Keep
bitwarden.env out of version control.
- Use
chmod 600 on credential files.
- Session tokens are stored in
/tmp and cleared on lock/logout.
External Endpoints
| Endpoint | Purpose | Data Sent |
|---|
| User-configured BW_SERVER | Bitwarden/Vaultwarden API | Encrypted vault data, authentication credentials |
Note: The skill communicates with the Bitwarden server you configure via
BW_SERVER. For official Bitwarden, this is
https://vault.bitwarden.com. For Vaultwarden, this is your self-hosted instance URL.
Security & Privacy
What leaves your machine:
- Authentication requests (email, master password) to your configured Bitwarden server
- Encrypted vault data (create/read/update/delete operations)
- All communication uses HTTPS/TLS
What stays local:
- Session tokens (cached in
/tmp/.bw_session)
- Credential files (if using
bitwarden.env)
- Decrypted passwords (only in memory, never written to disk)
Trust statement:
By using this skill, you are sending authentication credentials and vault data to the Bitwarden server you configure. Only install this skill if you trust your Bitwarden/Vaultwarden instance.
Model Invocation
This skill can be invoked autonomously by your OpenClaw agent when it needs to:
- Store credentials securely
- Retrieve passwords for automation tasks
- Generate secure passwords
If you prefer manual approval before password operations, configure your OpenClaw agent's tool policy accordingly.
Security Best Practices
- Credentials file: Use
chmod 600 on secrets/bitwarden.env
- Environment isolation: Don't share credential files across systems
- Session tokens: Automatically expire; run
bw.sh lock when done
- Git: The
.gitignore excludes all secrets (secrets/, *.env, .bw_session)
- Master password: Never hardcode or log your master password
by