bitwarden-secrets

Manage machine credentials in Bitwarden Secrets Manager with bws CLI. Use when user mentions Bitwarden Secrets Manager, bws, machine accounts, BWS_ACCESS_TOKEN, migrating .env keys, secret rotation, project scoping, credential bootstrap, or secure secret storage for OpenClaw/GasTown/CI. Handles project setup, create/update/list/delete secrets, env migration, and secure runtime patterns without exposing secret values.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "bitwarden-secrets" with this command: npx skills add leto-labs/openclaw-bootstrap-config/leto-labs-openclaw-bootstrap-config-bitwarden-secrets

Bitwarden Secrets

Manage credentials in Bitwarden Secrets Manager using bws.

What this skill does

  1. Set up and verify Bitwarden Secrets Manager access (bws, BWS_ACCESS_TOKEN)
  2. Create/update/list/delete secrets safely
  3. Sync secrets between Bitwarden projects and .env files in either direction
  4. Guide runtime usage (bws run vs on-demand fetch)
  5. Enforce secret-safety guardrails

Safety requirements (non-negotiable)

  • Never print secret values in chat responses.
  • Never commit secrets to git.
  • Report only key names and operation results (created/updated/deleted).
  • Treat management/super tokens as restricted credentials.

See references/security.md for full guardrails.

Quick workflow

1) Verify prerequisites

  • bws installed
  • jq available
  • BWS_ACCESS_TOKEN set

If not, install and configure before proceeding.

2) Sync local env file to Bitwarden project

Run:

scripts/bws_env_sync.sh env-to-bws --project <project-name> --env-file <path-to-env> --create-project

3) Sync Bitwarden project back into env file

Run:

scripts/bws_env_sync.sh bws-to-env --project <project-name> --env-file <path-to-env> --create-env

4) Optional key filtering

scripts/bws_env_sync.sh env-to-bws --project <project-name> --env-file <path-to-env> --keys KEY_A,KEY_B
scripts/bws_env_sync.sh bws-to-env --project <project-name> --env-file <path-to-env> --keys KEY_A,KEY_B

5) Verify without exposing values

Use bws secret list <project-id> -o table and report only key names.

Runtime patterns

Pattern A: wrapper injection

bws run -- <command>

Pattern B: on-demand fetch (preferred for least privilege)

  • Keep only BWS_ACCESS_TOKEN in runtime env
  • Fetch specific secret when needed via bws secret get

Use Pattern B for worker pools that should not see all secrets.

References

  • references/operations.md — command patterns for project + .env sync
  • references/security.md — guardrails, rotation, incident response
  • scripts/bws_env_sync.sh — generic .env <-> Bitwarden sync helper

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

desktop-bridge

No summary provided by upstream source.

Repository SourceNeeds Review
-3
leto-labs
General

repocache

No summary provided by upstream source.

Repository SourceNeeds Review
-3
leto-labs
General

gog-onboard

No summary provided by upstream source.

Repository SourceNeeds Review
-3
leto-labs