Set up and use Bitwarden CLI (bw). Use when installing the CLI, authenticating (login/unlock), or reading secrets from your vault. Supports email/password, API key, and SSO authentication methods.
Security Analysis
high confidenceThe skill is internally consistent with its stated purpose: it documents and requires the Bitwarden CLI (bw), offers standard install methods, and the instructions reflect normal vault operations — no unexplained credentials or downloads were requested — but follow standard secret-handling precautions (session keys, environment exports).
Name, description, required binary (bw), and install spec (homebrew/npm/choco/snap/native) all match the stated goal of providing Bitwarden CLI usage. There are no unrelated binaries, credentials, or config paths requested that don't belong to a password-manager CLI skill.
SKILL.md contains explicit runtime instructions to create a tmux session, run bw login/unlock, export BW_SESSION, and use bw get/list commands to read secrets. Those steps are coherent for a CLI-first Bitwarden workflow. The instructions also encourage piping secrets into environment variables and other commands — this is expected for automation but increases risk of accidental exposure. The file references environment variables (BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET, BITWARDENCLI_APPDATA_DIR) even though the registry 'requires.env' is empty; this is normal (they are standard Bitwarden variables) but worth noting.
Install options are standard package sources (Homebrew formula, npm package @bitwarden/cli, Chocolatey, snap, and direct binaries). No arbitrary or shortened URLs or extracted archives from unknown hosts are used in the provided install metadata. npm/global installs carry the usual supply-chain caveats but are expected for this tool.
The skill does not request platform credentials or secrets itself (requires.env is empty), but the runtime instructions require and show how to export sensitive values (BW_SESSION, BW_CLIENTID, BW_CLIENTSECRET) and how to pull vault secrets into process environment variables (e.g., exporting AWS keys). That behavior is intrinsic to a secrets-management skill but is sensitive: exporting session tokens or secrets into shell environment increases the attack surface (other processes, logs, shell history).
Skill does not request always:true and does not attempt to modify other skills or system-wide agent settings. It's instruction-only and has no persistent installation behavior beyond installing the expected bw binary via normal package managers.
Guidance
This skill appears to do what it says (help you install and use the Bitwarden CLI). Before installing or using it: 1) Verify the bw binary you install is the official Bitwarden client (use Homebrew, the official npm package @bitwarden/cli, Chocolatey, snap, or official downloads) and check signatures/URLs where possible. 2) Be cautious exporting BW_SESSION or vault secrets into long-lived shells or files — any process that shares the session or the environment can read those values. Prefer transient, short-lived sessions and run bw commands in isolated shells or ephemeral processes; run bw lock or bw logout when finished. 3) Avoid writing secrets to disk or logs; if automation requires secrets as env vars, scope their lifetime and revoke or re-lock afterward. 4) When using npm/global installs, ensure your node environment and package sources are trusted. 5) If you will allow an autonomous agent to use this skill, explicitly decide whether you want the agent to access your vault and consider limiting its access (create limited API keys or separate vault items).
Latest Release
v1.0.0
Initial release: Bitwarden password manager CLI skill with email/password, API key, and SSO auth. Supports self-hosted Vaultwarden. tmux workflow for session management. Full reference docs included.
More by @StartupBros
Published by @StartupBros on ClawHub
