Bitwarden CLI
Manage passwords and secrets via the Bitwarden CLI.
References
- references/get-started.md (install + login + unlock flow)
- references/cli-examples.md (real bw examples)
Workflow
- Check CLI present: bw --version.
- Check login status: bw status (returns JSON with status field).
- If not logged in: bw login (stores API key, prompts for master password).
- REQUIRED: create a fresh tmux session for all bw commands.
- Unlock vault inside tmux: bw unlock (outputs session key).
- Export session key: export BW_SESSION="<key>".
- Verify access: bw sync then bw list items --search test.
REQUIRED tmux session
The Bitwarden CLI requires the BW_SESSION environment variable for authenticated commands. To persist the session across commands, always run bw inside a dedicated tmux session.
Example (see tmux skill for socket conventions):
SOCKET_DIR="${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/openclaw-tmux-sockets}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/openclaw-bw.sock"
SESSION="bw-auth-$(date +%Y%m%d-%H%M%S)"
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
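# Unlock and capture session key. bw unlock prompts for the master password in the pane:
# enter it there and wait for the shell prompt to return before sending the commands below,
# otherwise the next send-keys text is typed into the password prompt.
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- 'export BW_SESSION=$(bw unlock --raw)' Enter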
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- 'bw sync' Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- 'bw list items --search github' Enter
# Capture output (list results contain full item JSON, including secrets; keep it out of logs and chat)
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
# Cleanup when done
tmux -S "$SOCKET" kill-session -t "$SESSION"
Common Commands
| Command | Description |
|---|---|
| bw status | Check login/lock status (JSON) |
| bw login | Login with email/password or API key |
| bw unlock | Unlock vault, returns session key |
| bw lock | Lock vault |
| bw sync | Sync vault with server |
| bw list items | List all items |
| bw list items --search <query> | Search items |
| bw get item <id-or-name> | Get specific item (JSON) |
| bw get password <id-or-name> | Get just the password |
| bw get username <id-or-name> | Get just the username |
| bw get totp <id-or-name> | Get TOTP code |
| bw generate -ulns --length 32 | Generate password |
Guardrails
- Never paste secrets into logs, chat, or code.
- Always use tmux to maintain BW_SESSION across commands.
- Prefer bw get password over parsing full item JSON when only the password is needed.
- If a command returns "Vault is locked", re-run bw unlock inside tmux.
- Do not run authenticated bw commands outside tmux; the session won't persist.
- Lock vault when done: bw lock.
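An added example, not part of the skill's own scripts: a guard that reads the status field of bw status and runs an authenticated command only when the vault is unlocked, following the workflow and the "Vault is locked" guardrail above. The names bw_state, bw_guarded, BW_STATUS_CMD and fake_status are hypothetical, and the status JSON is constructed sample data.

```sh
#!/bin/sh
# Added example: run authenticated bw commands only when `bw status` says the
# vault is unlocked. Helper names are hypothetical, not part of the skill.

# Command that prints the status JSON; overridable so this runs offline.
BW_STATUS_CMD="${BW_STATUS_CMD:-bw status}"

# Constructed stand-in for `bw status` (sample JSON, not real output).
fake_status() {
  printf '{"serverUrl":"https://localhost:8443","lastSync":null,"status":"%s"}\n' \
    "${FAKE_STATE:-locked}"
}

# Print unauthenticated, locked or unlocked; anything else becomes "unknown".
bw_state() {
  s=$($BW_STATUS_CMD 2>/dev/null | tr -d '\n' |
      sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  case "$s" in
    unauthenticated|locked|unlocked) printf '%s\n' "$s" ;;
    *) printf 'unknown\n' ;;
  esac
}

# Run "$@" only when unlocked; otherwise name the workflow step and fail
# closed. Messages go to stderr and never include command output.
bw_guarded() {
  case "$(bw_state)" in
    unlocked) "$@" ;;
    locked) echo 'Vault is locked: re-run bw unlock inside tmux' >&2; return 3 ;;
    unauthenticated) echo 'Not logged in: run bw login' >&2; return 2 ;;
    *) echo 'Cannot read bw status: refusing to run' >&2; return 4 ;;
  esac
}

# Offline demo: BW_DEMO=1 sh this-file.sh
if [ "${BW_DEMO:-0}" = 1 ]; then
  BW_STATUS_CMD=fake_status
  for FAKE_STATE in unauthenticated locked unlocked; do
    bw_guarded echo "state=$FAKE_STATE: command ran" || echo "blocked with exit code $?"
  done
fi
```

Inside the tmux session, source the file and call, for example, bw_guarded bw get password <id-or-name>; an unreadable or unexpected status is treated the same as a locked vault and nothing runs.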
Testing with Vaultwarden
This skill includes a Docker Compose setup for local testing with Vaultwarden (self-hosted Bitwarden-compatible server).
Quick Start
# Install mkcert and generate local certs (one-time)
brew install mkcert
mkcert -install
cd /path/to/openclaw-bitwarden
mkdir -p certs && cd certs
mkcert localhost 127.0.0.1 ::1
cd ..
# Start Vaultwarden + Caddy
docker compose up -d
# Configure bw CLI to use local server
bw config server https://localhost:8443
# Create a test account via web UI at https://localhost:8443
# Or run the setup script:
./scripts/setup-test-account.sh
# Test the skill workflow
./scripts/test-skill-workflow.sh
Test Credentials
- Server URL: https://localhost:8443
- Admin Panel: https://localhost:8443/admin (token: test-admin-token-12345)
- Suggested test account: [email protected] / TestPassword123!
Node.js CA Trust
The bw CLI requires the mkcert CA to be trusted. Export before running bw commands:
export NODE_EXTRA_CA_CERTS="$(mkcert -CAROOT)/rootCA.pem"
Or add to your shell profile for persistence.
Cleanup
docker compose down -v # Remove container and data