Bitwarden Skill for OpenClaw
Access secrets via Bitwarden/Vaultwarden CLI and API.
Last updated: 2026-03-11
Quick Install
$ npx clawhub@latest install bitwarden
OpenClaw Bitwarden Skill Overview
The Bitwarden skill connects OpenClaw to your Bitwarden or Vaultwarden vault through the official Bitwarden CLI (bw). Once installed, your OpenClaw agent can retrieve passwords, API keys, service tokens, and other secrets on demand — using plain English instead of navigating the vault UI.
This skill is ideal for self-hosted teams and developers who store service credentials in Bitwarden and need quick, programmatic access during development workflows. Whether you are deploying to a staging server, configuring a new service, or rotating API keys, the Bitwarden skill eliminates context-switching between your terminal and your password manager.
The OpenClaw Bitwarden skill treats security as a first-class concern. Session tokens are short-lived by default, vault contents are never cached to disk, and every retrieval is logged so you maintain full audit trail visibility.
Typical workflow:
- Ask OpenClaw for a specific credential (e.g., "Get the staging database password").
- The agent authenticates with your Bitwarden vault and searches for the item.
- The secret is returned directly in your session — no browser or app switching required.
Prerequisites for Bitwarden Skill
Before installing the Bitwarden skill, make sure you have:
- OpenClaw installed and running (v1.0+)
- Bitwarden CLI (bw) installed — official installation guide
- A Bitwarden account (cloud or self-hosted Vaultwarden instance)
- clawhub CLI installed for skill management
Verify your setup:
# Check OpenClaw version
openclaw --version
# Check Bitwarden CLI version
bw --version
# Check login status
bw status
For self-hosted Vaultwarden users, configure your server URL first:
bw config server https://vault.yourdomain.com
How to Install the Bitwarden Skill
Install the Bitwarden skill with a single command:
npx clawhub@latest install bitwarden
To verify the installation:
clawhub list
You should see bitwarden in the list of installed skills.
Bitwarden Skill Configuration
The Bitwarden skill requires authentication with your vault. There are two approaches depending on your use case.
Interactive Login
For personal development use, log in interactively:
# Log in to Bitwarden cloud (or to the server set with bw config server)
bw login
# Or log in through single sign-on (SSO)
bw login --sso
After login, unlock the vault to create a session:
export BW_SESSION=$(bw unlock --raw)
API Key Authentication
For automated workflows and CI/CD pipelines, use API key authentication:
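export BW_CLIENTID=your_client_id
export BW_CLIENTSECRET=your_client_secret
bw login --apikey
# bw unlock prompts for the master password; in a non-interactive job,
# supply it with --passwordenv <VAR> or --passwordfile <path>
export BW_SESSION=$(bw unlock --raw)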
Generate your API key at vault.bitwarden.com/#/settings/security/security-keys.
Environment Variables
| Variable | Required | Purpose |
|----------|----------|---------|
| BW_SESSION | Yes | Active session token for vault access |
| BW_CLIENTID | For API auth | Bitwarden API client ID |
| BW_CLIENTSECRET | For API auth | Bitwarden API client secret |
Important: Never hardcode session tokens or API credentials in configuration files. Use environment variables and keep sessions short-lived. Lock your vault when not actively using it with bw lock.
Bitwarden Skill Usage Examples
1. Retrieve a Specific Secret
You: "Get the AWS access key from my Bitwarden vault."
The agent searches your vault for items matching "AWS access key", retrieves the credential, and returns the username and password fields. If multiple matches exist, it presents a list for you to choose from.
2. Generate a Secure Password
You: "Generate a 32-character password with special characters and save it as 'New API Token' in the DevOps folder."
The agent uses bw generate to create a cryptographically secure password, then creates a new vault item with the generated password in the specified folder.
bw generate --length 32 --special --uppercase --lowercase --number
3. Search and List Vault Items
You: "List all credentials in the 'Production' collection."
The agent queries your vault by collection name and returns a summary of all items — showing names, usernames, and last-modified dates without exposing actual passwords unless you explicitly request them.
4. Retrieve TOTP Codes
You: "Get the two-factor code for my GitHub account."
The agent retrieves the TOTP seed from your vault and generates the current 6-digit code using bw get totp github. This is useful when you need MFA codes without switching to a mobile authenticator app.
Security & Best Practices
The Bitwarden skill accesses your most sensitive credentials. Follow these guidelines strictly:
- Keep sessions short-lived. Lock your vault immediately after retrieving secrets with bw lock. Avoid keeping BW_SESSION active longer than necessary.
- Never export the full vault. The skill retrieves individual items on demand. Avoid commands like bw export which dump all credentials.
- Use collections for access control. Organize secrets into collections and limit which collections the agent can access. This follows the principle of least privilege.
- Enable two-factor authentication. Protect your Bitwarden account with TOTP, FIDO2, or hardware key authentication.
- Audit access logs. Regularly review your Bitwarden event logs to track which items were accessed and when.
- Prefer Bitwarden Secrets Manager for automation. For production CI/CD workflows, consider Bitwarden Secrets Manager which provides machine-identity access tokens instead of user credentials.
For broader secret scanning and leak prevention, pair this skill with ggshield Scanner to detect accidentally committed secrets.
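The session guidance above, together with the "Not logged in" and "Vault is locked" states covered under troubleshooting, can be combined into one wrapper. This is an added example, not code from the skill or from Bitwarden: the function names vault_state and fetch_secret are hypothetical, and it assumes bw is on PATH and bw login has already been run.

```shell
#!/bin/sh
# Added example (not part of the skill): fetch one secret with a session
# that lives only for the duration of a single function call.

# vault_state prints the "status" field of the JSON emitted by `bw status`:
# unauthenticated, locked or unlocked. Prints nothing if bw fails.
vault_state() {
  bw status 2>/dev/null |
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# fetch_secret ITEM: unlock, read one password field, lock again.
# Return codes: 0 ok, 2 not logged in, 3 unlock failed, 4 lookup failed.
fetch_secret() {
  local item="$1" session secret rc
  case "$(vault_state)" in
    unauthenticated|"")
      echo "not logged in: run 'bw login' first" >&2
      return 2 ;;
  esac
  # Keep the token in a local variable instead of exporting BW_SESSION,
  # so child processes of this shell never inherit it.
  session=$(bw unlock --raw) || { echo "unlock failed" >&2; return 3; }
  if secret=$(bw get password "$item" --session "$session"); then
    rc=0
  else
    rc=$?
  fi
  # Lock on every path, including a failed or ambiguous lookup.
  bw lock >/dev/null 2>&1 || true
  unset session
  [ "$rc" -eq 0 ] || { echo "lookup failed for '$item'" >&2; return 4; }
  printf '%s\n' "$secret"
}

# Usage (interactive; bw prompts for the master password):
#   fetch_secret "staging database"
```

Because the token is passed with --session and never exported, a later bw command in the same shell starts from a locked vault.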
Troubleshooting Common Errors
"Vault is locked"
Your session has expired or was never started.
# Unlock the vault and export the session token
export BW_SESSION=$(bw unlock --raw)
If you are not logged in at all, run bw login first.
"Not logged in"
You need to authenticate before unlocking:
# Log in to Bitwarden
bw login your@email.com
# Then unlock
export BW_SESSION=$(bw unlock --raw)
"No items found matching the search term"
The search query did not match any vault items. Try:
- Using a broader search term
- Checking the item name in your vault UI
- Syncing the vault with bw sync to pull the latest changes
You: "Search for items containing 'database' in any field."
FAQ
Yes, when used responsibly. The skill retrieves individual secrets on demand and does not cache or write them to disk. Session tokens are short-lived by default, and you can lock the vault immediately after retrieval. For production environments, we recommend using [Bitwarden Secrets Manager](https://bitwarden.com/products/secrets-manager/) with machine-identity tokens instead of personal vault access. Always review the [Safety Checklist](/skills#safety) before connecting any secret manager to an AI agent.
Yes. The Bitwarden CLI is fully compatible with [Vaultwarden](https://github.com/dani-garcia/vaultwarden) (formerly bitwarden_rs). Configure your server URL with `bw config server https://vault.yourdomain.com` before logging in. All skill features — search, retrieval, generation, TOTP — work identically with Vaultwarden. For teams using self-hosted infrastructure, this pairs well with the [1Password skill](/skills/1password) as an alternative.
Both skills provide secret management through their respective CLIs. The Bitwarden skill uses the `bw` CLI and supports both Bitwarden cloud and self-hosted Vaultwarden instances, making it the better choice for teams that prefer open-source, self-hosted infrastructure. The [1Password skill](/skills/1password) uses the `op` CLI and offers deeper integration with 1Password's service accounts. Choose based on which password manager your team already uses.
Related Skills
Scan repositories for hardcoded secrets (500+ secret types).
Apply safety guardrails around tool use and risky actions.