migrate-env-to-1password

Move the secrets in your .env file into 1Password using the official op CLI, then rewrite .env to reference those entries via op:// URIs. Commands still run via op run --env-file=.env -- <cmd>.

Install with your preferred package manager.

gh

gh skill install oharu121/skills migrate-env-to-1password

npx

npx skills add oharu121/skills/migrate-env-to-1password

pnpm

pnpm dlx skills add oharu121/skills/migrate-env-to-1password

What it does

A .env with plaintext API keys is the default on most projects, and a known risk. The remediation — op:// references resolved at runtime by the op CLI — is correct but fiddly: you create the 1Password item, hand-build the op://Vault/Item/Field URI for every key, and hope you didn’t typo. This skill does that migration end-to-end.

It reads your .env, confirms which variables to migrate, creates a single 1Password login item holding all of them in the vault you pick, then rewrites .env so each line points to the right field. A final verification runs op run --env-file=.env -- env and confirms every variable resolves.

The skill runs fully interactively — every destructive step (creating the 1Password item, overwriting .env) waits on AskUserQuestion confirmation. If op isn’t installed, it offers to install via brew install --cask 1password-cli.

When to use it

• Your project still has plaintext .env values and you want them in a vault before the next team member joins
• You’ve set up 1Password but never did the migration for an existing project — this finishes the job
• You want a tested round-trip: .env → 1Password items → op:// refs → verified resolution

When not to use it

Prompts and guidance in this skill are in Japanese. All op:// references and variable names stay in English, but interactive confirmations are 日本語. If that’s wrong for your team, use op item create directly or fork the skill.

How it works

1. Read .env. Variables and values are listed. You confirm which to migrate.

2. Install op if missing. which op is checked; if absent, the skill asks to run brew install --cask 1password-cli.

3. Verify auth. op whoami checks you’re signed in. If not, the skill walks you through enabling Settings → Developer → Connect with 1Password CLI in the desktop app, or running eval $(op signin).

4. Pick a vault. op vault list surfaces your vaults; you pick one via AskUserQuestion.

5. Create the 1Password item. A single login item with all migrated variables as fields. Title defaults to the project directory name but is confirmable.

6. Rewrite .env. Each KEY=value becomes KEY=op://Vault/Item/Field. The skill shows you the diff before overwriting.

7. Verify. op run --env-file=.env -- env | grep <KEY> confirms each variable resolves. Success message includes the op run usage pattern for running your actual commands.

Example

Before:

.env

OPENAI_API_KEY=sk-proj-abc123...
DATABASE_URL=postgres://user:pass@host/db
STRIPE_SECRET_KEY=sk_test_xyz...

After the migration, the same file reads:

.env

OPENAI_API_KEY=op://Personal/my-app/openai_api_key
DATABASE_URL=op://Personal/my-app/database_url
STRIPE_SECRET_KEY=op://Personal/my-app/stripe_secret_key

And every command you’d normally run gets a wrapper:

op run --env-file=.env -- node script.js
op run --env-file=.env -- python main.py

Notes

• Scripts that read .env directly will get the literal op:// string, not the value. Pipe them through op run or use a library that calls op read.
• Git history: if plaintext values were ever committed, rotating them after migration is part of the remediation, not an optional step.
• Rate limits: on large projects, op hits a rate limit; wait and retry is safe.

Related skills

bedrock-ops Keep TOTP secrets and MFA serials in 1Password instead of aws-project.local.json.

release For release pipelines that need CI secrets, reference op:// URIs in GitHub Actions.

Source

View SKILL.md on GitHub — full interactive workflow, error handling, rate-limit guidance.