Agent Skills: Bitwarden Vault Management Skill

Manage credentials in the Bitwarden vault - list, get, create, and update passwords. Use when the user asks about passwords, credentials, logins, vault items, or Bitwarden.

Category: Uncategorized
ID: ChinchillaEnterprises/ChillSkills/bitwarden

Install this agent skill to your local

pnpm dlx add-skill https://github.com/ChinchillaEnterprises/ChillSkills/tree/HEAD/bitwarden

bitwarden/SKILL.md

Skill Metadata

Name: bitwarden
Description: Manage credentials in the Bitwarden vault - list, get, create, and update passwords. Use when the user asks about passwords, credentials, logins, vault items, or Bitwarden.

Bitwarden Vault Management Skill

Purpose

Manage the company Bitwarden vault via the CLI. List credentials, retrieve passwords, add new logins, and update existing entries. This is the team's secondary credential store for social media logins and day-to-day accounts (AWS Secrets Manager is the primary store for infrastructure secrets).

Activation

Invoke with phrases like:

  • "Check Bitwarden for the TikTok password"
  • "Add these credentials to Bitwarden"
  • "List everything in the vault"
  • "Get the Mercury Bank login"
  • "Update the Socials Gmail password"
  • "What's in Bitwarden?"

Prerequisites

Authentication

The Bitwarden CLI uses API key authentication. Credentials are stored in AWS Secrets Manager:

# Retrieve Bitwarden API credentials
aws secretsmanager get-secret-value --profile feather \
  --secret-id chinchilla/bitwarden \
  --query 'SecretString' --output text | jq -r '.'

This returns: client_id, client_secret, master_password, and email.

Login Flow

  1. Check status first:

    bw status
    
  2. If logged out, login with API key:

    BW_CLIENTID="<client_id>" BW_CLIENTSECRET="<client_secret>" bw login --apikey
    
  3. If locked, unlock the vault. The bw unlock command requires the master password for decryption. Because of shell escaping issues with special characters, the user must run bw unlock interactively in their terminal. Ask them to run:

    bw unlock
    

    Then have them provide the BW_SESSION token from the output.

  4. Use the session token for all commands:

    export BW_SESSION="<session_token>"
    bw list items --session "$BW_SESSION"
    

Important: Shell Escaping

The master password contains ! and # characters which cause issues when passed via bash. Never attempt to pass the master password programmatically. Always ask the user to run bw unlock interactively and provide the session key.

Workflow

List All Vault Items

export BW_SESSION="<token>"
bw list items --session "$BW_SESSION" | jq '[.[] | {name: .name, username: .login.username?, uri: .login.uris?[0]?.uri?}]'

Get a Specific Item

# Search by name
bw list items --search "TikTok" --session "$BW_SESSION" | jq '.[0]'

# Get just the password
bw list items --search "TikTok" --session "$BW_SESSION" | jq -r '.[0].login.password'

Create a New Item

# Use the organization and collection IDs for the company vault
bw get template item --session "$BW_SESSION" | jq '. + {
  "organizationId": "8fc7e5de-c1f2-4e78-8217-b40a014730f2",
  "collectionIds": ["dd524257-39e3-4640-af8a-b40a014730fd"],
  "type": 1,
  "name": "Service Name",
  "notes": "Any notes here",
  "login": {
    "uris": [{"uri": "https://example.com"}],
    "username": "user@example.com",
    "password": "the-password"
  }
}' | bw encode | bw create item --session "$BW_SESSION"

Update an Existing Item

# Get the item, modify it, and save
ITEM_ID="<item-id>"
bw get item "$ITEM_ID" --session "$BW_SESSION" | jq '.login.password = "new-password"' | bw encode | bw edit item "$ITEM_ID" --session "$BW_SESSION"

Delete an Item

bw delete item "<item-id>" --session "$BW_SESSION"

Sync Vault

bw sync --session "$BW_SESSION"

Critical Rules

  1. Never pass the master password programmatically - always ask the user to run bw unlock interactively
  2. Always use --session flag with the BW_SESSION token for every command
  3. Always use the company org/collection IDs when creating items:
    • Organization: 8fc7e5de-c1f2-4e78-8217-b40a014730f2
    • Collection: dd524257-39e3-4640-af8a-b40a014730fd
  4. Check bw status first before attempting any operations
  5. API credentials live in AWS Secrets Manager at chinchilla/bitwarden - retrieve them with --profile feather
  6. Bitwarden is the secondary vault for social media, team logins, and day-to-day accounts. AWS Secrets Manager is primary for infrastructure.
  7. Session tokens expire - if you get an auth error, ask the user to run bw unlock again

Company Vault Structure

The vault uses a shared organization with one collection:

  • Organization: Chinchilla Enterprises (8fc7e5de-c1f2-4e78-8217-b40a014730f2)
  • Collection: Company credentials (dd524257-39e3-4640-af8a-b40a014730fd)
  • Admin email: chinchillaai.admin@gmail.com

Error Handling

"Vault is locked": Ask the user to run bw unlock in their terminal and provide the session token.

"You are not logged in": Retrieve API credentials from Secrets Manager and run bw login --apikey.

"Session key is invalid": The session expired. Ask the user to run bw unlock again.

"Not found": Run bw sync --session "$BW_SESSION" to refresh, then retry.

Success Criteria

  • User asks about credentials or Bitwarden
  • Claude checks bw status to determine login/lock state
  • If locked/logged out, Claude guides user through authentication
  • Claude performs the requested operation (list, get, create, update)
  • Results are presented clearly with relevant fields (name, username, URI)
  • Passwords are only shown when explicitly requested
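
The Login Flow, Critical Rules and Error Handling sections above, combined into one guard that checks bw status before every command and never runs bw unlock itself. This is an added example, not part of the original skill: the function names bw_state, bw_next_step and bw_guarded are hypothetical, and the status values are the ones bw status prints.

```shell
# Added example; bw_state, bw_next_step and bw_guarded are hypothetical names.

# Extract the "status" field from the JSON printed by `bw status`.
# sed keeps this dependency-free; `jq -r .status` is equivalent.
bw_state() {
  bw status 2>/dev/null |
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# Map a vault state or a CLI error message to the next step.
# Anything unrecognised fails closed.
bw_next_step() {
  case "$1" in
    unlocked) echo proceed ;;
    locked|*"Vault is locked"*|*"Session key is invalid"*)
      echo ask-user-to-run-bw-unlock ;;
    unauthenticated|*"You are not logged in"*)
      echo login-with-api-key ;;
    *"Not found"*) echo sync-and-retry ;;
    *) echo stop; return 1 ;;
  esac
}

# Run `bw "$@"` only when the vault is unlocked. The master password is never
# handled here: a locked vault is reported back so the user can unlock it.
# Returns 0 on success, 1 on an unknown state, 2 when user action is needed.
bw_guarded() {
  local step err
  step=$(bw_next_step "$(bw_state)") || { echo stop >&2; return 1; }
  [ "$step" = proceed ] || { echo "$step" >&2; return 2; }
  # stdout passes through on fd 3; only stderr is captured for classification.
  if { err=$(bw "$@" --session "$BW_SESSION" 2>&1 >&3); } 3>&1; then
    return 0
  fi
  step=$(bw_next_step "$err") || step=stop
  if [ "$step" = sync-and-retry ]; then
    # Refresh the local cache and retry exactly once.
    bw sync --session "$BW_SESSION" >/dev/null 2>&1 &&
      bw "$@" --session "$BW_SESSION" && return 0
    step=stop
  fi
  echo "$step" >&2
  return 2
}
```

Call it as bw_guarded list items --search "TikTok"; the next step is written to stderr so it never mixes with item JSON on stdout.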