{
  "schemaVersion": "1.0",
  "item": {
    "slug": "bw-cli",
    "name": "Bitwarden CLI",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/0x7466/bw-cli",
    "canonicalUrl": "https://clawhub.ai/0x7466/bw-cli",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/bw-cli",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=bw-cli",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "_meta.json",
      "references/commands.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "bw-cli",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T13:39:32.117Z",
      "expiresAt": "2026-05-07T13:39:32.117Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=bw-cli",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=bw-cli",
        "contentDisposition": "attachment; filename=\"bw-cli-1.1.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "bw-cli"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/bw-cli"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/bw-cli",
    "agentPageUrl": "https://openagent3.xyz/skills/bw-cli/agent",
    "manifestUrl": "https://openagent3.xyz/skills/bw-cli/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/bw-cli/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Bitwarden CLI",
        "body": "Complete reference for interacting with Bitwarden via the command-line interface.\n\nOfficial documentation: https://bitwarden.com/help/cli/\nMarkdown version (for agents): https://bitwarden.com/help/cli.md"
      },
      {
        "title": "Installation",
        "body": "# Native executable (recommended)\n# https://bitwarden.com/download/?app=cli\n\n# npm\nnpm install -g @bitwarden/cli\n\n# Linux package managers\nchoco install bitwarden-cli  # Windows via Chocolatey\nsnap install bw              # Linux via Snap"
      },
      {
        "title": "Authentication Flow (Preferred: Unlock First)",
        "body": "Standard-Workflow (unlock-first):\n\n# 1. Try unlock first (fast, most common case)\nexport BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)\n\n# 2. Only if unlock fails, fall back to login\nif [ -z \"$BW_SESSION\" ]; then\n  bw login \"$BW_EMAIL\" \"$BW_PASSWORD\"\n  export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)\nfi\n\n# 3. Sync before any vault operation\nbw sync\n\n# 4. End session\nbw lock                      # Lock (keep login)\nbw logout                    # Complete logout\n\nAlternative: Direct login methods\n\nbw login                     # Interactive login (email + password)\nbw login --apikey           # API key login (uses BW_CLIENTID/BW_CLIENTSECRET from .secrets)\nbw login --sso              # SSO login\nbw unlock                    # Interactive unlock\nbw unlock --passwordenv BW_PASSWORD     # Auto-available from sourced .secrets"
      },
      {
        "title": "status",
        "body": "Check authentication and vault status:\n\nbw status\n\nReturns: unauthenticated, locked, or unlocked."
      },
      {
        "title": "config",
        "body": "Configure CLI settings:\n\n# Set server (self-hosted or regional)\nbw config server https://vault.example.com\nbw config server https://vault.bitwarden.eu   # EU cloud\nbw config server                              # Check current\n\n# Individual service URLs\nbw config server --web-vault <url> --api <url> --identity <url>"
      },
      {
        "title": "sync",
        "body": "Sync local vault with server (always run before vault operations):\n\nbw sync                     # Full sync\nbw sync --last             # Show last sync timestamp"
      },
      {
        "title": "update",
        "body": "Check for updates (does not auto-install):\n\nbw update"
      },
      {
        "title": "serve",
        "body": "Start REST API server:\n\nbw serve --port 8087 --hostname localhost"
      },
      {
        "title": "list",
        "body": "List vault objects:\n\n# Items\nbw list items\nbw list items --search github\nbw list items --folderid <id> --collectionid <id>\nbw list items --url https://example.com\nbw list items --trash                        # Items in trash\n\n# Folders\nbw list folders\n\n# Collections\nbw list collections                          # All collections\nbw list org-collections --organizationid <id>  # Org collections\n\n# Organizations\nbw list organizations\nbw list org-members --organizationid <id>"
      },
      {
        "title": "get",
        "body": "Retrieve single values or items:\n\n# Get specific fields (by name or ID)\nbw get password \"GitHub\"\nbw get username \"GitHub\"\nbw get totp \"GitHub\"                         # 2FA code\nbw get notes \"GitHub\"\nbw get uri \"GitHub\"\n\n# Get full item JSON\nbw get item \"GitHub\"\nbw get item <uuid> --pretty\n\n# Other objects\nbw get folder <id>\nbw get collection <id>\nbw get organization <id>\nbw get org-collection <id> --organizationid <id>\n\n# Templates for create operations\nbw get template item\nbw get template item.login\nbw get template item.card\nbw get template item.identity\nbw get template item.securenote\nbw get template folder\nbw get template collection\nbw get template item-collections\n\n# Security\nbw get fingerprint <user-id>\nbw get fingerprint me\nbw get exposed <password>                    # Check if password is breached\n\n# Attachments\nbw get attachment <filename> --itemid <id> --output /path/"
      },
      {
        "title": "create",
        "body": "Create new objects:\n\n# Create folder\nbw get template folder | jq '.name=\"Work\"' | bw encode | bw create folder\n\n# Create login item\nbw get template item | jq \\\n  '.name=\"Service\" | .login=$(bw get template item.login | jq '.username=\"user@example.com\" | .password=\"secret\"')' \\\n  | bw encode | bw create item\n\n# Create secure note (type=2)\nbw get template item | jq \\\n  '.type=2 | .secureNote.type=0 | .name=\"Note\" | .notes=\"Content\"' \\\n  | bw encode | bw create item\n\n# Create card (type=3)\nbw get template item | jq \\\n  '.type=3 | .name=\"My Card\" | .card=$(bw get template item.card | jq '.number=\"4111...\"')' \\\n  | bw encode | bw create item\n\n# Create identity (type=4)\nbw get template item | jq \\\n  '.type=4 | .name=\"My Identity\" | .identity=$(bw get template item.identity)' \\\n  | bw encode | bw create item\n\n# Create SSH key (type=5)\nbw get template item | jq \\\n  '.type=5 | .name=\"My SSH Key\"' \\\n  | bw encode | bw create item\n\n# Attach file to existing item\nbw create attachment --file ./doc.pdf --itemid <uuid>\n\nItem types: 1=Login, 2=Secure Note, 3=Card, 4=Identity, 5=SSH Key."
      },
      {
        "title": "edit",
        "body": "Modify existing objects:\n\n# Edit item\nbw get item <id> | jq '.login.password=\"newpass\"' | bw encode | bw edit item <id>\n\n# Edit folder\nbw get folder <id> | jq '.name=\"New Name\"' | bw encode | bw edit folder <id>\n\n# Edit item collections\n echo '[\"collection-uuid\"]' | bw encode | bw edit item-collections <item-id> --organizationid <id>\n\n# Edit org collection\nbw get org-collection <id> --organizationid <id> | jq '.name=\"New Name\"' | bw encode | bw edit org-collection <id> --organizationid <id>"
      },
      {
        "title": "delete",
        "body": "Remove objects:\n\n# Send to trash (recoverable 30 days)\nbw delete item <id>\nbw delete folder <id>\nbw delete attachment <id> --itemid <id>\nbw delete org-collection <id> --organizationid <id>\n\n# Permanent delete (irreversible!)\nbw delete item <id> --permanent"
      },
      {
        "title": "restore",
        "body": "Recover from trash:\n\nbw restore item <id>"
      },
      {
        "title": "generate",
        "body": "Generate passwords or passphrases:\n\n# Password (default: 14 chars)\nbw generate\nbw generate --uppercase --lowercase --number --special --length 20\nbw generate -ulns --length 32\n\n# Passphrase\nbw generate --passphrase --words 4 --separator \"-\" --capitalize --includeNumber"
      },
      {
        "title": "send",
        "body": "Create ephemeral shares:\n\n# Text Send\nbw send -n \"Secret\" -d 7 --hidden \"This text vanishes in 7 days\"\n\n# File Send\nbw send -n \"Doc\" -d 14 -f /path/to/file.pdf\n\n# Advanced options\nbw send --password accesspass -f file.txt"
      },
      {
        "title": "receive",
        "body": "Access received Sends:\n\nbw receive <url> --password <pass>"
      },
      {
        "title": "move",
        "body": "Share items to organization:\n\necho '[\"collection-uuid\"]' | bw encode | bw move <item-id> <organization-id>"
      },
      {
        "title": "confirm",
        "body": "Confirm invited members:\n\nbw get fingerprint <user-id>\nbw confirm org-member <user-id> --organizationid <id>"
      },
      {
        "title": "device-approval",
        "body": "Manage device approvals:\n\nbw device-approval list --organizationid <id>\nbw device-approval approve <request-id> --organizationid <id>\nbw device-approval approve-all --organizationid <id>\nbw device-approval deny <request-id> --organizationid <id>\nbw device-approval deny-all --organizationid <id>"
      },
      {
        "title": "import",
        "body": "Import from other password managers:\n\nbw import --formats                          # List supported formats\nbw import lastpasscsv ./export.csv\nbw import bitwardencsv ./import.csv --organizationid <id>"
      },
      {
        "title": "export",
        "body": "Export vault data:\n\nbw export                                    # CSV format\nbw export --format json\nbw export --format encrypted_json\nbw export --format encrypted_json --password <custom-pass>\nbw export --format zip                       # Includes attachments\nbw export --output /path/ --raw              # Output to file or stdout\nbw export --organizationid <id> --format json"
      },
      {
        "title": "encode",
        "body": "Base64 encode JSON for create/edit operations:\n\nbw get template folder | jq '.name=\"Test\"' | bw encode | bw create folder"
      },
      {
        "title": "generate (password)",
        "body": "See Password Generation."
      },
      {
        "title": "Global Options",
        "body": "Available on all commands:\n\n--pretty                     # Format JSON output with tabs\n--raw                        # Return raw output\n--response                   # JSON formatted response\n--quiet                      # No stdout (use for piping secrets)\n--nointeraction             # Don't prompt for input\n--session <key>             # Pass session key directly\n--version                   # CLI version\n--help                      # Command help"
      },
      {
        "title": "Secure Password Storage (Workspace .secrets)",
        "body": "Store the master password in a .secrets file in the workspace root and auto-load it:\n\n# Create .secrets file\nmkdir -p ~/.openclaw/workspace\necho \"BW_PASSWORD=your_master_password\" > ~/.openclaw/workspace/.secrets\nchmod 600 ~/.openclaw/workspace/.secrets\n\n# Add to .gitignore\necho \".secrets\" >> ~/.openclaw/workspace/.gitignore\n\n# Auto-source in shell config (run once)\necho 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.bashrc\n# OR for zsh:\necho 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.zshrc\n\nNow BW_PASSWORD is always available:\n\nbw unlock --passwordenv BW_PASSWORD\n\nSecurity requirements:\n\nFile must be mode 600 (user read/write only)\nMust add .secrets to .gitignore\nNever commit the .secrets file\nAuto-sourcing happens on new shell sessions; run source ~/.openclaw/workspace/.secrets for current session"
      },
      {
        "title": "API Key Authentication (Workspace .secrets)",
        "body": "For automated/API key login, store credentials in the same .secrets file:\n\n# Add API credentials to .secrets\necho \"BW_CLIENTID=user.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\" >> ~/.openclaw/workspace/.secrets\necho \"BW_CLIENTSECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" >> ~/.openclaw/workspace/.secrets\nchmod 600 ~/.openclaw/workspace/.secrets\n\nLogin with API key:\n\nbw login --apikey\n\n⚠️ Known Issue / Workaround\n\nOn some self-hosted Vaultwarden instances, bw login --apikey may fail with:\n\nUser Decryption Options are required for client initialization\n\nWorkaround - Use Email/Password Login:\n\n# Add EMAIL to .secrets\necho \"BW_EMAIL=your@email.com\" >> ~/.openclaw/workspace/.secrets\n\n# Login with email + password (instead of --apikey)\nbw login \"$BW_EMAIL\" \"$BW_PASSWORD\"\n\n# Or as one-liner\nset -a && source ~/.openclaw/workspace/.secrets && set +a && bw login \"$BW_EMAIL\" \"$BW_PASSWORD\"\n\n# Then unlock as usual\nbw unlock --passwordenv BW_PASSWORD\n\nFull workflow (recommended for self-hosted):\n\n# Source the .secrets file\nset -a && source ~/.openclaw/workspace/.secrets && set +a\n\n# Try unlock first (faster, works if already logged in)\nexport BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)\n\n# Only login if unlock failed (vault not initialized)\nif [ -z \"$BW_SESSION\" ]; then\n  bw login \"$BW_EMAIL\" \"$BW_PASSWORD\"\n  export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)\nfi\n\n# Ready to use\nbw sync\nbw list items\n\nGet your API key: https://bitwarden.com/help/personal-api-key/"
      },
      {
        "title": "Environment Variables",
        "body": "BW_CLIENTID                  # API key client_id\nBW_CLIENTSECRET              # API key client_secret\nBW_PASSWORD                  # Master password for unlock\nBW_SESSION                   # Session key (auto-used by CLI)\nBITWARDENCLI_DEBUG=true      # Enable debug output\nNODE_EXTRA_CA_CERTS          # Self-signed certs path\nBITWARDENCLI_APPDATA_DIR     # Custom config directory"
      },
      {
        "title": "Two-Step Login Methods",
        "body": "Method values: 0=Authenticator, 1=Email, 3=YubiKey.\n\nbw login user@example.com password --method 0 --code 123456"
      },
      {
        "title": "URI Match Types",
        "body": "Values: 0=Domain, 1=Host, 2=Starts With, 3=Exact, 4=Regex, 5=Never."
      },
      {
        "title": "Field Types",
        "body": "Values: 0=Text, 1=Hidden, 2=Boolean."
      },
      {
        "title": "Organization User Types",
        "body": "0=Owner, 1=Admin, 2=User, 3=Manager, 4=Custom."
      },
      {
        "title": "Organization User Statuses",
        "body": "0=Invited, 1=Accepted, 2=Confirmed, -1=Revoked."
      },
      {
        "title": "Best Practices",
        "body": "Unlock first, login only if needed: Try bw unlock first as it's faster; only run bw login if unlock fails (vault not initialized)\nAlways sync: Run bw sync before any vault operation\nSecure session: Use bw lock when done\nProtect secrets: Never log BW_SESSION or BW_PASSWORD\nSecure storage: Keep .secrets file at mode 600, never commit it\nAuto-source: Add to ~/.bashrc or ~/.zshrc for persistent env vars\nVerify fingerprints: Before confirming org members"
      },
      {
        "title": "Troubleshooting",
        "body": "IssueSolution\"Bot detected\"Use --apikey or provide client_secret\"Vault is locked\"Run bw unlock and export BW_SESSIONSelf-signed cert errorSet NODE_EXTRA_CA_CERTSNeed debug infoexport BITWARDENCLI_DEBUG=true\n\nReferences:\n\nHTML documentation: https://bitwarden.com/help/cli/\nMarkdown (fetchable): https://bitwarden.com/help/cli.md\nPersonal API Key: https://bitwarden.com/help/personal-api-key/"
      }
    ],
    "body": "Bitwarden CLI\n\nComplete reference for interacting with Bitwarden via the command-line interface.\n\nOfficial documentation: https://bitwarden.com/help/cli/\nMarkdown version (for agents): https://bitwarden.com/help/cli.md\n\nQuick Reference\nInstallation\n# Native executable (recommended)\n# https://bitwarden.com/download/?app=cli\n\n# npm\nnpm install -g @bitwarden/cli\n\n# Linux package managers\nchoco install bitwarden-cli  # Windows via Chocolatey\nsnap install bw              # Linux via Snap\n\nAuthentication Flow (Preferred: Unlock First)\n\nStandard-Workflow (unlock-first):\n\n# 1. Try unlock first (fast, most common case)\nexport BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)\n\n# 2. Only if unlock fails, fall back to login\nif [ -z \"$BW_SESSION\" ]; then\n  bw login \"$BW_EMAIL\" \"$BW_PASSWORD\"\n  export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)\nfi\n\n# 3. Sync before any vault operation\nbw sync\n\n# 4. End session\nbw lock                      # Lock (keep login)\nbw logout                    # Complete logout\n\n\nAlternative: Direct login methods\n\nbw login                     # Interactive login (email + password)\nbw login --apikey           # API key login (uses BW_CLIENTID/BW_CLIENTSECRET from .secrets)\nbw login --sso              # SSO login\nbw unlock                    # Interactive unlock\nbw unlock --passwordenv BW_PASSWORD     # Auto-available from sourced .secrets\n\nSession & Configuration Commands\nstatus\n\nCheck authentication and vault status:\n\nbw status\n\n\nReturns: unauthenticated, locked, or unlocked.\n\nconfig\n\nConfigure CLI settings:\n\n# Set server (self-hosted or regional)\nbw config server https://vault.example.com\nbw config server https://vault.bitwarden.eu   # EU cloud\nbw config server                              # Check current\n\n# Individual service URLs\nbw config server --web-vault <url> --api <url> --identity <url>\n\nsync\n\nSync local vault with server 
(always run before vault operations):\n\nbw sync                     # Full sync\nbw sync --last             # Show last sync timestamp\n\nupdate\n\nCheck for updates (does not auto-install):\n\nbw update\n\nserve\n\nStart REST API server:\n\nbw serve --port 8087 --hostname localhost\n\nVault Item Commands\nlist\n\nList vault objects:\n\n# Items\nbw list items\nbw list items --search github\nbw list items --folderid <id> --collectionid <id>\nbw list items --url https://example.com\nbw list items --trash                        # Items in trash\n\n# Folders\nbw list folders\n\n# Collections\nbw list collections                          # All collections\nbw list org-collections --organizationid <id>  # Org collections\n\n# Organizations\nbw list organizations\nbw list org-members --organizationid <id>\n\nget\n\nRetrieve single values or items:\n\n# Get specific fields (by name or ID)\nbw get password \"GitHub\"\nbw get username \"GitHub\"\nbw get totp \"GitHub\"                         # 2FA code\nbw get notes \"GitHub\"\nbw get uri \"GitHub\"\n\n# Get full item JSON\nbw get item \"GitHub\"\nbw get item <uuid> --pretty\n\n# Other objects\nbw get folder <id>\nbw get collection <id>\nbw get organization <id>\nbw get org-collection <id> --organizationid <id>\n\n# Templates for create operations\nbw get template item\nbw get template item.login\nbw get template item.card\nbw get template item.identity\nbw get template item.securenote\nbw get template folder\nbw get template collection\nbw get template item-collections\n\n# Security\nbw get fingerprint <user-id>\nbw get fingerprint me\nbw get exposed <password>                    # Check if password is breached\n\n# Attachments\nbw get attachment <filename> --itemid <id> --output /path/\n\ncreate\n\nCreate new objects:\n\n# Create folder\nbw get template folder | jq '.name=\"Work\"' | bw encode | bw create folder\n\n# Create login item (--argjson passes in the nested login template)\nbw get template item | jq \\\n  --argjson login \"$(bw get template 
item.login | jq '.username=\"user@example.com\" | .password=\"secret\"')\" \\\n  '.name=\"Service\" | .login=$login' \\\n  | bw encode | bw create item\n\n# Create secure note (type=2)\nbw get template item | jq \\\n  '.type=2 | .secureNote.type=0 | .name=\"Note\" | .notes=\"Content\"' \\\n  | bw encode | bw create item\n\n# Create card (type=3)\nbw get template item | jq \\\n  --argjson card \"$(bw get template item.card | jq '.number=\"4111...\"')\" \\\n  '.type=3 | .name=\"My Card\" | .card=$card' \\\n  | bw encode | bw create item\n\n# Create identity (type=4)\nbw get template item | jq \\\n  --argjson identity \"$(bw get template item.identity)\" \\\n  '.type=4 | .name=\"My Identity\" | .identity=$identity' \\\n  | bw encode | bw create item\n\n# Create SSH key (type=5)\nbw get template item | jq \\\n  '.type=5 | .name=\"My SSH Key\"' \\\n  | bw encode | bw create item\n\n# Attach file to existing item\nbw create attachment --file ./doc.pdf --itemid <uuid>\n\n\nItem types: 1=Login, 2=Secure Note, 3=Card, 4=Identity, 5=SSH Key.\n\nedit\n\nModify existing objects:\n\n# Edit item\nbw get item <id> | jq '.login.password=\"newpass\"' | bw encode | bw edit item <id>\n\n# Edit folder\nbw get folder <id> | jq '.name=\"New Name\"' | bw encode | bw edit folder <id>\n\n# Edit item collections\necho '[\"collection-uuid\"]' | bw encode | bw edit item-collections <item-id> --organizationid <id>\n\n# Edit org collection\nbw get org-collection <id> --organizationid <id> | jq '.name=\"New Name\"' | bw encode | bw edit org-collection <id> --organizationid <id>\n\ndelete\n\nRemove objects:\n\n# Send to trash (recoverable 30 days)\nbw delete item <id>\nbw delete folder <id>\nbw delete attachment <id> --itemid <id>\nbw delete org-collection <id> --organizationid <id>\n\n# Permanent delete (irreversible!)\nbw delete item <id> --permanent\n\nrestore\n\nRecover from trash:\n\nbw restore item <id>\n\nPassword Generation\ngenerate\n\nGenerate passwords or passphrases:\n\n# Password (default: 14 chars)\nbw generate\nbw generate --uppercase --lowercase --number --special --length 20\nbw generate 
-ulns --length 32\n\n# Passphrase\nbw generate --passphrase --words 4 --separator \"-\" --capitalize --includeNumber\n\nSend Commands (Secure Sharing)\nsend\n\nCreate ephemeral shares:\n\n# Text Send\nbw send -n \"Secret\" -d 7 --hidden \"This text vanishes in 7 days\"\n\n# File Send\nbw send -n \"Doc\" -d 14 -f /path/to/file.pdf\n\n# Advanced options\nbw send --password accesspass -f file.txt\n\nreceive\n\nAccess received Sends:\n\nbw receive <url> --password <pass>\n\nOrganization Commands\nmove\n\nShare items to organization:\n\necho '[\"collection-uuid\"]' | bw encode | bw move <item-id> <organization-id>\n\nconfirm\n\nConfirm invited members:\n\nbw get fingerprint <user-id>\nbw confirm org-member <user-id> --organizationid <id>\n\ndevice-approval\n\nManage device approvals:\n\nbw device-approval list --organizationid <id>\nbw device-approval approve <request-id> --organizationid <id>\nbw device-approval approve-all --organizationid <id>\nbw device-approval deny <request-id> --organizationid <id>\nbw device-approval deny-all --organizationid <id>\n\nImport & Export\nimport\n\nImport from other password managers:\n\nbw import --formats                          # List supported formats\nbw import lastpasscsv ./export.csv\nbw import bitwardencsv ./import.csv --organizationid <id>\n\nexport\n\nExport vault data:\n\nbw export                                    # CSV format\nbw export --format json\nbw export --format encrypted_json\nbw export --format encrypted_json --password <custom-pass>\nbw export --format zip                       # Includes attachments\nbw export --output /path/ --raw              # Output to file or stdout\nbw export --organizationid <id> --format json\n\nUtilities\nencode\n\nBase64 encode JSON for create/edit operations:\n\nbw get template folder | jq '.name=\"Test\"' | bw encode | bw create folder\n\ngenerate (password)\n\nSee Password Generation.\n\nGlobal Options\n\nAvailable on all commands:\n\n--pretty                     # Format JSON 
output with tabs\n--raw                        # Return raw output\n--response                   # JSON formatted response\n--quiet                      # No stdout (use for piping secrets)\n--nointeraction             # Don't prompt for input\n--session <key>             # Pass session key directly\n--version                   # CLI version\n--help                      # Command help\n\nSecurity Reference\nSecure Password Storage (Workspace .secrets)\n\nStore the master password in a .secrets file in the workspace root and auto-load it:\n\n# Create .secrets file\nmkdir -p ~/.openclaw/workspace\necho \"BW_PASSWORD=your_master_password\" > ~/.openclaw/workspace/.secrets\nchmod 600 ~/.openclaw/workspace/.secrets\n\n# Add to .gitignore\necho \".secrets\" >> ~/.openclaw/workspace/.gitignore\n\n# Auto-source in shell config (run once); set -a exports the variables so bw can read them\necho 'set -a; source ~/.openclaw/workspace/.secrets 2>/dev/null; set +a' >> ~/.bashrc\n# OR for zsh:\necho 'set -a; source ~/.openclaw/workspace/.secrets 2>/dev/null; set +a' >> ~/.zshrc\n\n\nNow BW_PASSWORD is always available:\n\nbw unlock --passwordenv BW_PASSWORD\n\n\nSecurity requirements:\n\nFile must be mode 600 (user read/write only)\nMust add .secrets to .gitignore\nNever commit the .secrets file\nAuto-sourcing happens on new shell sessions; run set -a && source ~/.openclaw/workspace/.secrets && set +a for the current session\n\nAPI Key Authentication (Workspace .secrets)\n\nFor automated/API key login, store credentials in the same .secrets file:\n\n# Add API credentials to .secrets\necho \"BW_CLIENTID=user.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\" >> ~/.openclaw/workspace/.secrets\necho \"BW_CLIENTSECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" >> ~/.openclaw/workspace/.secrets\nchmod 600 ~/.openclaw/workspace/.secrets\n\n\nLogin with API key:\n\nbw login --apikey\n\n\n⚠️ Known Issue / Workaround\n\nOn some self-hosted Vaultwarden instances, bw login --apikey may fail with:\n\nUser Decryption Options are required for client initialization\n\n\nWorkaround - Use Email/Password Login:\n\n# Add 
EMAIL to .secrets\necho \"BW_EMAIL=your@email.com\" >> ~/.openclaw/workspace/.secrets\n\n# Login with email + password (instead of --apikey)\nbw login \"$BW_EMAIL\" \"$BW_PASSWORD\"\n\n# Or as one-liner\nset -a && source ~/.openclaw/workspace/.secrets && set +a && bw login \"$BW_EMAIL\" \"$BW_PASSWORD\"\n\n# Then unlock as usual\nbw unlock --passwordenv BW_PASSWORD\n\n\nFull workflow (recommended for self-hosted):\n\n# Source the .secrets file\nset -a && source ~/.openclaw/workspace/.secrets && set +a\n\n# Try unlock first (faster, works if already logged in)\nexport BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)\n\n# Only login if unlock failed (vault not initialized)\nif [ -z \"$BW_SESSION\" ]; then\n  bw login \"$BW_EMAIL\" \"$BW_PASSWORD\"\n  export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)\nfi\n\n# Ready to use\nbw sync\nbw list items\n\n\nGet your API key: https://bitwarden.com/help/personal-api-key/\n\nEnvironment Variables\nBW_CLIENTID                  # API key client_id\nBW_CLIENTSECRET              # API key client_secret\nBW_PASSWORD                  # Master password for unlock\nBW_SESSION                   # Session key (auto-used by CLI)\nBITWARDENCLI_DEBUG=true      # Enable debug output\nNODE_EXTRA_CA_CERTS          # Self-signed certs path\nBITWARDENCLI_APPDATA_DIR     # Custom config directory\n\nTwo-Step Login Methods\n\nMethod values: 0=Authenticator, 1=Email, 3=YubiKey.\n\nbw login user@example.com password --method 0 --code 123456\n\nURI Match Types\n\nValues: 0=Domain, 1=Host, 2=Starts With, 3=Exact, 4=Regex, 5=Never.\n\nField Types\n\nValues: 0=Text, 1=Hidden, 2=Boolean.\n\nOrganization User Types\n\n0=Owner, 1=Admin, 2=User, 3=Manager, 4=Custom.\n\nOrganization User Statuses\n\n0=Invited, 1=Accepted, 2=Confirmed, -1=Revoked.\n\nBest Practices\nUnlock first, login only if needed: Try bw unlock first as it's faster; only run bw login if unlock fails (vault not initialized)\nAlways sync: Run bw sync before 
any vault operation\nSecure session: Use bw lock when done\nProtect secrets: Never log BW_SESSION or BW_PASSWORD\nSecure storage: Keep .secrets file at mode 600, never commit it\nAuto-source: Add to ~/.bashrc or ~/.zshrc for persistent env vars\nVerify fingerprints: Before confirming org members\nTroubleshooting\nIssue\tSolution\n\"Bot detected\"\tUse --apikey or provide client_secret\n\"Vault is locked\"\tRun bw unlock and export BW_SESSION\nSelf-signed cert error\tSet NODE_EXTRA_CA_CERTS\nNeed debug info\texport BITWARDENCLI_DEBUG=true\n\nReferences:\n\nHTML documentation: https://bitwarden.com/help/cli/\nMarkdown (fetchable): https://bitwarden.com/help/cli.md\nPersonal API Key: https://bitwarden.com/help/personal-api-key/"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/0x7466/bw-cli",
    "publisherUrl": "https://clawhub.ai/0x7466/bw-cli",
    "owner": "0x7466",
    "version": "1.1.1",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/bw-cli",
    "downloadUrl": "https://openagent3.xyz/downloads/bw-cli",
    "agentUrl": "https://openagent3.xyz/skills/bw-cli/agent",
    "manifestUrl": "https://openagent3.xyz/skills/bw-cli/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/bw-cli/agent.md"
  }
}