ssh-op

ssh-op is a wrapper around ssh that:

• ensures an ssh-agent exists for the current shell
• loads an SSH key from 1Password via op read ... | ssh-add -
• then execs ssh with your arguments

Prerequisites

Fail-fast checks you can run:

command -v op ssh ssh-agent ssh-add
op whoami

If op whoami fails:

• Sign in to 1Password CLI (desktop integration / account sign-in), or
• If using a service account flow, ensure OP_SERVICE_ACCOUNT_TOKEN is set.

Configuration (portable)

Machine-specific config lives alongside the skill:

• Example (do not edit): ~/.openclaw/skills/ssh-op/config.env.example
• Real (machine-specific): ~/.openclaw/skills/ssh-op/config.env

Required keys:

• SSH_OP_VAULT_NAME — 1Password vault containing the key
• SSH_OP_ITEM_TITLE — 1Password item title

Optional keys:

• SSH_OP_KEY_FIELD — defaults to private key
• SSH_OP_KEY_FINGERPRINT_SHA256 — if set, skip re-loading when already in ssh-agent
• SSH_OP_HOSTS_FILE — defaults to hosts.conf (ssh config snippet filename)

SSH host entries (optional) live in:

• ~/.openclaw/skills/ssh-op/hosts.conf

Initialization / installation / onboarding

Preferred (chat-first)

Because the primary interface is chat (Telegram), the preferred onboarding flow is:

1. Ask Boss the required questions in chat.
2. Write the real config file: config.env.
3. Run a smoke test (e.g. ssh-op --help and a safe ssh-op -T ).

Optional (terminal)

If you are running in a real terminal, you can use the interactive onboarding script:

~/.openclaw/skills/ssh-op/scripts/onboard.sh

(If you want a step-by-step runbook, see references/onboarding.md.)

1) Put the executable on PATH

Canonical executable lives inside the skill:

• ~/.openclaw/skills/ssh-op/scripts/ssh-op

For convenience, create a symlink:

mkdir -p ~/.local/bin
ln -sf ~/.openclaw/skills/ssh-op/scripts/ssh-op ~/.local/bin/ssh-op

2) Configure which key to load

Run onboarding to populate the real config:

~/.openclaw/skills/ssh-op/scripts/onboard.sh

(Or edit config.env manually and set SSH_OP_VAULT_NAME / SSH_OP_ITEM_TITLE.)

Then validate:

ssh-op --help
# try a safe ssh command (or any host alias you have configured)
ssh-op -T <host-alias>

3) (Optional) Manage ~/.ssh/config host aliases

1. Put desired Host entries in hosts.conf
2. Apply them idempotently (adds/updates a managed block):

~/.openclaw/skills/ssh-op/scripts/ensure_ssh_config.py

This will update ~/.ssh/config between:

• # BEGIN ssh-op (managed)
• # END ssh-op (managed)

Usage

ssh-op <ssh-args...>

Examples:

ssh-op my-host-alias
ssh-op -T my-host-alias
ssh-op -L 8080:localhost:8080 my-host-alias

Notes / behavior

• No private key is written to disk.
• ssh-agent lifetime is tied to the current shell unless you export SSH_AUTH_SOCK / SSH_AGENT_PID.

Executables / bin placement

• Keep the canonical executable in the skill folder (scripts/ssh-op).
• Use a symlink (e.g. ~/.local/bin/ssh-op) for convenience.