1.4 KiB
1.4 KiB
name: vaultwarden description: Manage passwords in Vaultwarden. Use when needing credentials for services, databases, APIs, or when storing new secrets.
CRITICAL: Credential Blindness
NEVER use commands that would print passwords to stdout. Passwords must NEVER appear in tool output sent to Anthropic's API.
Available commands (each triggers Touch ID)
Search (safe — returns metadata only)
bw-vault search <query>
Returns: item name, username, URL, id — NO passwords
Inject password into a command (safe — password never in output)
bw-vault inject <item-name-or-id> --as <ENV_VAR> -- <command...>
Example: bw-vault inject "prod-db" --as PGPASSWORD -- psql -h db.local -U admin
Copy to clipboard (safe — only "Copied" message returned)
bw-vault copy <item-name-or-id> [field]
field defaults to "password", can be "username", "totp", "uri"
Write to temp file (safe — only file path returned)
bw-vault file <item-name-or-id> /tmp/secret-XXXX
Create new item (password auto-generated)
bw-vault create
Edit existing item
bw-vault edit <item-name-or-id>
NEVER DO
bw get password <id>— would leak to APIcat /tmp/secret-XXXX— would leak file contents to APIecho $PGPASSWORD— would leak env var to API- Any command that prints a secret value to stdout