MCP (Model Context Protocol)

How to Use a Password Manager in Claude Cowork

Claude Cowork automates everyday tasks such as organizing files, drafting reports, and processing data. But many workflows slow down the moment a credential is required. Logging into a service, calling an authenticated API, or retrieving credentials for a teammate often means switching to a password manager and manually copying data.

The Passwd plugin removes that friction. Once installed, Claude Cowork can securely access your team’s Passwd vault while ensuring that raw credential values never reach the AI model.

The plugin provides two capabilities: vault tools for browsing and TOTP generation, and an agent CLI skill that allows credentials to be injected into commands when necessary.

Setup

1. Install the plugin

Open Plugins in Claude Cowork and add the Passwd plugin from the repository.

https://github.com/pepuscz/passwd/tree/main/packages/passwd-plugin

2. Configure your deployment URL

Edit the plugin configuration file:

packages/passwd-plugin/.mcp.json

Replace the default deployment URL with your Passwd instance.

Example:

PASSWD_ORIGIN=https://your-deployment.passwd.team

3. Restart Claude Cowork

After restarting, the plugin will be loaded and the MCP tools will be available.

If your team uses multiple Passwd deployments, you can add multiple entries in the .mcp.json configuration file with different server names and deployment URLs.

Authenticate

The first time Cowork uses the vault, it will prompt you to authenticate using Google.

Open the login URL in your browser, sign in using the same Google account you use for Passwd, and paste the redirect URL back into Cowork.

Authentication tokens are stored locally so the process only needs to happen once.

What Cowork can do with the vault

Once connected, Claude Cowork can interact with your team’s vault in several ways.

The assistant can:

  • search credentials by name, tag, or type
  • view credential metadata such as usernames, URLs, and notes
  • generate TOTP codes
  • audit vault entries based on metadata

Credential values such as passwords and API keys are always replaced with ••••••••.

This allows Cowork to understand the structure of the vault without exposing sensitive information.

Why raw passwords should never reach the AI

Claude Cowork runs on a cloud-hosted language model. Any tool result returned to the model enters the AI context window.

Sensitive data placed in the context window can potentially be exposed through prompt injection attacks, logging systems, or other forms of model telemetry.

For this reason, Passwd structurally redacts sensitive credential fields before returning them through MCP.

The AI assistant can identify credentials but cannot read their values.

Using credentials in commands

Some workflows require the assistant to actually use a credential rather than just browse the vault.

The Passwd plugin bundles an agent CLI that can inject credentials into commands using exec --inject.

Example:

npx -y @passwd/passwd-agent-cli@1.3.1 exec \
  --inject API_KEY=abc123:password \
  -- node script.js

The CLI retrieves the credential and injects it into the subprocess environment.

The command receives the credential as an environment variable, while the AI assistant never sees the raw value.

Example workflows

Generate a TOTP code

You can ask Cowork:

“I need the TOTP code for the company Notion account.”

Cowork retrieves the credential and generates the current six-digit code.

Since TOTP codes expire quickly, returning them in the conversation is considered safe.

Retrieve vault information

You can ask:

“What credentials do we have tagged marketing?”

Cowork searches the vault and returns matching entries with metadata such as name, type, and tags.

Passwords and API keys remain redacted.

Use a credential in a task

You can ask:

“Pull the latest analytics data using the credentials stored in the vault.”

Cowork identifies the credential and runs the required command using exec --inject.

The credential is injected directly into the process environment and never appears in the conversation.

Audit credentials

Cowork can also help review vault data.

Example request:

“List credentials tagged production that haven’t been updated recently.”

The assistant analyzes vault metadata and summarizes the results without exposing credential values.

Security model

The Passwd plugin runs locally and communicates directly with your Passwd deployment over HTTPS.

Claude Cowork operates using the permissions of your Passwd account. The assistant can only access credentials that are already shared with you.

Sensitive credential fields are structurally redacted before being returned to the AI model.

This ensures that passwords and API keys never enter the AI context.

Full source code is available at:
https://github.com/pepuscz/passwd