A password manager CLI is a command-line tool that gives you access to your team’s password vault directly from the terminal. Instead of switching to a browser or app to look up credentials, you run a command and get the result instantly.
Passwd ships two CLIs — one for AI agents and one for humans. Both connect to the same vault but enforce different security boundaries.
The agent CLI (@passwd/passwd-agent-cli)
The agent CLI is designed specifically for AI agents. No command can output raw credential values. This is a structural guarantee, not a policy.
It gives agents three capabilities.
Browse the vault
Agents can search and inspect vault entries while sensitive fields remain redacted.
```bash
passwd-agent list -q "production database" --json
passwd-agent get abc123 --json
passwd-agent totp abc123
```
Credential values are replaced with:
••••••••
This allows agents to work with vault data without exposing secrets.
Inject credentials into commands
Agents can run commands using credentials without ever seeing them. This is done using `exec --inject`.
```bash
passwd-agent exec \
  --inject DB_PASSWORD=abc123:password \
  --inject API_KEY=def456:password \
  -- node server.js
```
The CLI retrieves the secret from the vault, injects it into the subprocess environment, and executes the command.
Stdout masking is always enabled. If the subprocess prints a secret value, it is replaced with `<concealed by passwd>`.
The raw value never enters the AI context.
Secrets never appear in shell history, never persist after the command exits, and the child process cannot access the vault beyond the injected fields.
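The inject-and-mask flow described above, sketched as an added Node.js example. It is not code from the passwd repository; `createMasker`, `maskChunks`, `runMasked` and the sample secret are names and values made up here. It also goes one step beyond the text by handling a secret that arrives split across two output chunks.

```javascript
// Added illustration; not code from the passwd repository.
const { spawn } = require('node:child_process');

const PLACEHOLDER = '<concealed by passwd>'; // marker text quoted on the page

// Streaming masker: replaces every injected secret in the output, including
// one that the pipe happened to split across two chunks.
function createMasker(secrets) {
  // Longest first, so a secret that contains another one is replaced whole.
  const list = [...new Set(secrets)].filter(Boolean).sort((a, b) => b.length - a.length);
  const hold = Math.max(1, ...list.map((s) => s.length)) - 1;
  let buf = '';
  const scrub = (text) => list.reduce((t, s) => t.split(s).join(PLACEHOLDER), text);
  return {
    write(chunk) {
      buf = scrub(buf + chunk);
      // Hold back the last (longest secret - 1) chars: they may be the start
      // of a secret whose remainder arrives in the next chunk.
      const cut = Math.max(0, buf.length - hold);
      const out = buf.slice(0, cut);
      buf = buf.slice(cut);
      return out;
    },
    flush() { const out = scrub(buf); buf = ''; return out; },
  };
}

// Masks a list of chunks in order and returns the full masked output.
function maskChunks(secrets, chunks) {
  const m = createMasker(secrets);
  return chunks.map((c) => m.write(c)).join('') + m.flush();
}

// Runs `cmd` with the secrets present only in the child's environment.
// `injected` maps env var name -> secret value, already resolved by the caller.
function runMasked(cmd, args, injected) {
  return new Promise((resolve, reject) => {
    const child = spawn(cmd, args, { env: { ...process.env, ...injected }, stdio: ['inherit', 'pipe', 'pipe'] });
    for (const [src, dst] of [[child.stdout, process.stdout], [child.stderr, process.stderr]]) {
      const m = createMasker(Object.values(injected));
      src.setEncoding('utf8');
      src.on('data', (c) => dst.write(m.write(c)));
      src.on('end', () => dst.write(m.flush()));
    }
    child.on('error', reject);
    child.on('close', resolve); // resolves with the child's exit code
  });
}
console.log(maskChunks(['s3cr3t-Value'], ['token=s3cr', '3t-Value\n'])); // constructed sample
```

A call such as `runMasked('node', ['server.js'], { DB_PASSWORD: value })` corresponds to one `--inject` pair, with `value` standing in for whatever the vault lookup returned.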
Resolve credentials for gateways
The agent CLI also implements the exec secrets provider protocol used by OpenClaw.
When OpenClaw starts, the gateway sends secret IDs to the CLI via stdin. The CLI resolves the secrets and returns the values on stdout.
The gateway stores them in an in-memory credential snapshot, and the AI agent never receives the credential values.
The full CLI (@passwd/passwd-cli)
The full CLI is designed for humans working in the terminal. It supports full vault operations including retrieving raw credential values.
Example commands:
```bash
passwd list -q "production database"
passwd get abc123 --field password
passwd exec --inject DB_PASS=abc123:password -- ./deploy.sh staging
passwd create -t apiCredentials -n "Stripe Key" -p "sk_live_..."
passwd share abc123
```
The full CLI also supports creating, updating, deleting, and sharing credentials.
The full CLI can output raw credential values using `--field`.
It can also disable masking for scripts that need raw output:
```bash
passwd exec --inject API_KEY=abc123:password --no-masking -- script.sh
```
Why the full CLI is not safe for agents
The full CLI is intentionally not safe for AI agents.
Anything an AI agent can read can potentially leak through prompt injection, tool output logging, or context window extraction.
For this reason, AI integrations should use either the agent CLI or the MCP server. Both enforce structural protection of credential values.
Three tools, three security boundaries
| Tool | Used by | Raw credential access | Best use |
|---|---|---|---|
| Agent CLI | AI agents | No | credential injection |
| Full CLI | Humans | Yes | scripts, CI/CD |
| MCP server | AI agents | No | browsing and TOTP |
This separation ensures that automation and AI integrations never expose raw credentials while still allowing humans to access them when necessary.
Full source is available at:
https://github.com/pepuscz/passwd