1password.Old

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This 1Password CLI skill is mostly purpose-aligned, but it includes copyable examples that can reveal secrets directly in terminal output or files.

Review this skill carefully before installing. It is not showing hidden code or external exfiltration, but users should avoid the `--no-masking` and `printenv` example, avoid writing secrets to disk unless explicitly needed, set restrictive file permissions for any secret output, and clean up plaintext secret files immediately.

SkillSpector (2)

By NVIDIA

Missing User Warnings

Medium
Confidence: 87%
Finding: The examples explicitly demonstrate reading secrets, disabling masking, and injecting secrets into files without any warning about disclosure risks, shell history, stdout leakage, or filesystem persistence. In a secrets-management skill, users are likely to copy these commands verbatim, which can cause sensitive values to be exposed in terminals, logs, CI output, or plaintext config files.

Env Variable Harvesting

High
Category: Data Exfiltration
Content:
## Run

- `export DB_PASSWORD="op://app-prod/db/password"`
- `op run --no-masking -- printenv DB_PASSWORD`
- `op run --env-file="./.env" -- printenv DB_PASSWORD`

## Inject
Confidence: 97%
Finding: printenv DB_PASSWORD

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
