Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
1Password Web UI
v1.0.0
1Password UI tab for OpenClaw dashboard. Manage secrets, credential mappings, and auth state from the Control UI.
⭐ 0 · 892 · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the included code: UI views, gateway RPC handlers, and a CLI/Connect helper. Reading secrets (readSecret) and mapping storage are part of its stated capability. However, the registry metadata declares no required binaries or env vars even though the code expects the 'op' CLI and, optionally, OP_CONNECT_HOST and OP_CONNECT_TOKEN for Connect mode. That is a mismatch between the declared requirements and the actual code.
Instruction Scope
The SKILL.md and INSTALL_INSTRUCTIONS require editing core OpenClaw source files (server-methods, navigation, app state) and restarting the gateway, i.e., the skill modifies the platform's server-side code. The backend exposes a gateway RPC (1password.readSecret) that returns secret values to callers; the docs say secrets are not shown in the UI, but the RPC can still deliver them to other skills or callers. The instructions assume gateway RPCs are loopback-only; if the gateway is network-accessible, that assumption fails and the attack surface expands.
Install Mechanism
No remote installers or curl|sh pipelines are used; all code is included in the package and installation is manual (copy files, edit code, build). That lowers supply-chain risk compared with remote downloads. The op-helper.py and TypeScript files are local and readable.
Credentials
Registry metadata lists no required env vars, but the code reads OP_CONNECT_HOST and OP_CONNECT_TOKEN for Connect mode and also relies on the external 'op' binary. Those are reasonable for the feature set, but their omission from the declared requirements is an inconsistency. Also, exposing a gateway RPC that can read secrets means any other skill or component with access to the gateway can request secret values unless the gateway is properly restricted.
Persistence & Privilege
Installation requires modifying core application source files and restarting the gateway, which is inherently high-privilege. The skill adds persistent RPC handlers to the gateway process; combined with the readSecret handler this increases the system-wide privilege surface. The skill is not set always:true, but its server-side handlers will run in the gateway process once installed.
What to consider before installing
This package appears to implement a legitimate 1Password UI integration, but take the following precautions before installing:
- Review the backend code (reference/1password-backend.ts and scripts/op-helper.py) yourself — they implement the readSecret RPC and network calls to OP_CONNECT_HOST. Confirm you understand when secrets may be returned and to whom.
- Ensure your gateway RPC interface is not reachable from untrusted networks. The skill’s security model depends on gateway RPCs being loopback-only or otherwise strongly access-controlled.
- Explicitly verify the presence of the 1Password CLI ('op') on systems that will use CLI mode; for Docker/connect mode, ensure OP_CONNECT_HOST and OP_CONNECT_TOKEN are only set when you intend that mode. The registry metadata does not declare these requirements — treat them as required for functionality.
- Because installation requires editing core server files and restarting the gateway, test in an isolated environment or backup the codebase before applying changes.
- Restrict permissions on ~/clawd/config/1password-mappings.json (recommended 0600) and audit which skills are allowed to call 1password.* RPCs after installation.
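The checks in the list above can be scripted before the gateway is touched. The following is an added example, not code from the skill, from OpenClaw or from ClawHub: it verifies whether the undeclared 'op' binary is on PATH, which mode the OP_CONNECT_* variables would select (and whether they are set consistently and over https), whether the mappings file is 0600, and whether the gateway RPC listener is bound to loopback. The gateway bind address is an assumption you supply on the command line, because the skill's documentation does not say how to query it from OpenClaw; the default mappings path is the one named in the list.

```python
"""Preflight for the 1Password Web UI skill.

Added example, not code from the skill, OpenClaw or ClawHub. The gateway
bind address is an assumption passed in by the operator.
"""
import ipaddress
import os
import shutil
import stat
import sys
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Path named in the install checklist; recommended mode is 0600.
DEFAULT_MAPPINGS = os.path.expanduser("~/clawd/config/1password-mappings.json")


def detect_mode(env: Dict[str, str], op_path: Optional[str]) -> str:
    """Which backend mode the skill would take for this environment.

    Connect mode needs both variables; one without the other is a
    misconfiguration, and with neither set the skill needs the 'op' CLI.
    """
    host, token = env.get("OP_CONNECT_HOST"), env.get("OP_CONNECT_TOKEN")
    if host and token:
        return "connect"
    if host or token:
        return "connect-misconfigured"
    return "cli" if op_path else "unusable"


def connect_findings(env: Dict[str, str]) -> List[str]:
    """Problems with the Connect-mode variables, if any are set."""
    findings: List[str] = []
    host, token = env.get("OP_CONNECT_HOST", ""), env.get("OP_CONNECT_TOKEN", "")
    if bool(host) != bool(token):
        findings.append("only one of OP_CONNECT_HOST / OP_CONNECT_TOKEN is set")
    if host and urlparse(host).scheme != "https":
        findings.append("OP_CONNECT_HOST is not https; the Connect token would travel in clear text")
    return findings


def mode_findings(st_mode: int, path: str = DEFAULT_MAPPINGS) -> List[str]:
    """Flag a mappings file that group or other can read or write (want 0600)."""
    perm = stat.S_IMODE(st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is mode {perm:04o}; expected 0600"]
    return []


def mappings_file_findings(path: str = DEFAULT_MAPPINGS) -> List[str]:
    """Stat the real mappings file; an absent file means nothing is mapped yet."""
    if not os.path.exists(path):
        return []
    return mode_findings(os.stat(path).st_mode, path)


def gateway_bind_findings(bind_host: str) -> List[str]:
    """The skill's security model only holds if the RPC listener is loopback-only."""
    if bind_host == "localhost":
        return []
    try:
        addr = ipaddress.ip_address(bind_host)
    except ValueError:
        return [f"gateway bind address {bind_host!r} is not an IP literal; confirm it resolves to loopback"]
    if addr.is_unspecified or not addr.is_loopback:
        return [f"gateway RPC bound to {bind_host}; 1password.readSecret is reachable from other hosts"]
    return []


def preflight(env: Dict[str, str], op_path: Optional[str], bind_host: str,
              mappings_path: str = DEFAULT_MAPPINGS) -> Dict[str, object]:
    """Collect every finding; an empty 'findings' list means it is safe to proceed."""
    findings = (connect_findings(env)
                + mappings_file_findings(mappings_path)
                + gateway_bind_findings(bind_host))
    mode = detect_mode(env, op_path)
    if mode == "unusable":
        findings.append("neither 'op' on PATH nor OP_CONNECT_* set; the skill cannot read secrets")
    return {"mode": mode, "findings": findings}


if __name__ == "__main__":
    # Usage: python preflight.py [gateway-bind-address]  (assumes 127.0.0.1 if omitted)
    bind = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    report = preflight(dict(os.environ), shutil.which("op"), bind)
    print(f"mode: {report['mode']}")
    for finding in report["findings"]:
        print(f"finding: {finding}")
    sys.exit(1 if report["findings"] else 0)
```

Run it on the host that will run the gateway, passing the address the gateway actually listens on; a non-zero exit means at least one of the checklist items is not satisfied. The script deliberately does not call the 1password.* RPCs or read any secret; it only inspects the environment the skill will run in.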
If you want to proceed but are unsure, ask the maintainer for an explanation of gateway access controls and a minimal install path (e.g., plugin registration) that avoids editing core server files.
Like a lobster shell, security has layers — review code before you run it.
latest: vk973jwr9tbcxbbcre9kehz24gn80yhq8
Runtime requirements
🔐 Clawdis
