1Password Web UI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a real 1Password integration, but it gives OpenClaw broad secret-reading power and includes an unsafe command-execution pattern that should be reviewed before installation.

Install only if you are comfortable giving the OpenClaw gateway access to 1Password. Before installing, review and fix the unsafe `execAsync` command construction, restrict the gateway to trusted callers, use least-privilege 1Password Connect tokens or vault access, and carefully monitor the credential mapping file.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A skill or agent with gateway access could potentially request 1Password secrets beyond what the user intended to expose.

Why it was flagged

The package explicitly says secret reading is available through gateway RPC for skills, but the artifacts do not show per-skill authorization, per-vault scoping, per-secret approval, or audit controls.

Skill content
"secret_handling": "The UI never calls readSecret. However, readSecret IS available via gateway RPC for skill use. Security relies on: (1) user being signed into 1Password, (2) gateway being loopback-only."
Recommendation

Only enable this with a locked-down gateway, explicit per-skill allowlists, least-privilege 1Password Connect tokens, user approval for secret reads, and audit logging.

What this means

A malicious or malformed RPC parameter could cause unintended shell command execution on the OpenClaw gateway host.

Why it was flagged

A gateway parameter can be placed into a shell command string without shell escaping. Arguments such as account, vault, item, or field names should be passed as an argv array, not joined into a shell command.

Skill content
if (account) args.push("--account", account); ... return execAsync(`"${opPath}" ${args.join(" ")}`, { timeout });
Recommendation

Replace `execAsync` string execution with `execFile` or `spawn` using an argument array, and validate account, vault, item, and field parameters before use.

What this means

If the gateway is reachable by an unintended local process, skill, browser context, or remote user, 1Password metadata or secrets could be accessed.

Why it was flagged

The sensitive 1Password operations are exposed as gateway RPC methods, and the artifact relies on the surrounding gateway being protected rather than showing caller identity, origin, or method-level permission checks.

Skill content
"gateway_exposure": "All 1password.* methods are gateway RPC calls. Protect your gateway accordingly."
Recommendation

Confirm the gateway is loopback-only or authenticated, restrict which callers can invoke `1password.*` methods, and especially gate `1password.readSecret`.

What this means

Installing changes the OpenClaw application itself, not just a standalone skill file.

Why it was flagged

The installation path copies skill-provided code into core OpenClaw source and restarts the gateway. This is disclosed and purpose-aligned, but it is a persistent source modification.

Skill content
cp ~/clawd/skills/1password-ui/reference/1password-backend.ts ~/clawdbot/src/gateway/server-methods/1password.ts ... pnpm build && pnpm ui:build && clawdbot gateway restart
Recommendation

Review the copied files, back up the OpenClaw source tree, and apply the edits manually or through a trusted patch workflow.

What this means

If the mapping file is altered, a skill may use the wrong 1Password item or field in later runs.

Why it was flagged

The skill stores persistent mappings that influence future credential lookup. The file is documented as reference-only, but those references can still affect which secret a skill receives.

Skill content
"mapping_storage": { "description": "Stores skill→1Password mappings in ~/clawd/config/1password-mappings.json", "paths": ["~/clawd/config/1password-mappings.json"], "mitigation": "File contains references only (item/vault names), not actual secrets" }
Recommendation

Keep the mapping file permission-restricted, review mapping changes, and treat vault/item/field names as sensitive configuration.