1Password Web UI

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: High Confidence
ASI05: Unexpected Code Execution
What this means

A malicious or malformed RPC parameter could execute unintended local shell commands as the gateway user.

Why it was flagged

A gateway RPC parameter can be added to the op CLI argument list, and the command is executed through a shell with raw joined arguments instead of an argument array.

Skill content
const { account } = params as { account?: string }; const result = await cliSignin(account); ... if (account) args.push("--account", account); ... return execAsync(`"${opPath}" ${args.join(" ")}`, { timeout });
Recommendation

Replace execAsync shell strings with spawn/execFile argument arrays, validate account/vault/item/field inputs, and restrict who can call these RPC methods.

What this means

Any code or skill with access to the gateway RPC surface may be able to retrieve secrets available to the signed-in 1Password session or Connect token.

Why it was flagged

The skill intentionally exposes a gateway method for reading 1Password secrets; its safety depends on how the gateway is exposed rather than on any per-item approval step or allowlist visible in the reviewed artifacts.

Skill content
"1password.readSecret" ... "Reads secrets from 1Password via CLI or Connect API when requested by skills" ... "readSecret IS available via gateway RPC for skill use. Security relies on: (1) user being signed into 1Password, (2) gateway being loopback-only."
Recommendation

Use a limited-scope 1Password Connect token where possible, protect the gateway strictly, add caller authorization and explicit user approval for secret reads, and restrict reads to configured mappings.

What this means

Users have less provenance information to verify the origin of a sensitive gateway extension.

Why it was flagged

The registry metadata does not provide clear source provenance for code that is intended to be copied into the core gateway and handle secrets.

Skill content
Source: unknown; Homepage: none
Recommendation

Review the included code before installing, prefer a verified source repository, and keep a record of the exact files copied into OpenClaw.

What this means

If the mapping file is changed unexpectedly, a skill could use the wrong credential, and item/vault names may reveal sensitive context.

Why it was flagged

The skill stores persistent mappings that influence which 1Password items future skills use, even though it says the file contains references rather than secret values.

Skill content
"mapping_storage": { "description": "Stores skill→1Password mappings in ~/clawd/config/1password-mappings.json", ... "mitigation": "File contains references only (item/vault names), not actual secrets" }
Recommendation

Keep the mapping file permissions restrictive, review mappings periodically, and avoid granting write access to untrusted skills or users.

Findings (1)

critical

suspicious.env_credential_access

Location
reference/1password-backend.ts:25
Finding
Environment variable access combined with network send.