1Password Web UI
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: 1password-ui Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability in `reference/1password-backend.ts`. The `opCommand` function uses `node:child_process.execAsync` with `args.join(" ")`, which is vulnerable to shell metacharacters if user-controlled input (e.g., `itemRef`, `field`, or `vault` from RPC parameters) is passed. Specifically, `cliReadSecret` constructs an `op://` URI string that is then passed as a single argument to `opCommand`, making it susceptible to injection if the string contains shell commands. Additionally, the skill's installation instructions in `SKILL.md` and `INSTALL_INSTRUCTIONS.md` require the AI agent to perform highly privileged actions, including modifying core OpenClaw source code and executing build/restart commands, which, while necessary for the skill's function, represent a significant attack surface.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed RPC parameter could execute unintended local shell commands as the gateway user.
A gateway RPC parameter can be added to the op CLI argument list, and the command is executed through a shell with raw joined arguments instead of an argument array.
const { account } = params as { account?: string }; const result = await cliSignin(account); ... if (account) args.push("--account", account); ... return execAsync(`"${opPath}" ${args.join(" ")}`, { timeout });Replace execAsync shell strings with spawn/execFile argument arrays, validate account/vault/item/field inputs, and restrict who can call these RPC methods.
Any code or skill with access to the gateway RPC surface may be able to retrieve secrets available to the signed-in 1Password session or Connect token.
The skill intentionally exposes a gateway method for reading 1Password secrets, with safety depending on gateway exposure rather than an artifact-shown per-item approval or allowlist.
"1password.readSecret" ... "Reads secrets from 1Password via CLI or Connect API when requested by skills" ... "readSecret IS available via gateway RPC for skill use. Security relies on: (1) user being signed into 1Password, (2) gateway being loopback-only."
Use a limited-scope 1Password Connect token where possible, protect the gateway strictly, add caller authorization and explicit user approval for secret reads, and restrict reads to configured mappings.
Users have less provenance information to verify the origin of a sensitive gateway extension.
The registry metadata does not provide clear source provenance for code that is intended to be copied into the core gateway and handle secrets.
Source: unknown; Homepage: none
Review the included code before installing, prefer a verified source repository, and keep a record of the exact files copied into OpenClaw.
If the mapping file is changed unexpectedly, a skill could use the wrong credential, and item/vault names may reveal sensitive context.
The skill stores persistent mappings that influence which 1Password items future skills use, even though it says the file contains references rather than secret values.
"mapping_storage": { "description": "Stores skill→1Password mappings in ~/clawd/config/1password-mappings.json", ... "mitigation": "File contains references only (item/vault names), not actual secrets" }Keep the mapping file permissions restrictive, review mappings periodically, and avoid granting write access to untrusted skills or users.