Back to skill

Security audit

1Password Web UI

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real 1Password integration, but it adds broad secret-reading gateway access and contains an artifact-backed command-injection risk that needs review before installation.

Install only after reviewing or patching the backend. Replace shell-string execution with `spawn` or `execFile`, restrict gateway access to trusted local callers, use least-privilege 1Password tokens, avoid exposing the gateway or Connect API to untrusted networks, and treat RPC responses, stdout, logs, and mapping files as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that involve environment variables, network connectivity, and shell/CLI execution, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: operators or automated tooling may underestimate the skill's ability to access secrets infrastructure or invoke external components.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The helper exposes direct secret retrieval and vault/item enumeration capabilities, which materially expand access beyond a UI status/integration role. In an agent skill context, this increases the attack surface because any component able to invoke the helper can inventory sensitive assets and fetch credential material programmatically.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
The status output includes account URL/UUID and email address, which are not strictly necessary to determine whether 1Password is connected. This creates avoidable identity and environment disclosure that can help an attacker profile the target setup.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The instructions show `OP_CONNECT_TOKEN=your-connect-token` in a configuration example without explicitly warning that this value is a highly sensitive secret that must not be committed, logged, or shared. In an installation guide for a secrets-management integration, this omission can lead users to place the token in plaintext Docker Compose files or source control, exposing broad access to stored secrets.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `1password.readSecret` RPC returns raw secret values to any caller of the gateway method, and the code shows no authorization, caller verification, or scope restriction around that operation. In this skill context, the backend is specifically managing secrets for other skills, so exposing a generic secret-read endpoint materially increases the risk of unintended secret exfiltration if an untrusted UI component, plugin, or skill can invoke gateway RPCs.

Missing User Warnings

Low
Confidence
92% confidence
Finding
`opCommand` constructs a shell command string using `args.join(" ")` and passes it to `exec`, so any attacker-controlled argument containing shell metacharacters can lead to command injection. Multiple RPC handlers pass user-supplied values such as `account`, `vault`, `item`, and `field` into CLI arguments, making this especially dangerous because it can result in arbitrary command execution on the gateway host in addition to secret access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The read command prints secret values directly to stdout, which can leak credentials into logs, terminal history capture, agent transcripts, telemetry, or downstream tools. In an automation environment, stdout is often broadly observable, making raw secret emission a significant exposure path.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
reference/1password-backend.ts:25