1password

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward 1Password CLI helper, but it can handle real secrets so users must review commands that display or write them.

Install this only if you want an agent to help operate 1Password CLI. Review any command that reads a secret, uses --no-masking, or writes output such as key.pem or config.yml; avoid logged terminals and CI, protect generated files, exclude them from source control and backups, and remove them when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The examples demonstrate writing or materializing sensitive secret data into local files and rendered config output without any warning about filesystem exposure, permissions, cleanup, or accidental inclusion in backups and source control. In a secrets-management skill, normalized examples strongly influence user behavior, so showing file output for private keys and injected configs increases the chance that users persist secrets insecurely.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal