MH 1password
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: mh-1password
Version: 1.0.0
The skill bundle is designed for secure integration with the 1Password CLI. It uses standard tools like `brew` for installation and provides explicit instructions for the AI agent to use `tmux` for all `op` commands, framed as a security measure to manage sessions and prevent re-prompts. Crucially, `SKILL.md` includes strong 'Guardrails' instructing the agent to 'Never paste secrets into logs, chat, or code' and to 'Prefer `op run` / `op inject` over writing secrets to disk'. There is no evidence of data exfiltration, malicious execution, persistence, or prompt injection with harmful intent. The examples provided are legitimate 1Password CLI commands, and any potentially risky features (like `op run --no-masking`) are directly addressed by the security guardrails.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After authorization, the agent could access sensitive credentials available to the signed-in 1Password account if the task or later instructions are too broad.
The skill is explicitly designed to authenticate to 1Password and read or use vault secrets. That is purpose-aligned, but the artifacts do not clearly restrict which account, vault, item, or secret the agent may access.
description: Set up and use 1Password CLI (op)... reading/injecting/running secrets via op... Verify access inside tmux: `op whoami` (must succeed before any secret read).
Use this only with explicit user direction. Require confirmation for each `op read`, `op run`, `op inject`, account, vault, item, and output destination; prefer least-privilege or test vault access.
A secret could be exposed in terminal output, agent-visible logs, chat, or local files if these examples are used carelessly.
The examples document raw op commands that can print secrets, disable masking, or write secrets to local files. They are not auto-run, but they are high-impact patterns without accompanying approval or destination checks.
`op read --out-file ./key.pem op://app-prod/server/ssh/key.pem`; `op run --no-masking -- printenv DB_PASSWORD`; `op inject -i config.yml.tpl -o config.yml`
Avoid `--no-masking` and printing secrets. Ask before writing any secret file, verify paths, and prefer masked or process-local secret injection.
Secrets printed during a tmux session could be copied into the agent conversation or retained in logs/context.
The skill relies on capturing tmux pane output for op commands and also warns not to paste secrets into logs or chat. If secret-producing commands are captured, sensitive values may enter the agent context despite the guardrail.
`tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200` and `Never paste secrets into logs, chat, or code.`
Do not capture panes after secret-producing commands. Keep secret values out of chat, logs, summaries, and saved context; use commands that avoid printing secret material.
