Secure Autofill
Warn. Audited by ClawScan on May 10, 2026.
Overview
Secure Autofill is coherent as a 1Password login-autofill skill, but it gives the agent high-impact authority to fill credentials and submit logins without a clear per-site confirmation step or any vault scoping.
Only install this if you intentionally want OpenClaw to use 1Password-backed autofill. Before enabling it, restrict the 1Password token to the smallest vault or set of items the login needs, protect the env file that holds the token, keep the vault tools off the global allowlist unless they are needed, and require user confirmation of the website, item title, fields to fill, OTP use and submit action on every login.
Findings (3)
This is an artifact-based, informational review of SKILL.md, the metadata, the install specs, static scan signals and capability signals. ClawScan does not execute the skill or run runtime probes, so nothing below is a confirmed runtime behaviour.
A mistaken page, field mapping or credential choice could log the agent into an unintended account or expose access to a live website session.
The instructions let the agent fill secrets into a page, submit the login and, on error, retry with another candidate item, with no stated human confirmation gate for the target site or the chosen vault item.
Evidence: "Login workflow (agent-driven): ... If credential field found: ... Call vault_fill with mapping ... Click submit button ... If error: Decide: retry_mode=simple or next_candidate"
Recommendation: Require explicit user confirmation before every vault_fill call and before clicking submit, showing the site domain, the 1Password item title, the fields to be filled and whether an OTP will be used. Each retry with a new candidate item needs its own confirmation.
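The gate the recommendation asks for, written as an added example (it is not code from the Secure Autofill skill or from ClawScan). It sits in front of the quoted "Call vault_fill with mapping ... Click submit button" step: the agent builds a FillRequest, the gate checks that the chosen item's saved website actually matches the loaded page (the mistaken-page case above), then shows the user exactly what will be filled and proceeds only on an explicit yes. The FillRequest fields, the approve() callback and the vault_fill/submit calls mentioned in main() are assumptions for illustration.

```python
"""Confirmation gate for agent-driven 1Password autofill (added example).

Not part of the Secure Autofill skill or of ClawScan. FillRequest, the
approve() callback and the vault_fill/submit calls named in main() are
assumptions modelled on the tool names quoted from SKILL.md.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


class GateError(Exception):
    """Raised when the fill must not proceed."""


@dataclass(frozen=True)
class FillRequest:
    page_url: str      # URL of the page currently loaded in the browser
    item_title: str    # title of the 1Password item the agent chose
    item_urls: tuple   # website URLs saved on that item
    fields: tuple      # DOM field names that will receive secrets
    use_otp: bool      # whether a one-time code will be filled
    submit: bool       # whether the agent intends to click submit


def _host(url: str) -> str:
    """Lower-cased hostname; bare hosts such as 'example.com' are accepted."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matching_item_host(req: FillRequest) -> str:
    """Return the saved website host that the current page belongs to.

    The page host must equal a saved host or be a subdomain of it
    ('login.example.com' under 'example.com'). A bare suffix match
    ('notexample.com') or a lookalike ('example.com.evil.test') fails,
    which is the mistaken-page case the finding describes.
    """
    if urlsplit(req.page_url).scheme != "https":
        raise GateError("refusing to fill credentials on a non-HTTPS page")
    page = _host(req.page_url)
    for saved in req.item_urls:
        host = _host(saved)
        if host and (page == host or page.endswith("." + host)):
            return host
    raise GateError(f"item {req.item_title!r} has no saved website matching {page}")


def page_matches_item(req: FillRequest) -> bool:
    """Boolean form of matching_item_host for callers that prefer no exception."""
    try:
        matching_item_host(req)
        return True
    except GateError:
        return False


def confirmation_summary(req: FillRequest) -> str:
    """The exact text the user approves: site, item, fields, OTP, submit."""
    return (
        f"site={_host(req.page_url)} item={req.item_title!r} "
        f"fields={','.join(req.fields)} otp={'yes' if req.use_otp else 'no'} "
        f"submit={'yes' if req.submit else 'no'}"
    )


def gate(req: FillRequest, approve) -> dict:
    """Run the checks and ask the user; only an explicit True allows the fill.

    approve(summary) -> bool is the confirmation channel (a prompt, a chat
    button, ...). Call gate() again for every retry candidate: approval is
    per item and per page and is never cached.
    """
    host = matching_item_host(req)
    summary = confirmation_summary(req)
    if approve(summary) is not True:
        raise GateError("user did not confirm: " + summary)
    return {"host": host, "fields": list(req.fields),
            "use_otp": req.use_otp, "submit": req.submit}


def main():
    # Constructed sample request; the vault_fill/submit calls are illustrative.
    req = FillRequest("https://login.example.com/signin", "Example Login",
                      ("https://example.com",), ("username", "password"),
                      use_otp=False, submit=True)
    decision = gate(req, lambda s: input(f"Fill? {s} [y/N] ").strip().lower() == "y")
    print("approved:", decision)  # only now would the agent call vault_fill, then submit


if __name__ == "__main__":
    main()
```

The host check is deliberately exact-or-subdomain rather than a substring match, and it refuses non-HTTPS pages outright; both are cheap guards against the "mistaken page" case, and neither replaces the human confirmation, which the retry path must repeat for every next_candidate.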
If configured with a broadly scoped 1Password token, the agent may be able to use many saved credentials, not only the one intended login.
The skill uses a 1Password service account token or vault integration to read credential items, but its metadata declares no primary credential, no required environment variable and no scoped permission boundary.
Evidence: "Typical keys: DISPLAY, WAYLAND_DISPLAY, OP_SERVICE_ACCOUNT_TOKEN ... vault_suggest — list 1Password items ... vault_fill — fill DOM fields with secrets"
Recommendation: Use a least-privilege 1Password service account limited to the specific vaults and items the login needs, declare OP_SERVICE_ACCOUNT_TOKEN as the skill's required credential in its metadata, and do not enable the vault tools globally unless they are needed.
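Two checks that turn the recommendation into something the operator can run before enabling the skill, as an added example (not code from the skill or from ClawScan): the env file holding OP_SERVICE_ACCOUNT_TOKEN must not be readable by other users, and the token must see only the vault the login needs. The vault scope is read from the JSON that `op vault list --format json` prints (1Password CLI). ALLOWED_VAULTS, the vault names and the sample JSON are constructed for the example.

```python
"""Pre-flight checks for the 1Password service account token (added example).

Not part of the Secure Autofill skill or of ClawScan. ALLOWED_VAULTS is an
assumed vault name; SAMPLE_* are constructed stand-ins for the JSON that
`op vault list --format json` returns.
"""
import json
import os
import stat
import subprocess

# Assumption: the single vault the autofill login is allowed to read.
ALLOWED_VAULTS = {"Agent Logins"}


def env_file_is_private(mode: int) -> bool:
    """True when the mode grants nothing to group or others (0600 or tighter)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_env_file(path: str) -> None:
    """Refuse to continue if the file holding the token is readable by others."""
    st = os.stat(path)
    if not env_file_is_private(st.st_mode):
        raise PermissionError(
            f"{path} is readable by others: mode {stat.S_IMODE(st.st_mode):o}, expected 600")


def visible_vaults(vault_list_json: str) -> set:
    """Vault names from the output of `op vault list --format json`."""
    return {v["name"] for v in json.loads(vault_list_json)}


def excess_vaults(vault_list_json: str, allowed=frozenset(ALLOWED_VAULTS)) -> set:
    """Vaults the token can see beyond the allowed set; empty means correctly scoped."""
    return visible_vaults(vault_list_json) - set(allowed)


def preflight(env_file: str = ".env") -> set:
    """Run against the real CLI; OP_SERVICE_ACCOUNT_TOKEN must already be in the env.

    The token itself is never printed or logged; only vault names are reported.
    """
    check_env_file(env_file)
    if "OP_SERVICE_ACCOUNT_TOKEN" not in os.environ:
        raise RuntimeError("OP_SERVICE_ACCOUNT_TOKEN is not set")
    out = subprocess.run(["op", "vault", "list", "--format", "json"],
                         capture_output=True, text=True, check=True).stdout
    extra = excess_vaults(out)
    if extra:
        raise RuntimeError("token is over-scoped; it can also see: " + ", ".join(sorted(extra)))
    return visible_vaults(out)


# Constructed samples: an over-scoped token and a correctly scoped one.
SAMPLE_BROAD = json.dumps([
    {"id": "v1", "name": "Personal"},
    {"id": "v2", "name": "Shared"},
    {"id": "v3", "name": "Agent Logins"},
])
SAMPLE_SCOPED = json.dumps([{"id": "v3", "name": "Agent Logins"}])


if __name__ == "__main__":
    print("broad token sees extra vaults:", sorted(excess_vaults(SAMPLE_BROAD)))
    print("scoped token extra vaults:", sorted(excess_vaults(SAMPLE_SCOPED)))
```

A service account that passes the scope check is created with only the needed vault and read access, for example `op service-account create "openclaw-autofill" --vault "Agent Logins":read_items` (1Password CLI syntax; confirm the flags against the CLI version you run). Keep the token out of shell history and chat transcripts and load it only from the 0600 env file the first check enforces.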
Running the setup commands changes the system's package sources and installs software on the machine.
The skill documents adding Google's apt repository and installing Chrome with sudo. This is disclosed and consistent with the skill's non-headless browser use, but it is still a privileged install from an external source.
Evidence: "wget -qO- https://dl.google.com/linux/linux_signing_key.pub | sudo gpg --dearmor ... sudo apt update && sudo apt install -y google-chrome-stable"
Recommendation: Review the commands before running them, verify the Google signing key and package source, and do not let the agent run the sudo setup steps unless you intend those system changes.
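A pre-run review that flags which lines of a setup script need a human decision before an agent executes them, as an added example (not code from the skill or from ClawScan). It labels privilege escalation, package installs, writes to the apt source or keyring directories, content fetched from the network and piped straight into a privileged command, and apt source entries that lack a `signed-by=` key pin. The SETUP_SAMPLE script is constructed to resemble the quoted install steps and is not the skill's actual text; the rule names are assumptions.

```python
"""Pre-run review of agent-executed setup commands (added example).

Not part of the Secure Autofill skill or of ClawScan. SETUP_SAMPLE is a
constructed script modelled on the quoted install steps; the rule names
are assumptions for this example.
"""
import re

# Each rule: (label, regex). A line can carry several labels.
RULES = (
    ("sudo",           re.compile(r"(^|[\s;&|])sudo\s")),
    ("apt-install",    re.compile(r"\bapt(-get)?\s+install\b")),
    ("apt-source",     re.compile(r"/etc/apt/(sources\.list|trusted\.gpg|keyrings)")),
    ("legacy-apt-key", re.compile(r"\bapt-key\b")),       # apt-key is deprecated
    ("fetch-to-sudo",  re.compile(r"\b(wget|curl)\b[^|]*\|\s*sudo\b")),
)


def classify(line: str) -> set:
    """Labels for one shell line; empty set means nothing privileged was seen."""
    flags = {label for label, rx in RULES if rx.search(line)}
    # An apt source entry without signed-by= trusts the key for every repository.
    if "apt-source" in flags and "sources.list" in line and "signed-by=" not in line:
        flags.add("unpinned-source")
    return flags


def review(script: str) -> list:
    """(line, flags) for every non-empty, non-comment line of the script."""
    rows = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rows.append((line, classify(line)))
    return rows


def needs_human_approval(script: str) -> bool:
    """True if any line should be run by a person, not by the agent."""
    return any(flags for _, flags in review(script))


# Constructed sample modelled on the quoted SKILL.md install steps.
SETUP_SAMPLE = """
# install Chrome for non-headless browsing
wget -qO- https://dl.google.com/linux/linux_signing_key.pub | sudo gpg --dearmor -o /etc/apt/keyrings/google-chrome.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google-chrome.gpg] http://dl.google.com/linux/chrome/deb/ stable main" | sudo tee /etc/apt/sources.list.d/google-chrome.list
sudo apt update && sudo apt install -y google-chrome-stable
pip install --user playwright
"""


if __name__ == "__main__":
    for line, flags in review(SETUP_SAMPLE):
        marker = "HUMAN " if flags else "agent "
        print(marker, sorted(flags), line[:70])
    print("needs human approval:", needs_human_approval(SETUP_SAMPLE))
```

The classifier is a gate, not a verdict: a flagged line is handed to the operator, who confirms the key's fingerprint against Google's published value and runs the sudo steps themselves. The `unpinned-source` label exists because a key dropped into the global trusted keyring would validate any repository, while a `signed-by=` entry scopes it to this one.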
