Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gateway Env Injector

v1.0.0

Safely inject API keys from 1Password into macOS LaunchAgent plists using PlistBuddy. Use when running OpenClaw on macOS and storing secrets in 1Password — a...

0 stars · 306 downloads · 1 version (1 current, 1 all-time)
by Nissan Dookeran (@nissan)
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability

Name, description, required binaries (op, bash), and primaryEnv (OP_SERVICE_ACCOUNT_TOKEN) align with the actual behavior: the script reads secrets via the 1Password CLI and injects them into a LaunchAgent plist used by the OpenClaw gateway. The set of provider keys (OpenAI, Anthropic, Gemini, Mistral, HF, optional Voyage) is plausible for a gateway process.

Instruction Scope (flagged)

SKILL.md and the included script instruct the agent to read a local token file (~/.config/openclaw/.op-service-token), call 'op read' for multiple items, and use /usr/libexec/PlistBuddy to add string entries into the gateway plist's EnvironmentVariables, then restart the LaunchAgent. The skill's text claims it 'avoids plaintext keys on disk', but the script writes secrets (including OP_SERVICE_ACCOUNT_TOKEN) into the plist file, creating persistent plaintext secrets on disk, which contradicts the stated security goal and increases exposure.

Install Mechanism

Instruction-only skill with a bundled Bash script; no remote downloads or install steps. The script is executed locally, so there is no high-risk install mechanism (no external archives or shortener URLs).

Credentials (flagged)

Requesting OP_SERVICE_ACCOUNT_TOKEN is expected for reading 1Password. However, the script writes that same service-account token into the LaunchAgent plist, exposing the token to any process that can read the plist or the process environment. Injecting the service account token into the gateway may be unnecessary and disproportionate; other requested secrets (provider API keys) are reasonable for a gateway but also create persistent on-disk copies.

Persistence & Privilege

The skill is not marked always: true and is user-invocable; it restarts a LaunchAgent (expected for its purpose) but does not modify other skills or system-wide agent settings. It does create persistent changes to a LaunchAgent plist (intended), which is within scope but increases long-term exposure of secrets.
What to consider before installing
This skill largely does what it says: it reads secrets from 1Password and writes them into the OpenClaw gateway's LaunchAgent plist. Important considerations before installing:

  • The script contradicts its claim of 'avoiding plaintext keys on disk' by writing secrets (including the OP_SERVICE_ACCOUNT_TOKEN) into the plist at ~/Library/LaunchAgents/ai.openclaw.gateway.plist. That plist is stored on disk and may be readable by processes or users with access to your account. If your goal is to avoid persistent plaintext secrets, this approach does not achieve it.
  • Consider whether the gateway truly needs the 1Password service account token in its environment. If not, remove the injection of OP_SERVICE_ACCOUNT_TOKEN from the script to reduce blast radius.
  • Ensure the 1Password service account has minimal, read-only scope and rotate it regularly. Use strict filesystem permissions on ~/.config/openclaw/.op-service-token and on the plist file.
  • Review whether you prefer ephemeral session-based access (op session tokens) rather than storing a persistent token file under ~/.config/openclaw.
  • Be aware the script restarts the LaunchAgent (it will run the gateway with the injected env vars). Also note it sets OTLP_ENDPOINT to localhost:4317 (telemetry) and writes SHERPA paths; ensure those values are intended.
  • If you want stronger guarantees against on-disk secrets, investigate alternatives such as having the gateway integrate with 1Password at runtime, using macOS keychain APIs, or using launchctl setenv for ephemeral environment settings (though that has its own limits).

If you proceed, audit the plist file permissions after a run, limit the service account privileges, and consider removing injection of the OP_SERVICE_ACCOUNT_TOKEN from the script.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis
Bins: op, bash
Env: OP_SERVICE_ACCOUNT_TOKEN
Primary env: OP_SERVICE_ACCOUNT_TOKEN
Latest version id: vk97dn7tjjdjt7j1jbgzrgtq96s82ctgw
Updated 6h ago
License: MIT-0

Gateway Environment Injector

Bake secrets from 1Password into macOS LaunchAgent plists so the gateway needs no separate plaintext key file. Uses op read to fetch secrets and /usr/libexec/PlistBuddy to inject them directly into the plist's EnvironmentVariables block. Note that the plist itself is a plaintext file under ~/Library/LaunchAgents, so the injected values do end up on disk (see the security scan above); restrict the plist's permissions after each run and keep the 1Password service account scoped to read-only access on the vault it needs.

Why This Exists

  • launchctl setenv doesn't inject into a plist's own EnvironmentVariables block
  • Environment variables in .zshrc aren't available to LaunchAgents
  • Plaintext key files are a security risk
  • 1Password service accounts can be scoped to read-only access on specific vaults and rotated without touching a user login

Usage

bash scripts/inject-gateway-env.sh

Reads each key from 1Password, injects it into the gateway plist, then restarts the service.

What It Injects

Configurable list of op://Vault/Item/field references mapped to environment variable names. Modify the script's KEYS array for your setup.
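The following is an added example of the procedure described above, written for this page; it is not the skill's bundled inject-gateway-env.sh, which is not shown here. It follows the same shape (a KEYS array of ENV_NAME=op://Vault/Item/field entries, op read per key, PlistBuddy into EnvironmentVariables, LaunchAgent restart) and folds in the scan's recommendations: the service-account token is exported only for the op calls and never written into the plist, the token file must be mode 600 before anything runs, the plist is chmod 600 after injection, and the script warns if the plist's ProgramArguments path is a symlink (the TCC lesson below). The vault, item and field names, the default --run / dry-run convention, and the helper names are assumptions, not the skill's.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own script): inject 1Password secrets into a
# LaunchAgent plist's EnvironmentVariables block with PlistBuddy.
# Assumptions (hypothetical): vault "Gateway" and the item/field names in KEYS;
# the label/plist path match the OpenClaw gateway LaunchAgent named on this page.
set -euo pipefail

LABEL="${LABEL:-ai.openclaw.gateway}"
PLIST="${PLIST:-$HOME/Library/LaunchAgents/$LABEL.plist}"
TOKEN_FILE="${TOKEN_FILE:-$HOME/.config/openclaw/.op-service-token}"
PLISTBUDDY="${PLISTBUDDY:-/usr/libexec/PlistBuddy}"

# ENV_NAME=op://Vault/Item/field   (vault/item/field names are placeholders)
KEYS=(
  "OPENAI_API_KEY=op://Gateway/OpenAI/credential"
  "ANTHROPIC_API_KEY=op://Gateway/Anthropic/credential"
  "GEMINI_API_KEY=op://Gateway/Gemini/credential"
)
# Deliberately NOT in KEYS: OP_SERVICE_ACCOUNT_TOKEN. The gateway does not need
# the 1Password token itself, and baking it into the plist widens the blast radius.

# Octal mode of a file, portable across BSD (macOS) and GNU stat.
file_mode() {
  if [[ "$(uname)" == Darwin ]]; then stat -f %Lp "$1"; else stat -c %a "$1"; fi
}

# A secret reference must look like op://vault/item[/section]/field.
valid_op_ref() { [[ "$1" =~ ^op://[^/]+/[^/]+(/[^/]+)+$ ]]; }

# Env var names must be shell-safe; values must be single-line with no quotes or
# backslashes, because they are handed to PlistBuddy inside a -c command string.
valid_env_name()  { [[ "$1" =~ ^[A-Z_][A-Z0-9_]*$ ]]; }
valid_env_value() { [[ -n "$1" && "$1" != *$'\n'* && "$1" != *'"'* && "$1" != *\\* ]]; }

# Split "NAME=op://..." into "NAME ref" on one line; fails on a malformed entry.
parse_key_entry() {
  local name=${1%%=*} ref=${1#*=}
  valid_env_name "$name" && valid_op_ref "$ref" || return 1
  printf '%s %s\n' "$name" "$ref"
}

# Set or add one entry in the plist's EnvironmentVariables dict.
plist_set_env() {   # plist name value
  local plist=$1 name=$2 value=$3
  "$PLISTBUDDY" -c 'Print :EnvironmentVariables' "$plist" >/dev/null 2>&1 ||
    "$PLISTBUDDY" -c 'Add :EnvironmentVariables dict' "$plist"
  # 'Set' fails if the key is absent and 'Add' fails if it is present, so try both.
  "$PLISTBUDDY" -c "Set :EnvironmentVariables:$name \"$value\"" "$plist" 2>/dev/null ||
    "$PLISTBUDDY" -c "Add :EnvironmentVariables:$name string \"$value\"" "$plist"
}

inject_all() {
  [[ "$(file_mode "$TOKEN_FILE")" == 600 ]] ||
    { echo "refusing: $TOKEN_FILE must be mode 600" >&2; return 1; }
  local token entry name ref value prog
  token=$(<"$TOKEN_FILE")
  for entry in "${KEYS[@]}"; do
    read -r name ref < <(parse_key_entry "$entry") || { echo "bad entry: $entry" >&2; return 1; }
    # The token is exported only for this op call; it never reaches the plist.
    value=$(OP_SERVICE_ACCOUNT_TOKEN="$token" op read "$ref")
    valid_env_value "$value" || { echo "refusing: unsafe value for $name" >&2; return 1; }
    plist_set_env "$PLIST" "$name" "$value"
  done
  chmod 600 "$PLIST"   # the plist now holds plaintext secrets: lock it down
  # TCC grants follow the launched executable; a symlink (e.g. NVM) can lose them.
  prog=$("$PLISTBUDDY" -c 'Print :ProgramArguments:0' "$PLIST")
  [[ -L "$prog" ]] && echo "warning: $prog is a symlink; TCC permissions may not persist" >&2
  launchctl bootout "gui/$(id -u)/$LABEL" 2>/dev/null || true
  launchctl bootstrap "gui/$(id -u)" "$PLIST"
  echo "injected ${#KEYS[@]} vars into $PLIST (mode $(file_mode "$PLIST"))"
}

# Dry run: validate and print the plan without touching 1Password or the plist.
dry_run() {
  local entry
  for entry in "${KEYS[@]}"; do parse_key_entry "$entry" || return 1; done
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  case "${1:-}" in --run) inject_all ;; *) dry_run ;; esac
fi
```

Run it once without arguments to see which variables would be injected from which references, then with --run to perform the injection; afterwards confirm the plist is mode 600 and that none of the injected names is OP_SERVICE_ACCOUNT_TOKEN.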

Key Lesson

Changing the Node binary path (even to a symlink) can silently revoke macOS TCC permissions. Always keep the gateway plist locked to the Homebrew Cellar path, not an NVM symlink.

Files

  • scripts/inject-gateway-env.sh — Injection script with 1Password integration
