
Security audit

Wip 1password Private

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it gives AI direct read/write access to 1Password secrets and has weak safeguards around exposing or changing credentials.

Install only with a least-privilege 1Password service account scoped to a dedicated vault. Avoid granting write_items unless you specifically need agent-managed secrets, review every write request, and do not expose this MCP server to untrusted prompts or workflows until command construction and authorization controls are tightened. Treat the local ops_ token like a production credential and rotate it if it appears in logs, shell history, or shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The README states secrets are never written to environment-like surfaces, but it explicitly instructs setting resolved secrets in process.env at startup. Environment variables are broadly accessible to in-process code and may be exposed through crash reports, debugging tools, child processes, or accidental logging, so the documentation materially understates the exposure boundary.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The security section claims secrets are never cached, while the developer guidance recommends caching resolved secret values for the session. This inconsistency can cause operators and downstream developers to adopt weaker handling assumptions than are actually true, increasing the chance of overexposure during debugging, memory inspection, or reuse across components.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The documentation presents the skill as a secret-reading capability, then later instructs implementers to add an `op_write_secret` tool. This mismatch can cause operators or allowlist reviewers to grant access under the false assumption that the plugin is read-only, expanding the blast radius to secret tampering or persistence changes.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The manifest description says the plugin reads secrets via the SDK, but the implementation instructions later add secret-writing functionality. Security reviewers and users often rely on manifest metadata for trust decisions, so inaccurate capability labeling can lead to underestimating the risk of installing or allowlisting the plugin.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The tool explicitly returns the full secret value in its result payload even though its own description warns that the value should never be logged or echoed. In an agent/plugin environment, tool outputs are commonly surfaced to the model, transcripts, logs, or downstream integrations, so this creates a direct secret-exfiltration path if the tool is invoked by an untrusted prompt or exposed workflow.

Intent-Code Divergence

Severity: Low
Confidence: 82%
Finding
The CLI command is described as a dry run, but it actually resolves live op:// references and reads real secrets before printing redacted previews of them. Even with redaction, this performs real secret access on user-supplied files and may mislead operators into believing no sensitive material is being touched.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill explicitly exposes secret-reading and secret-writing capabilities against a 1Password vault, including creating new secrets, but does not present a clear warning, confirmation requirement, or safety guidance around modifying sensitive data. In a secrets-management skill, write access materially increases the chance of accidental credential overwrite, secret sprawl, or unauthorized persistence if an agent is misdirected or compromised.

Missing User Warnings

Severity: Medium
Confidence: 74%
Finding
The documentation exposes a secret-writing capability for agents without emphasizing the risk of modifying or poisoning stored credentials. In an agent setting, write access to a secrets manager materially increases the blast radius: a compromised or misaligned agent could replace API keys, persist attacker-controlled credentials, or sabotage downstream services.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The README exposes a secret-writing capability that lets agents create or update stored credentials, but it does not prominently warn users that enabling write_items allows runtime mutation of credential state. In an agent context, write access materially raises the risk of persistence, credential replacement, sabotage, or planting attacker-controlled secrets for later use.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The instructions tell users to store a long-lived service account token locally, but they do not prominently emphasize that this token is a highly sensitive credential with durable access to the configured vault. Without clear warning, users may mishandle backups, sync the file, expose it to other tooling, or underestimate the consequences of compromise.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The guide instructs users to store a long-lived 1Password service account token in a predictable file path on disk, but does not prominently warn that this credential grants ongoing vault access and must be protected like a root secret. Disk persistence increases exposure through backups, developer workstations, endpoint compromise, and accidental inclusion in support bundles or home-directory sync tools.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The instructions create a non-expiring service account token with `--expires-in 0`, which produces an indefinite credential for secret access. Long-lived credentials materially increase the chance that a leaked token remains valid long enough to be abused for persistent unauthorized access.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding
The document gives step-by-step instructions to create, update, and delete secrets in a real 1Password vault without an explicit warning that these are destructive credential-management actions. In an agent-skill context, operational instructions involving live secret stores increase the chance of unintended modification of production secrets or vault state.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The document explicitly states that sensitive tokens remain in plaintext on disk in auth-profiles.json, but frames this as a limitation without a strong security warning or compensating controls. That normalizes an insecure storage condition and could lead operators to leave high-value credentials exposed to local compromise, backup leakage, or accidental sharing.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The guide instructs users to persist a live 1Password service-account token to a local file and even demonstrates doing so with shell redirection. Although it applies chmod 600, the documentation does not clearly warn that this is a long-lived credential with access to secrets and that writing it to disk increases exposure through backups, shell history mishandling, endpoint compromise, and accidental disclosure.

Missing User Warnings

Severity: Low
Confidence: 97%
Finding
The code builds a shell command with untrusted input and passes it to execSync as a single string, which enables command injection. Parameters such as vault, item, and field can contain shell metacharacters; even though some values are quoted, command substitution inside double quotes can still execute arbitrary commands, potentially exposing the 1Password service account token or allowing arbitrary code execution under the server's privileges.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The manifest description includes broad trigger phrases such as "get the API key," "read secret," and "what's the token for," which can cause the skill to activate during ordinary conversation about credentials rather than only on explicit, high-confidence secret-management requests. In a skill with direct read/write access to a 1Password service account, overbroad activation increases the chance of unnecessary secret access, unintended disclosure workflows, or privilege use without sufficiently clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The write tool can create or modify vault items immediately based solely on tool parameters, with no confirmation, policy gate, or runtime warning. In an agent setting, prompt injection or mistaken automation could cause unauthorized rotation, corruption, or planting of credentials in the secrets store.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
On service startup, the plugin silently resolves a specific secret and injects it into process.env, making the credential broadly accessible to any code running in the same process. This expands the secret's exposure surface beyond the plugin and creates implicit behavior that users may not realize is occurring.

VirusTotal

64/64 vendors flagged this skill as clean.
