Skillv0.2.2

ClawScan security

Wip 1password Private · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 4:04 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement a 1Password service-account based plugin as described, but its manifest/inventory omits the sensitive file/credential requirements and there are a few metadata/install inconsistencies you should resolve before trusting it with secrets.
Guidance: Key things to check before installing or enabling this skill: - Metadata mismatch: SKILL.md and code expect a 1Password service-account token at ~/.openclaw/secrets/op-sa-token (or via OP_SERVICE_ACCOUNT_TOKEN), but the registry metadata lists no required env/config or primary credential. Treat that as a red flag until resolved. Ask the publisher to update the manifest to explicitly declare tokenPath and any env vars required. - Inspect the source before use: review src/index.ts and mcp-server.mjs (both present in the package) to confirm they only call the official 1Password SDK or invoke the `op` CLI as documented, and that there are no unexpected network endpoints, logging of secrets, or attempts to write secrets to disk. - Minimize service-account permissions: create a service account scoped only to the specific custom vaults and use read_items only unless you explicitly need write_items. Prefer read-only tokens for routine use and only allow write_items if you trust the code and need write operations. - Allowlist tools and limit autonomous access: ensure agent tool allowlisting is restrictive (op_read_secret, op_list_items, op_write_secret should be optional and only granted when necessary). Avoid allowing the skill to run broadly across agents without review. - Test in isolation: enable the plugin in a test environment or VM first, with a service account limited to a non-production vault. Verify behavior with a dry-run and audit logs. - Verify package provenance: the SKILL.md references npm package @wipcomputer/wip-1password and a GitHub repo. Confirm the package on npm and its source repository match the files you reviewed and are published by the expected maintainer. If the published package differs from the repo contents, treat it as suspicious. - Rotation and incident plan: be ready to rotate any tokens you provide for testing. If you later grant this skill access to production vaults, plan and document a token rotation strategy. If you want, I can list the exact lines in src/index.ts and mcp-server.mjs to review for calls to external endpoints, subprocess usage, or any places secrets are written or logged (I can parse the files and summarize suspicious code patterns).

Review Dimensions

Purpose & Capability: concernThe code and SKILL.md describe a coherent 1Password secrets plugin (resolve op:// refs, read/write secrets, list vault items) which matches the stated purpose. However the registry metadata claims no required env vars/config paths/primary credential, while the runtime instructions and developer docs require a service-account token stored at ~/.openclaw/secrets/op-sa-token (and sometimes reference OP_SERVICE_ACCOUNT_TOKEN). That omission is an inconsistency: a secrets plugin legitimately needs the service account token and a tokenPath config, but the skill metadata does not declare them.
Instruction Scope: okThe runtime instructions focus on resolving op:// references, providing agent tools (op_read_secret, op_list_items, op_write_secret), and registering a startup resolver — all within the stated scope. The SKILL.md and docs instruct the plugin to read a service-account token from disk and to set process.env.OPENAI_API_KEY at startup; they also give developer examples that shell out to the `op` CLI. Those I/O and subprocess actions are expected for this plugin type, though they are sensitive because they handle secrets.
Install Mechanism: noteThere is no registry-level install spec recorded, yet the SKILL.md includes an openclaw.install section and npm install instructions for @wipcomputer/wip-1password (an ordinary npm package). Installing via npm is reasonable. There are no downloads from arbitrary URLs or obfuscated installers in the files provided.
Credentials: concernThe skill requires access to a 1Password service account token and will read a token file at ~/.openclaw/secrets/op-sa-token (and/or use OP_SERVICE_ACCOUNT_TOKEN when invoking `op`). Those sensitive access details are not declared in the registry metadata (no required env vars/config paths/primary credential). The plugin also sets process.env.OPENAI_API_KEY from a retrieved secret, which is expected for its purpose but increases the blast radius if misconfigured. Ensure the service account has minimal permissions (read-only for configured vaults) and that the token path is acceptable to you.
Persistence & Privilege: okalways: false and model invocation/autonomous use are default. The plugin registers a startup resolver service (normal for a plugin that mutates runtime config) but does not request permanent platform-wide privileges in the manifest. It does read a user-local token file and modifies process.env for the process — expected behavior for a secrets resolver but should be considered sensitive.