Skill v0.1.0

ClawScan security

1Password Cli For Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 11:22 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's instructions correctly describe using the 1Password CLI and a service account token, but the skill metadata does not declare the sensitive OP_SERVICE_ACCOUNT_TOKEN (or any primary credential), which is an important incoherence and a security concern.
Guidance
This SKILL.md is coherent in explaining how to use the 1Password CLI, but it fails to declare the sensitive environment variable it requires. Before installing or enabling this skill:
1) Do not provide a broad/owner-level 1Password token; create a Service Account token with the minimum permissions and grant access only to a dedicated vault.
2) Insist that the skill metadata explicitly list OP_SERVICE_ACCOUNT_TOKEN as the primary credential, so the platform can surface and protect it.
3) Store the token securely (secret manager or platform-provided secret field), avoid putting it in plaintext .env files, and rotate it regularly.
4) Limit agent autonomy or audit agent actions if you allow autonomous invocation (agents with access to the token can read/write secrets).
5) Test in a restricted environment/vault first and enable logging/auditing of access.
These steps will reduce the risk posed by the currently missing metadata and the powerful credential the skill requires.

Review Dimensions

Purpose & Capability
note: The SKILL.md describes a 1Password CLI helper for agents (listing, reading, creating, editing, deleting items), which matches the skill name and purpose. However, the metadata declares no required environment variables or primary credential even though the instructions explicitly require OP_SERVICE_ACCOUNT_TOKEN.
Instruction Scope
ok: Instructions are concrete and scoped to using the 'op' CLI and a service account token to access a dedicated vault. They do not ask the agent to read unrelated system files or other credentials. They do instruct adding OP_SERVICE_ACCOUNT_TOKEN to a .env file or the environment, and warn not to print secrets.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code, so it carries the lowest install risk. It sensibly directs users to official 1Password install channels (brew or the official docs).
Credentials
concern: The instructions require a highly sensitive OP_SERVICE_ACCOUNT_TOKEN (a service account token with vault access), but the skill metadata does not declare any required env vars or a primaryEnv. Requesting an all-powerful service token is proportional to the stated functionality only if the token is limited to the specific 'Agent Vault' and least privilege is enforced. The missing declaration in the metadata is an inconsistency and increases risk because users or platforms may not realize which secret the skill expects or how it will be used.
Persistence & Privilege
ok: The skill does not request persistent presence (always: false) and does not ask to modify other skills or system settings. Autonomous invocation is allowed by default on the platform; combined with access to a vault token this increases the blast radius, but it is platform-normal.