1password Hardened
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent 1Password CLI helper, but it intentionally helps an agent authenticate to 1Password and handle vault secrets, so users should scope requests carefully.
Install only if you want the agent to help with 1Password CLI workflows. Keep requests specific, authorize only the needed account, avoid printing raw secrets, and verify any secret-reading command before it runs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized, the agent may be able to access secrets available to the selected 1Password account.
The skill instructs the agent to authenticate to a 1Password account and operate under that account context. This is expected for the purpose, but it is sensitive delegated access.
Sign in / authorize inside tmux: `op signin` ... Verify access inside tmux: `op whoami` ... If multiple accounts: use `--account` or `OP_ACCOUNT`.
Authorize only the intended account, give the agent exact vault/item/field targets, and sign out or close the tmux session when finished.
Mistyped or overly broad commands could list or access more 1Password data than intended.
The skill uses shell/tmux automation to run `op` commands. This is central to the stated workflow and includes safety constraints, but users should still review commands that touch secrets.
REQUIRED: create a fresh tmux session for all `op` commands ... tmux -S "$SOCKET" send-keys ... "op vault list" Enter
Review secret-related commands before execution and keep requests narrowly scoped to the specific item or field needed.
Secrets could be exposed if printed into chat, logs, tmux captures, or files.
The skill handles resolved secrets and explicitly warns against putting them into persistent chat/log/code contexts or files.
Never paste secrets into logs, chat, or code. Prefer `op run` / `op inject` over writing secrets to disk.
Prefer `op run` or `op inject`, avoid asking the agent to print secret values, and keep command output masked whenever possible.
The agent may lack the referenced vetted examples and could need to rely on official documentation or user guidance.
The SKILL references local documentation files, but the provided manifest contains only `SAFETY.md` and `SKILL.md`, so those referenced files were not available for review.
`references/get-started.md` (install + app integration + sign-in flow) ... `references/cli-examples.md` (real `op` examples)
Verify any install or `op` command against the official 1Password CLI documentation before running it.
A user might assume all safety-report guardrails are active in the runtime skill instructions.
The safety document describes a no-masking guardrail as applied, but the reviewed SKILL.md content does not explicitly include that exact prohibition. This is a documentation consistency issue rather than evidence of malicious behavior.
Default Guardrails ... Applied in SKILL.md ... Never use `op run --no-masking`
Before relying on the skill for secret-heavy workflows, add or verify an explicit rule forbidding unmasked secret dumps such as `op run --no-masking -- printenv`.
