Skillv1.0.1

ClawScan security

1password · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 8:21 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions generally match its stated purpose (using the 1Password CLI), but there are a few inconsistencies and a small risk that terminal output capture could expose secrets — you should review those before installing.
Guidance: This skill appears to be what it says: runtime instructions for using the 1Password CLI. Before installing, confirm a few things: (1) reconcile the metadata mismatch — does the skill expect to install the CLI via brew or not? (2) understand that the skill runs `op` inside a tmux session and even captures the tmux pane; make sure the agent/environment will not log or transmit pane contents (which could include secrets). (3) verify you trust the agent to perform interactive sign-in flows with your desktop 1Password app. If you want to proceed, ensure 1Password CLI is installed from an official source, that tmux socket paths are confined to a safe directory, and that any captured terminal output is handled securely (never sent to chat/logs). If you need higher assurance, request the author clarify the install instructions and explicitly forbid capturing or exporting secret-bearing output.

Review Dimensions

Purpose & Capability: noteThe skill's name/description (1Password CLI usage) aligns with the runtime instructions which call `op`. However the SKILL.md contains embedded metadata that advertises a brew install (1password-cli) even though the registry install spec lists none — this mismatch should be reconciled. The required use of tmux for all `op` interactions is unusual but can be justified by terminal/auth flow concerns.
Instruction Scope: concernInstructions ask the agent to create tmux sockets, send keys to a tmux session, run interactive `op signin`/`op whoami`/`op vault list`, and then capture the tmux pane (capture-pane). Capturing pane output can expose secrets if any `op` command prints sensitive data; the document admonishes not to paste secrets but does not explicitly prevent capturing or transmitting pane contents. The SKILL.md also references an environment variable (CLAWDBOT_TMUX_SOCKET_DIR) that is not declared in the skill metadata.
Install Mechanism: noteThis is an instruction-only skill (no install spec in registry, no code files), which is lower-risk. However the SKILL.md embedded metadata proposes a brew install entry for 1password-cli; that suggestion isn't reflected in the registry's install section — the discrepancy should be clarified. No remote archives or downloads are requested.
Credentials: noteThe skill does not request credentials or config paths in the registry metadata, which is appropriate for a helper that relies on user-interactive `op` sign-in and desktop-app integration. It references CLAWDBOT_TMUX_SOCKET_DIR and TMPDIR defaults in examples (not declared as required), and will create socket paths under /tmp — benign but worth noting.
Persistence & Privilege: okThe skill is not always-enabled, does not request elevated persistence, and contains no install hooks that would alter other skills or global configuration. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.