1Password Browser Login
Warn. Audited by ClawScan on May 10, 2026.
Overview
Review needed: this is a coherent 1Password login helper, but it gives the agent broad password-manager and authenticated-browser authority that is not tightly scoped or declared in metadata.
Install or invoke this only if you are comfortable giving the agent controlled access to 1Password-backed logins. Use a least-privileged 1Password service account, limit it to the exact vault/items needed, confirm each vault/item/site/action before retrieval or browser automation, and avoid using it for financial, administrative, destructive, or public-posting actions without explicit extra approval.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: The agent could see the 1Password item/vault inventory and retrieve credentials for any vault the service account can access, then use those credentials to log in to third-party accounts.
Detail: The skill relies on a 1Password service-account token and instructs the agent to enumerate items/vaults and fetch item JSON containing username, password, and URL. This is aligned with the stated purpose, but it is high-impact and not tightly bounded to a specific vault or item.
Evidence (quoted from SKILL.md): OP_SERVICE_ACCOUNT_TOKEN is configured in ~/.zshrc ... op item list --format json ... op vault list --format json ... op item get "<ITEM_NAME>" --vault "<VAULT_NAME>" --format json
Recommendation: Use only with a least-privileged 1Password service account limited to specific vaults/items, require explicit user confirmation of the vault/item/site before retrieval, and declare the required credential and environment variable in metadata.
Finding 2
Impact: A mistaken or overly broad instruction could cause the agent to click on or download content from a logged-in account and send files back to the user.
Detail: The skill uses browser automation with real credentials and combines it with file downloads and local exec-based file movement. These actions are expected for the stated purpose, but they can affect authenticated accounts or expose downloaded data if the user task is ambiguous.
Evidence (quoted from SKILL.md): browser act kind=type ref=<password field> text=<password> ... download file | browser act kind=click triggers the download → exec finds the file and moves it to workspace → MEDIA
Recommendation: Confirm the target site, account item, and exact post-login task before acting; require extra approval for purchases, deletes, settings changes, posts, or other high-impact authenticated actions.
Finding 3
Impact: Invoking the skill may run local shell-startup commands in addition to the intended 1Password CLI command.
Detail: The skill repeatedly sources the user's shell startup file before running 1Password CLI commands. This appears intended to load OP_SERVICE_ACCOUNT_TOKEN, but sourcing ~/.zshrc executes whatever shell initialization commands that file contains.
Evidence (quoted from SKILL.md): source ~/.zshrc 2>/dev/null && op whoami 2>&1
Recommendation: Prefer a declared environment variable or a minimal credential-loading file rather than sourcing the full shell startup file; review ~/.zshrc before use.
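As an added example, not code from the audited skill or from ClawScan, the shell functions below show one way to apply two of the recommendations above together: the service-account token is read from a dedicated owner-only file instead of being loaded by sourcing ~/.zshrc, and `op item get` is only issued for vault/item pairs on an explicit allowlist, so an ambiguous task cannot widen retrieval to every vault the service account can reach. The token file path, the allowlist entries and the function names are assumptions; the `op` command lines are the ones quoted in the findings.

```shell
#!/usr/bin/env bash
# Added example, not part of the audited skill. Assumed paths and names throughout.

# Allowlist of "vault|item" pairs the agent may retrieve (constructed placeholders).
OP_ALLOWED_ITEMS="Agent Logins|example.com login
Agent Logins|wiki login"

# load_op_token [FILE]: export OP_SERVICE_ACCOUNT_TOKEN from a single-line file.
# The file is only read, never sourced, so it cannot run shell commands the way
# `source ~/.zshrc` can. Default path is an assumption.
load_op_token() {
  local file="${1:-$HOME/.config/op/service-account-token}"
  [ -f "$file" ] || { echo "token file not found: $file" >&2; return 1; }
  # Refuse group- or world-readable token files (GNU stat first, BSD stat fallback).
  local mode
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "refusing token file with mode $mode (expected 600 or 400)" >&2; return 1 ;;
  esac
  local token
  token=$(head -n 1 "$file")
  [ -n "$token" ] || { echo "token file is empty: $file" >&2; return 1; }
  export OP_SERVICE_ACCOUNT_TOKEN="$token"
}

# is_allowed_item VAULT ITEM: succeed only if the exact pair is allowlisted.
is_allowed_item() {
  local vault="$1" item="$2" line
  while IFS= read -r line; do
    [ "$line" = "$vault|$item" ] && return 0
  done <<EOF
$OP_ALLOWED_ITEMS
EOF
  return 1
}

# op_get_item VAULT ITEM: scoped wrapper around the `op item get` line quoted in the findings.
# It never enumerates vaults or items, and it refuses anything not on the allowlist.
op_get_item() {
  local vault="$1" item="$2"
  is_allowed_item "$vault" "$item" || {
    echo "refusing: '$item' in vault '$vault' is not allowlisted" >&2
    return 1
  }
  [ -n "$OP_SERVICE_ACCOUNT_TOKEN" ] || load_op_token || return 1
  op item get "$item" --vault "$vault" --format json
}
```

The file-mode and allowlist checks run without the 1Password CLI installed; only the final `op item get` needs `op` on the PATH and a service account that is itself scoped to the allowlisted vault, which keeps the wrapper a second layer rather than the only one.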
Finding 4
Impact: Users may not see the credential and CLI requirements at install or review time unless they read SKILL.md carefully.
Detail: The registry metadata does not declare the 1Password CLI, OP_SERVICE_ACCOUNT_TOKEN, or a primary credential, even though SKILL.md requires them. This is an under-declared dependency/credential contract rather than hidden code execution.
Evidence (quoted from the registry metadata): Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Recommendation: Declare the required 1Password CLI binary, the OP_SERVICE_ACCOUNT_TOKEN environment variable, and the credential's purpose in the skill metadata.
