1password
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The skill automates the installation of the official '1password-cli' using the Homebrew package manager ('brew install 1password-cli'). This is considered a trusted source and standard installation method.
- [COMMAND_EXECUTION] (LOW): The workflow mandates the use of 'tmux' to wrap 'op' command execution. This involves dynamic command assembly and interaction with a persistent TTY session. While used here to manage authentication states, it represents a complex execution path.
- [DATA_EXFILTRATION] (LOW): The skill's purpose is to retrieve sensitive data from 1Password vaults. Although it includes a guardrail stating 'Never paste secrets into logs, chat, or code', the 'op run --no-masking' example in 'cli-examples.md' explicitly disables secret masking, which could lead to accidental exposure in agent logs if misused.
- [PROMPT_INJECTION] (LOW): This skill is susceptible to indirect prompt injection.
  - Ingestion points: Content retrieved from 1Password items via 'op read', 'op run' (environment variables), or 'op inject' (template processing).
  - Boundary markers: None; retrieved data is treated as trusted content.
  - Capability inventory: The skill allows command execution via 'tmux', file writing via 'op inject -o', and the underlying 'op' CLI performs network operations to sync vaults.
  - Sanitization: There is no evidence of sanitization or validation performed on the data fetched from the external 1Password service before it is processed by the agent.