1password
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill installs the official 1Password CLI (op) via Homebrew, which is a well-known and trusted package management service.
- [SAFE]: Employs tmux sessions as defined in SKILL.md to handle CLI authentication requirements and maintain session state securely. This prevents credential-related prompts from failing or leaking into the shell's command history.
- [SAFE]: Includes explicit guardrails in SKILL.md that instruct the agent to avoid writing secrets to disk and to never output sensitive vault data into chat or logs.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests data from 1Password vaults, which the agent then processes.
  - Ingestion points: Secrets retrieved from the 1Password vault via `op read` or template files used in `op inject` (evidence in references/cli-examples.md).
  - Boundary markers: There are no instructions to use delimiters or ignore instructions found within the retrieved secret content.
  - Capability inventory: The skill can execute commands with injected secrets via `op run` and write processed templates to the filesystem via `op inject` (evidence in references/cli-examples.md).
  - Sanitization: No sanitization or validation of the retrieved vault content is performed before the data is integrated into the agent's workflow.
Audit Metadata