1Password
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes `tmux` to wrap `op` CLI interactions. This technique is used to manage interactive authentication prompts (like biometrics or passwords) that require a TTY, which standard agent shell tools often lack.
- [EXTERNAL_DOWNLOADS]: The documentation references installing the 1Password CLI via Homebrew (brew), a trusted and well-known package management service.
- [DATA_EXFILTRATION]: By design, this skill accesses highly sensitive data stored in 1Password vaults, including passwords and private keys. It contains specific safety instructions to mitigate exposure, such as preferring `op run` (which masks secrets) over writing secrets to disk and strictly forbidding the pasting of secrets into logs or chat interfaces.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection through data retrieved from external 1Password vaults.
  - Ingestion points: Secrets and metadata are ingested via `op read`, `op vault list`, and `op inject` (SKILL.md, references/cli-examples.md).
  - Boundary markers: Absent; there are no specified delimiters to distinguish between vault data and agent instructions.
  - Capability inventory: The skill can write to the filesystem (`op read --out-file`, `op inject`) and execute commands with secret-populated environments (`op run`).
  - Sanitization: Absent; the skill does not define methods for sanitizing or validating content retrieved from the vaults before processing.