1password
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Executes the `op` command-line tool to perform secret management operations, including reading credentials and managing account sessions.
- [COMMAND_EXECUTION]: Utilizes `tmux` to manage TTY sessions, which is required to handle interactive authentication and biometric prompts from the 1Password desktop application.
- [CREDENTIALS_UNSAFE]: Specifically designed to interact with highly sensitive credentials such as private keys (`.pem`), database passwords, and OTP tokens. It attempts to mitigate risk via instructions forbidding the agent from outputting secrets to logs or chat.
- [EXTERNAL_DOWNLOADS]: Recommends the installation of the 1Password CLI through Homebrew (`brew install 1password-cli`), which is a well-known and trusted package management service.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes data retrieved from external 1Password vaults. Malicious instructions stored within secret fields could potentially influence the agent's behavior during data ingestion.
  - Ingestion points: Secret data is read into the agent's context using `op read`, `op run`, and `op inject` as described in `SKILL.md` and `references/cli-examples.md`.
  - Boundary markers: There are no explicit delimiters or 'ignore embedded instructions' warnings applied to the data retrieved from the vault.
  - Capability inventory: The agent possesses capabilities for shell command execution, terminal session management via `tmux`, and software installation via `brew`.
  - Sanitization: No sanitization or validation of the content retrieved from 1Password is performed before the agent processes it.
Audit Metadata