1password
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the '1password-cli' package using the Homebrew package manager (brew), which is a well-known service.
- [COMMAND_EXECUTION]: The skill executes various shell commands through the 1Password CLI ('op') and manages complex terminal interactions using 'tmux'. It dynamically sends keys to a tmux session, which includes executing authentication and data retrieval commands.
- [DATA_EXFILTRATION]: The skill uses 'tmux capture-pane' to read the terminal's history into the agent's context. This is the primary mechanism for retrieving secrets from 1Password. While the skill instructs the agent not to paste secrets into logs, the capture of sensitive data like SSH keys and passwords directly into the LLM context constitutes a data exposure risk.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data from an external source.
  - Ingestion points: Secret content retrieved from 1Password items via 'op read', 'op inject', or 'tmux capture-pane' (file: SKILL.md, references/cli-examples.md).
  - Boundary markers: Absent; the skill does not define specific delimiters or instructions to ignore commands embedded within the retrieved secrets.
  - Capability inventory: The agent can execute arbitrary shell commands via tmux and the 'op run' command (file: SKILL.md).
  - Sanitization: No sanitization or validation of the secret content is performed before it is handled by the agent.
Audit Metadata