op-session
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to interact with the 1Password CLI (op) for session initialization and secret retrieval operations.\n- [CREDENTIALS_UNSAFE]: The skill initializes and manages 1Password session tokens by storing them in a local file at ~/.op-claude-session. Although the script implements umask 077 to ensure the file is only readable by the owner, the storage of sensitive session tokens in plaintext on the filesystem represents an inherent risk.\n- [PROMPT_INJECTION]: The op-with-session.sh script acts as a wrapper that passes arbitrary arguments to the op command, creating a surface for indirect prompt injection where a malicious input could lead the agent to execute unintended 1Password actions.\n
- Ingestion points: Command-line arguments passed to scripts/op-with-session.sh by the agent.\n
- Boundary markers: None present in the wrapper script or instructions.\n
- Capability inventory: Full access to 1Password CLI commands within the scope of the authenticated session.\n
- Sanitization: No validation or escaping is performed on the arguments before they are passed to the op command.
Audit Metadata