1password
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill provides explicit examples of writing sensitive credentials to the local file system (e.g.,
op read --out-file ./key.pem). This increases the risk of local data exposure and subsequent exfiltration by other malicious processes. - [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: The skill accepts arbitrary vault paths and secret references from the user or previous agent steps in
cli-examples.mdandSKILL.md. - Boundary markers: None. There are no delimiters or instructions to ignore embedded instructions in the data being read.
- Capability inventory: The skill can read any secret the authenticated user has access to, write them to files, or inject them into the environment of other processes.
- Sanitization: No sanitization or validation of the requested secret paths is performed.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses
tmuxto manage authentication state and session persistence. It usestmux send-keysto execute commands, which can be a brittle and dangerous way to handle sensitive inputs if not properly escaped. - [EXTERNAL_DOWNLOADS] (LOW): The skill installs the
1password-cliusing Homebrew (brew install). While Homebrew is a standard package manager, the installation of external binaries always carries a baseline risk.
Recommendations
- AI detected serious security threats
Audit Metadata