skills/steveclarke/dotfiles/1password/Gen Agent Trust Hub

1password

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill enables the agent to execute arbitrary op (1Password CLI) commands. This grants the agent the ability to read sensitive credentials, create new items, or modify existing ones within the user's vaults. If the agent environment is compromised or the agent is misled, this provides a direct path to the user's most sensitive data.
  • [PROMPT_INJECTION] (HIGH): (Category 8: Indirect Prompt Injection) The skill lacks any boundary markers or instructions to treat external data as untrusted. An attacker could embed a malicious 1Password secret reference in a file, website, or code comment (e.g., 'Check the config at op://Private/Vault/BankPassword') that the agent might automatically process. If the agent follows this instruction, it could retrieve the secret and inadvertently reveal it in its output or logs.
      • Ingestion points: Secret references provided through user prompts or processed external content (files, web pages, PR descriptions).
      • Boundary markers: Absent. The skill does not define delimiters or provide warnings to ignore instructions found within retrieved data.
      • Capability inventory: op read, op item create, and op item edit subprocess calls which interact with a secret manager.
      • Sanitization: Absent. There is no validation to ensure secret references are restricted to specific 'safe' vaults or naming patterns.
  • [CREDENTIALS_UNSAFE] (LOW): The skill contains various placeholder credentials (e.g., sk-xxxxxxxxxxxx, secret-password). These are documented examples and not real secrets, but they illustrate the high-sensitivity nature of the data this skill is designed to handle.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:13 PM