by 安全扫描
OpenClaw
可疑
medium confidenceThe instructions align with a 1Password CLI service-account workflow, but the package metadata omits the critical required binary and environment-variable declarations and the skill would gain powerful secret-management capabilities if given a service account token—review source, token scope, and storage before installing.
评估建议
This skill is coherent with a 1Password CLI workflow but has two practical concerns you should resolve before installing: (1) confirm the skill's source and owner (the package metadata and _meta.json entries don't match and there's no homepage), and (2) never give it an OP_SERVICE_ACCOUNT_TOKEN unless you first restrict that service account to the minimal vault and permissions needed (prefer read-only while testing), avoid storing the token in plaintext .env if possible, and enforce rotation/aud...详细分析 ▾
⚠ 用途与能力
The SKILL.md clearly requires the 1Password CLI (`op`) and an OP_SERVICE_ACCOUNT_TOKEN environment variable, but the registry metadata lists no required binaries or environment variables. That mismatch is incoherent: a 1Password integration should declare the CLI and the primary credential. The declared purpose (manage secrets in a dedicated vault) does justify the token and CLI, but the metadata omission is a red flag.
ℹ 指令范围
The runtime instructions stay within the stated purpose: they show how to authenticate, list vaults, read/create/edit/delete items, and advise using JSON output and not printing tokens. The instructions do ask the agent/operator to place OP_SERVICE_ACCOUNT_TOKEN in .env or export it, which implies modifying environment/configuration. They do not instruct the agent to read unrelated system files or send data to external endpoints beyond the 1Password CLI.
✓ 安装机制
This is an instruction-only skill (no install spec, no code files). That minimizes direct install risk. The SKILL.md tells the user to install the official 1Password CLI via brew or the vendor docs—reasonable and low-risk because no arbitrary downloads are specified by the skill itself.
⚠ 凭证需求
The skill requires a powerful credential (OP_SERVICE_ACCOUNT_TOKEN) capable of reading and modifying vault items, which is consistent with the described functionality but highly sensitive. The metadata does not declare this required environment variable, which is an inconsistency. The instructions recommend storing the token in .env, which can be insecure—token storage, scope (ensure limited to a single vault and least privilege), and rotation policies should be verified before granting it.
ℹ 持久化与权限
always is false and the skill does not request system-wide modifications. However, default autonomous invocation is allowed; combined with a service-account token that permits write/delete actions, this increases risk. There's no indication the skill modifies other skills or global agent config.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/24
Initial release of 1Password CLI integration for agents. - Enables secure access to 1Password vaults using the 1Password CLI and a Service Account token. - Provides clear setup instructions, including prerequisites for CLI tool, service account creation, and environment variable configuration. - Documents commands for authenticating, listing vaults, reading, creating, editing, and deleting secrets. - Includes tips for secure usage, structured output, and troubleshooting common issues.
● 无害
安装命令 点击复制
官方npx clawhub@latest install 1password-cli-bak
镜像加速npx clawhub@latest install 1password-cli-bak --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制