secrets
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands via the 1Password CLI (`op`) to generate (`op item create`) and retrieve (`op item get`) sensitive credentials.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it processes user-supplied item names and handles the resulting secret data in subsequent steps.
  - Ingestion points: Untrusted data enters the agent context through prompts for 1Password item names in `SKILL.md`.
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to treat the retrieved content as untrusted or to ignore embedded instructions.
  - Capability inventory: The agent can execute shell commands (`op`) and perform "remote API calls," which could be used to exfiltrate secrets if the target is manipulated.
  - Sanitization: None. The skill does not validate the item names or the retrieved secret content before processing.
- [DATA_EXFILTRATION]: The skill instructs the agent to retrieve secrets and use them in "remote API calls," establishing a data flow from a secure vault to external network endpoints. It also suggests storing sensitive values in the system clipboard or temporary files, which increases the risk of credential exposure to other applications or processes on the system.
Audit Metadata