Downloads: 610
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install secure-autofill
Description
1Password-backed credential filling via vault_suggest/vault_fill (plugin tools).
Usage Guidance
Before installing or running this skill:
- Treat OP_SERVICE_ACCOUNT_TOKEN as a sensitive secret. Do not paste it into chat. Prefer creating a least-privileged 1Password service account/token for this use.
- The metadata claims no required env vars but the skill will prompt to write OP_SERVICE_ACCOUNT_TOKEN (and DISPLAY/WAYLAND_DISPLAY) into a skill-local config and optionally into your gateway env (~/.config/openclaw/env). This is a material mismatch — expect the gateway process to gain access to the token if you allow copying.
- The onboarding script can restart your openclaw-gateway systemd user service; only proceed if you understand and trust that service.
- Verify the presence and provenance of the external tools the skill depends on (vault_suggest, vault_fill) and confirm they are allowed in your tool allowlist before enabling them.
- Review the included onboard.sh yourself (it's short and readable) and run it manually in a terminal rather than letting an automated agent perform the onboarding.
- If you decide to proceed, restrict file permissions on any env file that contains the OP token, and consider not copying the token into the gateway env (use skill-local config) unless necessary.
Given the metadata mismatch around required environment access and the sensitive token handling, proceed only after manual review and after applying least-privilege principles.
Capability Analysis
Type: OpenClaw Skill
Name: secure-autofill
Version: 0.1.0
The skill is classified as suspicious because of the extensive system-level actions it instructs the OpenClaw agent to perform. These are necessary for its stated purpose but introduce significant risk. The `SKILL.md` instructs the agent to execute `sudo` commands for installing Google Chrome, modify systemd user service files (`~/.config/systemd/user/openclaw-gateway.service.d/override.conf`) to configure environment variables, and restart the `openclaw-gateway` service. Additionally, the `scripts/onboard.sh` script handles sensitive `OP_SERVICE_ACCOUNT_TOKEN` values and modifies configuration files (`config.env`, `~/.config/openclaw/env`). If exploited through agent compromise or prompt injection, these capabilities could lead to unauthorized command execution or persistence, despite the skill's apparently benign intent of secure credential autofill.
Capability Assessment
Purpose & Capability
The name and description claim 1Password-backed autofill; the included files (SKILL.md + onboard.sh) implement exactly that. However, the registry metadata declares no required env or primary credential, while the runtime docs and script clearly expect and handle OP_SERVICE_ACCOUNT_TOKEN and gateway env updates. The missing declaration is an inconsistency that affects trust decisions.
Instruction Scope
Instructions ask the operator/agent to write machine-local and gateway env files, optionally copy OP_SERVICE_ACCOUNT_TOKEN into the gateway env, modify tool allowlists, and restart the openclaw-gateway systemd user service. These actions are within the scope needed to enable a plugin that types secrets into the browser, but they involve modifying user config and restarting services and therefore touch sensitive local state.
Install Mechanism
There is no network install/download; the skill is instruction-first and ships a small onboarding script. No remote archives, URLs to execute, or package installs are performed by the skill itself (the SKILL.md suggests manually installing Chrome from Google's apt repo, which is a standard, explicit step).
Credentials
The functionality legitimately needs a 1Password service token (OP_SERVICE_ACCOUNT_TOKEN) and display-related env vars, but the skill metadata lists no required env vars. The onboarding script will propose copying the OP token into a gateway env file, and the gateway process would therefore gain access to it; this is sensitive and should be explicitly declared and justified in metadata. Apply the principle of least privilege to any token used.
Persistence & Privilege
The skill does not request always:true and won't install persistent binaries. It does instruct optionally modifying the gateway env and restarting the openclaw-gateway user service so the gateway process can read the token — this grants the gateway process access to the secret and increases blast radius if the gateway is compromised. That behavior is plausible for the stated purpose but worth deliberate consent.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install secure-autofill`
- After installation, invoke the skill by name or use `/secure-autofill`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial public release
Frequently Asked Questions
What is Secure Autofill?
1Password-backed credential filling via vault_suggest/vault_fill (plugin tools). It is an AI Agent Skill for Claude Code / OpenClaw, with 610 downloads so far.
How do I install Secure Autofill?
Run "/install secure-autofill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Secure Autofill free?
Yes, Secure Autofill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Secure Autofill support?
Secure Autofill is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Secure Autofill?
It is built and maintained by Zhihao (@moodykong); the current version is v0.1.0.