parkertoddbrooks

Wip 1password Private

by Parker Todd Brooks · GitHub ↗ · v0.2.2 · MIT-0
cross-platform ⚠ suspicious
Downloads 314
Stars 0
Active Installs 0
Versions 1
Install in OpenClaw
/install wip-1password
Description
Headless plugin for 1Password secrets using service accounts, resolving op:// references, reading/writing secrets, and listing vault items via JS SDK.
Usage Guidance
Key things to check before installing or enabling this skill:
- Metadata mismatch: SKILL.md and the code expect a 1Password service-account token at ~/.openclaw/secrets/op-sa-token (or via OP_SERVICE_ACCOUNT_TOKEN), but the registry metadata lists no required env/config or primary credential. Treat that as a red flag until it is resolved, and ask the publisher to update the manifest so that tokenPath and any required env vars are declared explicitly.
- Inspect the source before use: review src/index.ts and mcp-server.mjs (both present in the package) to confirm they only call the official 1Password SDK or invoke the `op` CLI as documented, that any CLI invocation passes arguments as an argv array rather than a shell string, and that there are no unexpected network endpoints, no logging of secrets, and no attempts to write secrets to disk.
- Minimize service-account permissions: create a service account scoped only to the specific custom vaults it needs and grant read_items only unless you explicitly need write_items. Prefer read-only tokens for routine use and allow write_items only if you trust the code and need write operations.
- Allowlist tools and limit autonomous access: keep agent tool allowlisting restrictive (op_read_secret, op_list_items and op_write_secret should be optional and granted only when necessary). Do not let the skill run broadly across agents without review.
- Test in isolation: enable the plugin in a test environment or VM first, with a service account limited to a non-production vault. Verify behavior with a dry run and audit logs.
- Verify package provenance: SKILL.md references the npm package @wipcomputer/wip-1password and a GitHub repo. Confirm that the package on npm and its source repository match the files you reviewed and are published by the expected maintainer. If the published package differs from the repo contents, treat it as suspicious.
- Rotation and incident plan: be ready to rotate any tokens you provide for testing. If you later grant this skill access to production vaults, plan and document a token rotation strategy.
Capability Analysis
Type: OpenClaw Skill
Name: wip-1password
Version: 0.2.2
The skill bundle provides 1Password integration for AI agents but contains a critical shell-injection vulnerability in `mcp-server.mjs`: the `opExec` function builds a shell command with `execSync` from unsanitized tool arguments (`vault`, `item`, `field`), so a crafted argument can execute arbitrary commands with the MCP server's privileges and, because the server holds the service-account token in order to run `op`, with access to that token. The main plugin logic in `src/index.ts` uses the official 1Password SDK and does not shell out, but the MCP server component ships in the same package, so the risk applies to anyone who connects it. Additionally, `SKILL.md` and `README.md` contain prompt-injection-style instructions that steer an AI agent through an installation process via a custom `wip-install` command, a high-risk pattern even with the dry-run and user-consent safeguards they include.
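The vulnerable shape described above, next to an argv-based replacement, as an added example that is not the project's code: the real `opExec`, its signature and its exact command string are not shown on this page, so `opExecUnsafe`, `opExecArgvOnly`, `buildOpArgs`, `opExecSafe`, the allowlist regex and the use of `echo` as a stand-in for the `op` binary are all assumptions made for the illustration. It assumes a POSIX sh, which is what `execSync` uses on Linux and macOS.

```javascript
// Added illustration, not the wip-1password code. `echo` stands in for the
// `op` binary so this runs without 1Password installed; with the real CLI,
// OP_BIN would be "op" and the first argv element the "read" subcommand.
import { execSync, execFileSync } from "node:child_process";

const OP_BIN = "echo";

// Vulnerable shape (assumed): tool arguments are interpolated into a shell
// command string. Quoting does not help; a value containing `"; ...; echo "`
// or `$(...)` still reaches /bin/sh as code.
export function opExecUnsafe(vault, item, field) {
  const cmd = `${OP_BIN} "op://${vault}/${item}/${field}"`;
  return execSync(cmd, { encoding: "utf8" });
}

// Step one: no shell. execFileSync defaults to shell:false, so each argv
// element is delivered to the program as one literal argument.
export function opExecArgvOnly(vault, item, field) {
  return execFileSync(OP_BIN, ["read", `op://${vault}/${item}/${field}`], {
    encoding: "utf8",
  });
}

// Step two: allowlist the names (assumed charset; tighten it to what your
// vaults use). This also rejects '/' so a caller cannot smuggle extra path
// segments that would redirect the reference to a different item or field.
const NAME_RE = /^[A-Za-z0-9 _.-]{1,128}$/;

export function buildOpArgs(vault, item, field) {
  for (const [name, value] of Object.entries({ vault, item, field })) {
    if (typeof value !== "string" || !NAME_RE.test(value)) {
      throw new Error(`invalid ${name}: rejected by allowlist`);
    }
  }
  return ["read", `op://${vault}/${item}/${field}`];
}

// Hardened shape: no shell, validated argv, token passed through the
// environment (never argv, which is visible in process listings), and
// stdout captured without being logged because it carries the secret.
export function opExecSafe(vault, item, field, token = "") {
  const env = { ...process.env };
  if (token) env.OP_SERVICE_ACCOUNT_TOKEN = token;
  return execFileSync(OP_BIN, buildOpArgs(vault, item, field), {
    encoding: "utf8",
    env,
    stdio: ["ignore", "pipe", "pipe"],
  });
}

// Constructed payload: closes the quoted reference and appends a command.
export const PAYLOAD_ITEM = 'x"; echo INJECTED; echo "';

export function demo() {
  const unsafe = opExecUnsafe("Dev", PAYLOAD_ITEM, "password");
  const argvOnly = opExecArgvOnly("Dev", PAYLOAD_ITEM, "password");
  let safe;
  try {
    opExecSafe("Dev", PAYLOAD_ITEM, "password");
    safe = "ran";
  } catch (e) {
    safe = e.message;
  }
  return {
    injectedCommandRan: unsafe.includes("\nINJECTED\n"), // true under execSync
    argvOnlyRanPayload: argvOnly.includes("\nINJECTED"), // false: stays literal
    safe,                                                // allowlist rejection
  };
}
```

Under `execSync` the payload runs as a second command and `INJECTED` appears on its own output line; under `execFileSync` the same bytes are printed back as one literal argument, and the allowlist rejects them before any process is spawned.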
Capability Assessment
Purpose & Capability
The code and SKILL.md describe a coherent 1Password secrets plugin (resolve op:// refs, read/write secrets, list vault items) which matches the stated purpose. However the registry metadata claims no required env vars/config paths/primary credential, while the runtime instructions and developer docs require a service-account token stored at ~/.openclaw/secrets/op-sa-token (and sometimes reference OP_SERVICE_ACCOUNT_TOKEN). That omission is an inconsistency: a secrets plugin legitimately needs the service account token and a tokenPath config, but the skill metadata does not declare them.
Instruction Scope
The runtime instructions focus on resolving op:// references, providing agent tools (op_read_secret, op_list_items, op_write_secret), and registering a startup resolver — all within the stated scope. The SKILL.md and docs instruct the plugin to read a service-account token from disk and to set process.env.OPENAI_API_KEY at startup; they also give developer examples that shell out to the `op` CLI. Those I/O and subprocess actions are expected for this plugin type, though they are sensitive because they handle secrets.
Install Mechanism
There is no registry-level install spec recorded, yet the SKILL.md includes an openclaw.install section and npm install instructions for @wipcomputer/wip-1password (an ordinary npm package). Installing via npm is reasonable. There are no downloads from arbitrary URLs or obfuscated installers in the files provided.
Credentials
The skill requires access to a 1Password service account token and will read a token file at ~/.openclaw/secrets/op-sa-token (and/or use OP_SERVICE_ACCOUNT_TOKEN when invoking `op`). Those sensitive access details are not declared in the registry metadata (no required env vars/config paths/primary credential). The plugin also sets process.env.OPENAI_API_KEY from a retrieved secret, which is expected for its purpose but increases the blast radius if misconfigured. Ensure the service account has minimal permissions (read-only for configured vaults) and that the token path is acceptable to you.
Persistence & Privilege
The manifest sets always: false and leaves model invocation and autonomous use at their defaults. The plugin registers a startup resolver service (normal for a plugin that mutates runtime config) but does not request permanent platform-wide privileges in the manifest. It does read a user-local token file and modifies process.env for the running process; that is expected behavior for a secrets resolver but should be treated as sensitive.
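As an added example (not the plugin's code) of the two pieces the Credentials and Persistence sections describe: a token loader that refuses a group- or world-readable token file, and a startup resolver that walks a config object replacing op:// references. `loadServiceAccountToken`, `parseOpRef`, `resolveOpRefs`, the in-memory `FAKE_VAULT` and `SAMPLE_CONFIG` are constructed here; in the plugin the `resolve` callback would wrap the 1Password SDK's secret resolution rather than an in-memory map, and the token path default is the one this page names.

```javascript
// Added illustration, not the wip-1password code.
import fs from "node:fs";
import os from "node:os";
import path from "node:path";

// Path the page says the plugin reads; overridable per call.
export const DEFAULT_TOKEN_PATH = path.join(
  os.homedir(), ".openclaw", "secrets", "op-sa-token");

// Env var wins over the file (the page lists both sources). A token file
// readable by group or others leaks the service account to every local
// user, so anything looser than 0600 is refused rather than warned about.
export function loadServiceAccountToken(tokenPath = DEFAULT_TOKEN_PATH, env = process.env) {
  if (env.OP_SERVICE_ACCOUNT_TOKEN) return env.OP_SERVICE_ACCOUNT_TOKEN;
  const st = fs.statSync(tokenPath);
  if (!st.isFile()) throw new Error(`${tokenPath} is not a regular file`);
  if (st.mode & 0o077) {
    throw new Error(`${tokenPath} must be mode 0600, found ${(st.mode & 0o777).toString(8)}`);
  }
  const token = fs.readFileSync(tokenPath, "utf8").trim();
  if (!token) throw new Error(`${tokenPath} is empty`);
  return token;
}

// op://vault/item/field or op://vault/item/section/field (assumed grammar).
const OP_REF_RE = /^op:\/\/([^/]+)\/([^/]+)(?:\/([^/]+))?\/([^/]+)$/;

export function parseOpRef(ref) {
  const m = OP_REF_RE.exec(ref);
  if (!m) throw new Error(`malformed secret reference: ${ref}`);
  const [, vault, item, section, field] = m;
  return { vault, item, section: section ?? null, field };
}

// Deep-walks any JSON-like config and returns a new object; only strings
// starting with "op://" are replaced, everything else is copied through.
export function resolveOpRefs(value, resolve) {
  if (typeof value === "string") {
    return value.startsWith("op://") ? resolve(parseOpRef(value)) : value;
  }
  if (Array.isArray(value)) return value.map((v) => resolveOpRefs(v, resolve));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, resolveOpRefs(v, resolve)]));
  }
  return value;
}

// Constructed stand-in for a read-only vault; keys mirror the reference shape.
const FAKE_VAULT = {
  "Dev/openai/credential": "sk-test-0000",
  "Dev/postgres/Connection/password": "pg-secret",
};

export function fakeResolve({ vault, item, section, field }) {
  const key = [vault, item, section, field].filter(Boolean).join("/");
  if (!(key in FAKE_VAULT)) throw new Error(`no such secret: op://${key}`);
  return FAKE_VAULT[key];
}

// Constructed config in the shape a startup resolver would process.
export const SAMPLE_CONFIG = {
  openai: { apiKey: "op://Dev/openai/credential", model: "gpt-4o" },
  db: { url: "postgres://app@db/app", password: "op://Dev/postgres/Connection/password" },
  allowlist: ["op_read_secret", "op_list_items"],
};

// Writes a 0600 token file under a temp dir, loads it, resolves the config.
export function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "op-sa-"));
  const tokenPath = path.join(dir, "op-sa-token");
  fs.writeFileSync(tokenPath, "ops_constructed_token\n", { mode: 0o600 });
  try {
    const token = loadServiceAccountToken(tokenPath, {});
    const resolved = resolveOpRefs(SAMPLE_CONFIG, fakeResolve);
    return { token, resolved };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

The resolver returns a new object rather than mutating the input, so the unresolved config (with references, not secrets) is what ends up in any config dump or log; only the resolved copy should reach process.env.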
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wip-1password
  3. After installation, invoke the skill by name or use /wip-1password
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.2
## v0.2.2: AI-Native Homepage, MCP Fix, Plan Requirements

Ran wip-1password through the WIP DevOps toolbox and rebuilt the homepage from the ground up. The README is now an AI-compatible product page. All technical documentation lives in TECHNICAL.md. The MCP server that was crashing since v0.2.0 is fixed. 1Password plan requirements updated after direct conversations with 1Password support.

---

### README rebuilt as a product page

**The problem it solved:** The old README was 400+ lines of technical documentation. Quick Start, Agent Tools API, Config Resolution, CLI Commands, Write Support, Security, Troubleshooting, Developer Guide... all in one file. No human would read it. No agent could parse it efficiently.

**What changed:** The README is now a product page. One description, a "Teach Your AI" prompt block (Karpathy pattern), four human-readable bullets, and links to docs. That's it.

The "Teach Your AI" block is the key feature. You paste it into Claude Code, ChatGPT, or any MCP-compatible agent. The agent reads the SKILL.md, explains what the tools do, dry-runs the install, and waits for your go-ahead before writing anything to disk. The README talks to AI now.

All technical content moved to TECHNICAL.md: Quick Start (6 steps), Agent Tools API (3 tools with parameter tables), Config Secret Resolution (with the `memorySearch.remote` gotcha), CLI Commands, Write Support, Configuration, How It Works, Security, Troubleshooting, and a full Developer Guide with three integration options and patterns for common scenarios.

New description: "Give your AI secure access to 1Password. Never copy-paste an API key into a chat window again."

**What changed:**
- `README.md` ... gutted from 400+ lines to ~75. Product page only. Badges, description, Teach Your AI block, What It Does (4 bullets), Documentation links, License.
- `TECHNICAL.md` ... expanded with all content from README plus new Developer Guide section (3 integration options, common patterns, key rules, example projects table).

---

### MCP server fixed

**The problem it solved:** `mcp-server.mjs` crashed on startup with "Schema is missing a method literal." The MCP server shipped in v0.2.0 but never actually worked. Every Claude Code user who tried to connect op-secrets hit this error.

**Root cause:** `setRequestHandler` was called with raw strings (`"tools/list"`, `"tools/call"`) instead of SDK schema objects. The MCP SDK validates the first argument against its type system and rejects strings.

**The fix:**

```javascript
// Before (broken)
server.setRequestHandler("tools/list", async () => ({...}));
server.setRequestHandler("tools/call", async (request) => ({...}));

// After (working)
import { ListToolsRequestSchema, CallToolRequestSchema } from "@modelcontextprotocol/sdk/types.js";
server.setRequestHandler(ListToolsRequestSchema, async () => ({...}));
server.setRequestHandler(CallToolRequestSchema, async (request) => ({...}));
```

op-secrets MCP server now starts clean and connects to Claude Code.

**What changed:**
- `mcp-server.mjs` ... import `ListToolsRequestSchema` and `CallToolRequestSchema` from `@modelcontextprotocol/sdk/types.js`, replace string handlers with schema objects.

---

### 1Password plan requirements updated

Parker went back and forth with 1Password directly. The original docs said "Teams or Business" for service accounts. That was wrong.

**What we confirmed:**
- Service accounts work on **all plans**: Individual, Family, Teams, Business.
- Headless operation (no desktop app) confirmed on Teams and Business.
- Lower-tier plans may require the desktop app for initial setup.

**What changed:**
- `TECHNICAL.md` ... prerequisites section updated with correct plan requirements.
- `SKILL.md` ... compatibility line updated. Description changed from "OpenClaw plugin" to "AI plugin (Claude Code, OpenClaw)".

---

### Feature priority reordered

Agent tools (read/write secrets) is the #1 value of this tool. It was listed after config resolution. Reordered in both README and TECHNICAL.md:

1. Agent tools (read/write secrets on demand)
2. MCP server for Claude Code
3. Config resolution (`op://` refs at startup)
4. CLI diagnostics

---

### Files Changed

```
README.md      | 389 ++----------------------------------------------
SKILL.md       |   8 +-
TECHNICAL.md   | 116 +++++++++++----
mcp-server.mjs |   5 +-
5 files changed, 121 insertions(+), 412 deletions(-)
```

### Install

```bash
npm install -g @wipcomputer/[email protected]
```

Or update your local clone:

```bash
git pull origin main
```

---

Built by Parker Todd Brooks, Lēsa (OpenClaw, Claude Opus 4.6), Claude Code (Claude Opus 4.6).
Metadata
Slug wip-1password
Version 0.2.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Wip 1password Private?

Headless plugin for 1Password secrets using service accounts, resolving op:// references, reading/writing secrets, and listing vault items via JS SDK. It is an AI Agent Skill for Claude Code / OpenClaw, with 314 downloads so far.

How do I install Wip 1password Private?

Run "/install wip-1password" in the OpenClaw or Claude Code chat to install it in one step. Before the skill can do anything it needs a 1Password service-account token, either at ~/.openclaw/secrets/op-sa-token or in OP_SERVICE_ACCOUNT_TOKEN (see Usage Guidance above).

Is Wip 1password Private free?

Yes, Wip 1password Private is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Wip 1password Private support?

Wip 1password Private is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Wip 1password Private?

It is built and maintained by Parker Todd Brooks (@parkertoddbrooks); the current version is v0.2.2.
