in-liberty420

1Password Service Account

Author: in-liberty420 · GitHub · v1.0.2
cross-platform ✓ Security check passed
Total downloads: 593
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw:
/install 1password-sa
Description
Securely inject secrets from 1Password into agent workflows. Uses service accounts with op run/.env.tpl as the primary pattern, op read as fallback. Includes...
Usage (SKILL.md)

1Password CLI (Hardened)

Secure secret access via 1Password CLI (op) for OpenClaw agents. Service accounts are the canonical approach.

References

  • references/get-started.md — install + baseline setup
  • references/cli-examples.md — safe command patterns
  • references/troubleshooting.md — failure/recovery runbook

Security Rules (must follow)

  1. Prefer op run over all alternatives for secret injection.
  2. Never enable shell tracing around secret commands (set -x, bash -x).
  3. Never print secrets to stdout/logs (echo, cat on secret values/files). printf piped directly to stdin of another command (e.g., printf ... | curl -H @-) is acceptable when the output never reaches a log or terminal.
  4. Never dump environment inside/after secret-bearing runs (env, printenv, set).
  5. Never pass secrets as CLI args (arguments can appear in process lists).
  6. Never pipe secret output to logs/files (tee, >, >>) unless explicitly writing a protected temporary file for op inject.
  7. Never pipe op read output into logging pipelines.
  8. Use op inject only with locked-down temp files: umask 077, chmod 600, trap cleanup.
  9. Never include secret values in chat, tool output, or agent responses. If a command outputs a secret, do not echo or reference its value.

Banned Flags/Patterns

  • --no-masking — never use in agent workflows. Masking redacts accidental secret output and must stay on.
  • --reveal — never use in routine workflows. Outputs field values in cleartext.
  • op signin --raw — outputs raw session token to stdout.
  • Bare op read — never run without capturing into a variable. It prints secrets to stdout.
  • set -x — never enable around any op command.
  • curl -v — verbose mode logs auth headers. Use curl -sSf instead.
  • script / terminal recorders — session recording captures all secret output.

Untrusted Input

  • Never interpolate user-provided or external text into shell commands without strict quoting.
  • Always use -- to separate op flags from command arguments.
  • Vault/item/field names from untrusted sources must be validated (alphanumeric, hyphens, underscores, and spaces only).
  • Never use eval, backtick substitution, or string-built shell commands with secret references.
  • If an item name looks suspicious (contains $, backticks, semicolons, or pipes), stop and verify with the user.

Safe dynamic input template:

VAULT="my-vault"
ITEM="my-item"

# Validate: reject names with dangerous characters. LC_ALL=C keeps the
# character ranges ASCII-only; the pattern lives in a variable so [[ ]]
# treats it as a regex without extra quoting. (An env prefix directly in
# front of [[ does not work: bash then looks for a command named "[[".)
LC_ALL=C
NAME_RE='^[A-Za-z0-9 _-]+$'
for NAME in "$VAULT" "$ITEM"; do
  if ! [[ "$NAME" =~ $NAME_RE ]]; then
    echo "ERROR: invalid vault/item name: $NAME" >&2; exit 1
  fi
done

VALUE="$(op read "op://${VAULT}/${ITEM}/password")"
# use $VALUE, then:
unset VALUE

Always double-quote variable expansions. Never build op:// references from untrusted input without validation. Reject names containing /, $, backticks, semicolons, pipes, or other shell metacharacters.

.env.tpl Security

  • Treat as code: verify ownership, review changes, restrict permissions (chmod 600).
  • Do not accept .env.tpl files from untrusted sources.
  • Do not commit to public repos — references reveal vault/item structure.
  • Add to .gitignore if in a repo.
  • After creating/editing: chmod 600 .env.tpl
  • Only define expected variable names — reject templates containing dangerous env vars (PATH, LD_PRELOAD, BASH_ENV, NODE_OPTIONS, etc.).
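The following is an added example, not one of the skill's own files: it turns the Untrusted Input rules and the .env.tpl checks above into reusable functions. The names `valid_name`, `build_ref`, `check_env_tpl` and `DANGEROUS_VARS` are assumptions of this example, and the dangerous-variable list extends the page's PATH/LD_PRELOAD/BASH_ENV/NODE_OPTIONS with a few other loader-controlling variables.

```bash
#!/usr/bin/env bash
# Added example, not one of the skill's own files: validate vault/item/field names
# from untrusted sources and vet an .env.tpl before op run consumes it.
set -euo pipefail

# Names may contain letters, digits, spaces, hyphens and underscores only.
valid_name() {
  local re='^[A-Za-z0-9 _-]+$'
  [[ "$1" =~ $re ]]
}

# Build an op:// reference only from validated parts (prints nothing on failure).
build_ref() {
  local part
  for part in "$1" "$2" "$3"; do
    valid_name "$part" || { echo "ERROR: rejected name: $part" >&2; return 1; }
  done
  printf 'op://%s/%s/%s\n' "$1" "$2" "$3"
}

# Variables a template must never define: they change how the child process loads
# code. Extends the page's list (PATH, LD_PRELOAD, BASH_ENV, NODE_OPTIONS) with a few more.
DANGEROUS_VARS=' PATH LD_PRELOAD LD_LIBRARY_PATH BASH_ENV ENV NODE_OPTIONS PYTHONPATH PERL5OPT '

# Vet .env.tpl: mode 600, every non-blank line is NAME=op://vault/item/field with
# validated parts, and NAME is not in the dangerous list. Returns 1 on the first problem.
check_env_tpl() {
  local file="$1" mode line name
  local re='^([A-Za-z_][A-Za-z0-9_]*)=op://([^/]+)/([^/]+)/([^/]+)$'
  mode="$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")"
  [ "$mode" = "600" ] || { echo "ERROR: $file has mode $mode, expected 600" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    [[ "$line" =~ $re ]] || { echo "ERROR: not a NAME=op://vault/item/field line" >&2; return 1; }
    name="${BASH_REMATCH[1]}"
    case "$DANGEROUS_VARS" in *" $name "*) echo "ERROR: template sets $name" >&2; return 1;; esac
    build_ref "${BASH_REMATCH[2]}" "${BASH_REMATCH[3]}" "${BASH_REMATCH[4]}" >/dev/null || return 1
  done < "$file"
}
```

Run `check_env_tpl .env.tpl` before every `op run --env-file=.env.tpl`; a non-zero exit means the template must be reviewed by a person, not fixed up automatically.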

Service Account Workflow (Primary)

Service accounts are the default for agents. No interactive auth needed.

1) Load and scope token

Load the token from your platform's secure store:

# macOS Keychain:
#   security find-generic-password -a <account> -s OP_SERVICE_ACCOUNT_TOKEN -w
# Linux (GNOME Keyring / libsecret):
#   secret-tool lookup service OP_SERVICE_ACCOUNT_TOKEN
# Last resort (interactive prompt, not automatable):
#   read -rs OP_SERVICE_ACCOUNT_TOKEN

OP_SERVICE_ACCOUNT_TOKEN="$(__REPLACE_WITH_SECURE_STORE_COMMAND__)"
[ -z "$OP_SERVICE_ACCOUNT_TOKEN" ] && { echo "ERROR: token retrieval failed" >&2; exit 1; }

Preferred: single-command scope (token never persists in shell env):

OP_SERVICE_ACCOUNT_TOKEN="$OP_SERVICE_ACCOUNT_TOKEN" \
  op run --env-file=.env.tpl -- <command>
unset OP_SERVICE_ACCOUNT_TOKEN

If multiple commands are needed, export briefly with trap cleanup:

export OP_SERVICE_ACCOUNT_TOKEN
trap 'unset OP_SERVICE_ACCOUNT_TOKEN' EXIT
op run --env-file=.env.tpl -- <command-1>
op run --env-file=.env.tpl -- <command-2>
unset OP_SERVICE_ACCOUNT_TOKEN

2) Use .env.tpl + op run (preferred)

Create .env.tpl with 1Password references (not raw secrets):

API_KEY=op://my-vault/my-item/api-key
DB_PASSWORD=op://my-vault/my-item/password

Run:

op run --env-file=.env.tpl -- <command>

Masking is on by default and must stay on. Note: masking is defense-in-depth, not primary protection — transformed or partial secrets may evade redaction. The primary defense is never outputting secrets.

3) One-off fallback: op read

Use only when op run doesn't fit. Use a subshell for automatic cleanup:

(
  trap 'unset VALUE' EXIT
  VALUE="$(op read 'op://my-vault/my-item/field')"
  # use $VALUE here — auto-cleaned on exit
)

For API calls, prefer op run with a wrapper script to avoid sh -c:

#!/usr/bin/env bash
# api-call.sh (chmod +x): API_TOKEN arrives in the environment that op run injects
set -euo pipefail
printf 'Authorization: Bearer %s\n' "$API_TOKEN" | curl -sSf -H @- https://api.example.com/resource

# invoke the script through op run so the token reaches only this process:
op run --env-file=.env.tpl -- ./api-call.sh
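As an added example (not one of the skill's own files), the three steps above can be wrapped so that the op run step fails closed when the shell state would leak secrets. The function names `preflight` and `run_with_secrets` are assumptions of this example; running the wrapper for real requires the op CLI and a token loaded as in step 1.

```bash
#!/usr/bin/env bash
# Added example, not one of the skill's own files: a wrapper around the op run
# step that fails closed when the shell state would leak secrets, then scopes
# the service account token to that single op run process.
set -euo pipefail

# Refuse to run if shell tracing is on, no token was loaded, or the template
# is readable by anyone other than its owner.
preflight() {
  local tpl="$1" mode
  case "$-" in *x*) echo "ERROR: shell tracing (set -x) is active" >&2; return 1;; esac
  [ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ] || { echo "ERROR: no service account token loaded" >&2; return 1; }
  [ -f "$tpl" ] || { echo "ERROR: template $tpl not found" >&2; return 1; }
  mode="$(stat -c '%a' "$tpl" 2>/dev/null || stat -f '%Lp' "$tpl")"
  [ "$mode" = "600" ] || { echo "ERROR: $tpl has mode $mode, expected 600" >&2; return 1; }
}

# Run exactly one command with secrets injected from the template. The caller
# keeps OP_SERVICE_ACCOUNT_TOKEN as an unexported shell variable (as in step 1),
# so the prefix assignment exports it to op alone; other children never see it.
run_with_secrets() {
  local tpl="$1"; shift
  preflight "$tpl" || return 1
  OP_SERVICE_ACCOUNT_TOKEN="$OP_SERVICE_ACCOUNT_TOKEN" op run --env-file="$tpl" -- "$@"
}

# Usage (needs the op CLI; the placeholder is the page's own and must be replaced):
#   OP_SERVICE_ACCOUNT_TOKEN="$(__REPLACE_WITH_SECURE_STORE_COMMAND__)"
#   run_with_secrets .env.tpl ./api-call.sh
#   unset OP_SERVICE_ACCOUNT_TOKEN
```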

4) Diagnostics

All diagnostic output contains metadata (account emails, vault names, item IDs, URLs) that should be treated as sensitive in logged/recorded agent sessions.

op whoami
op vault list --format json

5) Service account lifecycle

  • Scope is policy-driven: read-only vs read-write depends on configuration and vault permissions.
  • If access fails: verify vault grants and item permissions.
  • If token expired/revoked: regenerate in 1Password admin, update secure store, retry.
  • Limitation: service accounts may not support item creation depending on org policy.

op inject (restricted use)

Use only when a file must be materialized temporarily:

set -euo pipefail
set +x
umask 077

TMP_FILE="$(mktemp)"
cleanup() { rm -f "$TMP_FILE"; }
trap cleanup EXIT ERR INT TERM HUP QUIT

op inject -i config.tpl -o "$TMP_FILE"
chmod 600 "$TMP_FILE"

# use "$TMP_FILE" briefly, then auto-cleanup via trap

Never persist injected secret files beyond immediate use.

Safe usage recommendations
This skill appears coherent and focused on safe 1Password CLI usage, but check two things before installing: (1) confirm whether your agent registry metadata or the SKILL.md is authoritative for required env vars — SKILL.md expects OP_SERVICE_ACCOUNT_TOKEN, so ensure you can provide that token from a secure store and replace the __REPLACE_WITH_SECURE_STORE_COMMAND__ placeholder with a legitimate retrieval command; (2) ensure the service account used has least privilege in 1Password (only the vaults/items needed), do not store .env.tpl in public repos, follow the SKILL.md rules (no --no-masking, no set -x, umask/chmod/trap for temp files), and verify you trust installing the Homebrew 1password-cli package on your platform.
Functional analysis
Type: OpenClaw Skill
Name: 1password-sa
Version: 1.0.2
This skill bundle is designed with a strong emphasis on security and best practices for handling secrets. The `SKILL.md` file, which serves as instructions for the AI agent, explicitly details numerous security rules, banned patterns (e.g., `set -x`, `--no-masking`, `eval` with untrusted input), and safe coding practices (e.g., input validation, `umask 077`, `trap` for cleanup, secure `curl` patterns). All included files consistently reinforce these security principles, aiming to prevent secret leakage and misuse rather than cause it. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts designed to harm the agent or system.
Capability assessment
Purpose & Capability
Name/description match what the skill does: it wraps the 1Password CLI ('op') for secret injection into agent workflows. Requiring the 'op' binary and offering a Homebrew install for 1password-cli is proportionate. One inconsistency: the registry metadata lists no required env vars, but the SKILL.md metadata and runtime instructions clearly expect an OP_SERVICE_ACCOUNT_TOKEN.
Instruction Scope
SKILL.md stays on-topic: it documents using 'op run' and 'op read' safely, forbids printing secrets, warns about masking, and includes validation patterns for untrusted input. All example commands and troubleshooting steps are consistent with the stated purpose and do not instruct reading unrelated system files or exfiltrating secrets to unexpected endpoints.
Install Mechanism
Install spec uses the Homebrew formula '1password-cli' and creates the 'op' binary — a standard, low-risk mechanism from a known package ecosystem. No downloads from arbitrary URLs or archive extraction are present.
Credentials
The runtime docs require an OP_SERVICE_ACCOUNT_TOKEN (and provide patterns for retrieving it from platform secure stores), which is appropriate for a 1Password service-account workflow. However, the registry 'Required env vars' field is empty while SKILL.md.metadata lists OP_SERVICE_ACCOUNT_TOKEN, creating a metadata mismatch the user should confirm before installing.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to modify other skills or system-wide agent settings. Default autonomous invocation is allowed (platform default) but not elevated here; no unexpected persistent privileges are requested.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install 1password-sa
  3. After installation, call the Skill by name or trigger it with /1password-sa
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.2
Declare OP_SERVICE_ACCOUNT_TOKEN in metadata env block
v1.0.1
Fix copy-paste hazard: placeholder now fails loudly. Mark interactive fallback as last resort.
v1.0.0
Hardened fork: service-account-only, 6 rounds of security audit, fail-closed auth, input validation, banned patterns, no interactive auth
Metadata
Slug 1password-sa
Version 1.0.2
License
Total installs 0
Current installs 0
Versions 3
FAQ

What is 1Password Service Account?

Securely inject secrets from 1Password into agent workflows. Uses service accounts with op run/.env.tpl as the primary pattern, op read as fallback. Includes... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 593 total downloads so far.

How do I install 1Password Service Account?

Run the command "/install 1password-sa" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is 1Password Service Account free?

Yes, 1Password Service Account is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does 1Password Service Account support?

1Password Service Account is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed 1Password Service Account?

Developed and maintained by in-liberty420 (@in-liberty420); the current version is v1.0.2.
