registry  /  @u2giants/1password-mcp  /  2.6.0

@u2giants/1password-mcp@2.6.0

MCP server for 1Password service accounts — tools, prompts, and resources for vault and credential management

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The MCP server exposes `op_run`, an explicitly invoked arbitrary local command runner. It can resolve 1Password secrets into a child environment, making downstream disclosure possible through the chosen command.

Static reason
No blocking static signals were detected.
Trigger
A connected MCP client invokes the `op_run` tool with `command` or `argv` and optional `op://` environment values.
Impact
An authorized or compromised MCP client can run local commands and direct resolved secrets to files, processes, or network destinations.
Mechanism
MCP-controlled child-process execution with 1Password secret injection.
Rationale
The package shows no covert installation-time behavior or hidden payload, but it intentionally grants an MCP client arbitrary local command execution with resolved secrets. This is a real high-risk agent capability rather than evidence of malware.
Evidence
package.jsonbin/1password-mcp.jsdist/index.jsdist/config.jsdist/client.jsdist/secret-ref.jsdist/tools/op-run.js

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/tools/op-run.js` exposes an MCP tool that spawns arbitrary local commands.
  • `op_run` resolves `op://` secrets and injects plaintext into child-process environment variables.
  • `op_run` supports a shell-command mode; its own description notes secrets may reach files, network, child processes, and OS listings.
  • `dist/config.js` can read a configured macOS Keychain token via `security find-generic-password`.
  • No confirmation or command allowlist is enforced before `op_run` launches the requested process.
Evidence against
  • `package.json` contains no preinstall, install, or postinstall lifecycle hook.
  • `bin/1password-mcp.js` only imports `dist/index.js`; startup uses stdio MCP transport.
  • No package source writes agent configs, persistence files, or filesystem payloads.
  • No hidden network client or hard-coded runtime endpoint appears in inspected package code.
  • Secret-reference vaults are checked against `OP_MCP_ALLOWED_VAULTS` before resolution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 93.8 KB of source

Source & flagged code

2 flagged · loading source
dist/tools/op-run.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/tools/op-run.js` exposes an MCP tool that spawns arbitrary local commands.

dist/tools/op-run.jsView on unpkg
dist/config.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/config.js` can read a configured macOS Keychain token via `security find-generic-password`.

dist/config.jsView on unpkg

Findings

6 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/tools/op-run.js
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidencedist/config.js
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings