dkvdm/onepassword-mcp-server — agentic threat model
This agent acts as a high-privilege secrets broker, introducing significant risk of credential exfiltration if the upstream LLM is manipulated via prompt injection to request unauthorized vault items.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.30 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.90 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged “Not certain from the listing” are general, caveated commentary where the public description did not pin that layer down.
Layer 1 (Foundation Models): Not certain from the listing — The MCP server is model-agnostic. However, the primary threat is indirect prompt injection, where an external payload forces the foundation model to abuse the 1Password tool to fetch and exfiltrate sensitive credentials.
Layer 2 (Data Operations): Not certain from the listing — This agent does not manage a traditional RAG vector store, but it acts as a gateway to highly sensitive structured data (secrets). The primary risk is unauthorized data retrieval from the 1Password vault.
Layer 3 (Agent Frameworks): The orchestration framework must safely handle tool-calling parameters. If the agent framework lacks strict input validation, malicious instructions can manipulate the secret-retrieval tool arguments to target arbitrary vault items.
Layer 4 (Deployment and Infrastructure): The MCP server relies on local 1Password CLI or Connect API credentials. If the host environment or container running this server is compromised, the underlying 1Password service account tokens can be stolen, leading to full vault exposure.
Layer 5 (Evaluation and Observability): Not certain from the listing — There is no mention of built-in audit logging or guardrails to detect anomalous secret-retrieval patterns, creating a blind spot where credential harvesting could go unnoticed.
Layer 6 (Security and Compliance): Security relies heavily on the external 1Password service account configuration. If the service account is granted excessive read permissions (no least privilege), the agent inherits those broad permissions, violating access-control policies.
Layer 7 (Agent Ecosystem): In a multi-agent ecosystem, other untrusted agents might query this agent to obtain credentials. Without strict caller-identity verification, this agent can be used as a horizontal privilege-escalation vector by compromised peer agents.
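One defensive control that addresses the agent-framework (tool-argument validation) and observability (audit logging) threats above, as an added example that is not code from the dkvdm/onepassword-mcp-server project: a wrapper the secret-retrieval tool would call before touching 1Password. The allowlisted vault and item names are constructed placeholders, and the `fetch` callable stands in for whatever 1Password client the server actually uses.

```python
import logging
import re
from typing import Callable, Tuple

# Constructed allowlist of (vault, item) pairs this MCP server may ever return.
# A real deployment loads this from configuration; these names are placeholders.
ALLOWED_ITEMS = {
    ("Engineering", "staging-db-password"),
    ("Engineering", "ci-deploy-token"),
}

# Plain item/vault names only: no op:// references, wildcards, slashes or
# leading dots, so a prompt-injected argument cannot widen the lookup.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$")

log = logging.getLogger("onepassword-mcp-audit")


class VaultAccessDenied(Exception):
    """Raised when tool arguments fail shape or allowlist checks."""


def validate_secret_request(vault: str, item: str, caller: str) -> Tuple[str, str]:
    """Check argument shape, then the explicit allowlist; audit every decision.

    `caller` is the identity of the requesting agent/session, so the audit
    log can reveal one caller sweeping many items (credential harvesting).
    """
    for field, value in (("vault", vault), ("item", item)):
        if not isinstance(value, str) or not _NAME_RE.fullmatch(value):
            log.warning("deny caller=%s reason=malformed_%s value=%r", caller, field, value)
            raise VaultAccessDenied(f"malformed {field}")
    if (vault, item) not in ALLOWED_ITEMS:
        log.warning("deny caller=%s vault=%s item=%s reason=not_allowlisted", caller, vault, item)
        raise VaultAccessDenied("item not allowlisted")
    log.info("allow caller=%s vault=%s item=%s", caller, vault, item)
    return vault, item


def get_secret(vault: str, item: str, caller: str, fetch: Callable[[str, str], str]) -> str:
    """Resolve a secret only after validation; `fetch` is the injected 1Password client."""
    vault, item = validate_secret_request(vault, item, caller)
    return fetch(vault, item)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    fake_fetch = lambda v, i: f"<secret for {v}/{i}>"  # stands in for the real client
    print(get_secret("Engineering", "ci-deploy-token", "agent-a", fake_fetch))
```

The allowlist, not the model's judgement, decides which items are reachable; the log lines are the signal a detection rule would key on.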
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).