1Password – Password Manager: Security Analysis

Chrome | v8.12.8.26 | MV3 | March 24, 2026 at 01:03 AM
Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

7.4 HIGH (Raw: 9.2)

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 56 permissions including high-risk ones, 219 code findings, 5 dangerous combinations.

Trust Signals (5.5/10)

Users: 6.0M
Rating: 4.7 (3K reviews)
Developer: AgileBits Inc

Dangerous Combinations (5)

MEDIUM: Tab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

tabs + tabs API usage + external network

CRITICAL: Network interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking + external network request

CRITICAL: Extension management + dynamic code execution

Extension manages other extensions and executes dynamic code — behavior consistent with malware dropper.

management + eval/Function/dynamic code

CRITICAL: Native messaging + dynamic code execution

Extension communicates with native apps and executes dynamic code — potential sandbox escape vector.

nativeMessaging + eval/Function/dynamic code

CRITICAL: All-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls> + keylogger_pattern

Permissions: 9.5/10
Code: 10.0/10
Combinations: 10.0/10
Manifest/CSP: 5.8/10

Permissions (56 analyzed)

Code Findings (26 patterns, 219 total)

Libraries (1 detected)

1 library detected

Content Security Policy

CSP Present (1 issue)

LOW (object-src): object-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis (3 findings)

Resolved from __MSG_* i18n placeholders:

Name: 1Password – Password Manager

Description: The best way to experience 1Password in your browser. Easily sign in to sites, generate passwords, and store secure information.

HIGH (web_accessible_resources): JS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM (web_accessible_resources.matches): Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

HIGH (content_scripts): Aggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains (77)


Indicators of Compromise

451 indicators of compromise found

File Statistics

Total Files: 1001
JS Files: 389
Total Size: 50.2 MB
