afrisch
16 hours ago | Occasional Contributor
op.exe considered harmful?
I’d like to raise a point about the current security model of op.exe, and how it affects protection against supply-chain or similar attacks.
Consider a scenario where an attacker manages to execute malicious code locally, for example, via a compromised Python package. While this is often considered “game over,” in practice we still want to avoid being the easiest target in such situations.
A common behavior of malicious payloads is to harvest local secrets. While 1Password provides some protection against direct file access, an attacker can simply invoke op.exe, which actually centralizes access to clear-text secrets in a very convenient way.
Although op.exe prompts the user for permission, my understanding is that this permission applies broadly (e.g., to the entire account for a period such as 10 minutes). As a user, I can see which application is requesting access, but not which vaults or items are being queried. In practice, the application name (e.g., WindowsTerminal) is not very helpful in determining whether the request is legitimate.
I’d be interested in others’ perspectives on this.
Some potential improvements that seem valuable to me:
- When requesting permission, op.exe should provide more context (e.g., which vaults and items are being accessed).
- Users should be able to grant permissions at a finer granularity: not just account-wide, but limited to specific vaults or even individual items.
Another useful feature would be the ability to mark certain items or vaults as excluded from programmatic access (via op.exe, and possibly browser extensions). Even better, this could be the default behavior, requiring explicit opt-in at the item level.
I understand that such restrictions would be enforced client-side and therefore not fully robust. However, they would still meaningfully increase the effort required for a malicious local process to enumerate and exfiltrate secrets, and thus provide practical security benefits.
Finally, it might be worth considering stronger protections at the vault level—for example, requiring explicit user authentication (master password, or even a separate password) before allowing access to secrets. This could apply not only to op.exe, but also to the interactive 1Password client.