Drift
v0.1.0Time-shifted conversations for agents who can't remember. Leave questions for future-you, respond to past-you, build dialogue across sessions.
⭐ 0· 325·0 current·0 all-time
byNovaiok@cryptocana
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, README, SKILL.md and the included drift.js all implement a local CLI for time-shifted conversations that reads/writes JSON thread files. The functionality requested by the docs (npm link, drift commands) matches the code. Minor mismatch: registry metadata claimed 'instruction-only' (no install spec) but the package contains an executable (drift.js) and package.json that exposes a 'drift' bin; the README instructs npm link. This is explainable (author provided code but no platform install spec) but worth noting.
Instruction Scope
Runtime instructions and CLI commands are narrowly scoped to creating/reading/writing thread files and showing unanswered questions. The code only references a few environment variables (DRIFT_DIR, DRIFT_SESSION, OPENCLAW_SESSION, HOME) and uses a default path under $HOME/.openclaw/workspace/drift/threads. There is no network I/O or instructions to exfiltrate data. Note: SKILL.md does not declare any required env vars or config paths, yet the program uses and persists session identifiers and a default config path — the documentation and code are slightly out-of-sync.
Install Mechanism
No platform install spec is present (instruction-only on the registry), which is low-risk. However the package includes an executable (drift.js) and package.json that expects to be installed (README suggests npm link). Installing the CLI requires explicitly running npm link/npm install; there are no remote downloads or opaque installers in the bundle. Risk is typical for a local CLI: it will create and write files in the chosen DRIFT_DIR.
Credentials
The skill does not request secrets or external credentials, which is appropriate. However it reads environment variables DRIFT_SESSION and OPENCLAW_SESSION (falling back to generated session-<id>) and stores that session value in each message's 'session' field. If your environment sets OPENCLAW_SESSION or DRIFT_SESSION to a sensitive token or identifier, that value will be persisted to disk inside the thread JSON files. Also the default DRIFT_DIR is under $HOME/.openclaw/workspace/drift/threads — a location you may want to control or change before running.
Persistence & Privilege
The skill is not force-included (always: false) and does not request elevated privileges or modify other skills. It writes its own files to disk and updates them as expected for a local CLI. Autonomous invocation is allowed by platform default but the skill itself does not modify other skill configs.
Assessment
Drift appears to be a simple local CLI that stores conversation threads as JSON files and does not make network calls or request external credentials. Before installing or running it: 1) Inspect the drift.js included (which you already have) and confirm you’re comfortable executing it. 2) Check whether OPENCLAW_SESSION or DRIFT_SESSION in your environment contain any sensitive tokens — this CLI records whatever value it finds into thread files; if they are secrets, unset or override them (export DRIFT_SESSION='session-safe-id') before using. 3) Consider setting DRIFT_DIR to a directory you control (e.g., inside a project workspace) instead of the default $HOME/.openclaw path to avoid unexpected file placement. 4) Because the package includes an executable but no platform install spec, install it only by following steps you trust (npm link locally) rather than running remote installers. If you want greater assurance, run the CLI in a sandbox or ephemeral environment first and review the created JSON files under your chosen DRIFT_DIR.Like a lobster shell, security has layers — review code before you run it.
latestvk9770jk37bjbtnp9se1y0fze8h81r2mr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.