SHIFT

Security checks across malware telemetry and agentic risk

Overview

SHIFT appears purpose-built for multi-model delegation, but it should be reviewed because it can automatically share conversation history, file contents, and memory excerpts with configured model providers while hiding delegation by default and misstating network permissions in metadata.

Install only if you are comfortable with delegated model calls receiving recent chat history, selected workspace file content, and MEMORY.md excerpts. Before enabling, switch to transparent mode, reduce contextBridge.historyTurns, review configured model providers and billing, avoid sensitive files, and treat ~/.openclaw/workspace/.shift/sessions as sensitive local data. The setup script appears local-only, but run it knowingly rather than allowing automatic execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The skill directs the agent to execute a shell script from the workspace if a config file is missing, while simultaneously asserting that the script is safe. Because workspace content is potentially untrusted and mutable, this creates a trust-on-first-use remote code execution path through `bash ~/.openclaw/workspace/skills/shift/scripts/setup.sh`. The explicit safety claim makes the instruction more dangerous by encouraging operators to lower scrutiny.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The manifest gives contradictory security-relevant claims: installation notes say 'No network calls,' while the access section explicitly states the skill sends data to model-provider APIs. This can mislead users into approving installation or using the skill with sensitive data under a false assumption that nothing leaves the local environment.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The manifest claims the skill does not access internal agent configurations, yet also states it uses model provider credentials from agent config. Even if the skill only uses credentials indirectly through the platform, this inconsistency obscures the true trust boundary and can cause users to misunderstand what configuration data the skill depends on.

Scope Creep

Severity: High
Confidence: 99%
Finding
The permissions block declares network=false while other sections say the skill makes model-provider API calls and transmits user messages, history, file contents, and memory excerpts. This is a dangerous mismatch because permission metadata may be relied on for enforcement, review, or user consent, leading to underestimation of exfiltration risk.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger condition is so broad ('any message that might benefit from specialized handling') that the skill can activate on ordinary conversation and unnecessarily delegate user prompts, conversation history, active files, and memory excerpts to external model providers. In this skill's context, over-triggering materially increases data exposure and cost because delegation includes transmission of workspace content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The spec explicitly directs the master to package user messages, recent conversation history, project files, decisions, and memory into shared files and attachments for sub-agents, but does not require clear user consent, minimization, or disclosure. This can expose sensitive data to additional models/providers beyond what the user reasonably expects, especially when delegation is invisible by default.

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%
Finding
The design instructs the system to hide delegation and present sub-agent output as though it originated from the master identity. This undermines transparency and informed consent, and can mislead users about which model handled their data, what provider received it, and how conclusions were generated.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The cost-management section discusses budget enforcement and unexpected bills, but it does not clearly warn users that normal operation may automatically trigger additional paid model calls. In a multi-model delegated system, silent automatic spend is a trust and billing risk, particularly if different providers or premium models are involved.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The codex persona uses broad technical keywords such as "code," "fix," "api," and language names that commonly appear in ordinary requests. In a delegation system, this can cause unintended routing of prompts to a coding sub-identity, which may expand capability exposure, alter behavior unexpectedly, or send unnecessary context to another model.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The researcher persona is triggered by generic phrases like "explain," "review," "evaluate," and "what is," which are common in normal conversation. In this skill context, overbroad routing increases the chance of accidental delegation, unnecessary context sharing, and inconsistent handling of user requests by a different model than intended.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The runner persona includes vague terms such as "quick," "just," "check," and "find," which are frequent in everyday prompts and therefore weak indicators of true intent. Even with requireExplicit enabled, these terms can still produce accidental invocation and route user input plus history to a fast-path model that may be less appropriate for the task.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The bridge explicitly persists recent conversation history, active file content, and project memory into session files that are then consumed by sub-identities. That creates a privacy and data-exposure risk because potentially sensitive user inputs, secrets in active files, or proprietary context are copied to disk and shared across agent boundaries without any described minimization, redaction, consent, retention safeguards, or access controls.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The delegator explicitly packages the exact user message, conversation history, active files, and workspace-derived context for spawned sub-agents, but the design shown provides no consent, minimization, or user-facing disclosure before that sharing occurs. This creates a real privacy and data-governance risk because sensitive prompts, secrets in files, or unrelated prior conversation content may be propagated to additional model executions without necessity or user awareness.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The workflow creates persistent session directories under ~/.shift/sessions and writes inbound context containing user messages and history to disk, yet no retention, encryption, permission hardening, or user warning is described. Persisting sensitive data locally increases exposure to other local users, malware, backups, and accidental disclosure beyond the immediate task runtime.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The routing keyword list is broad enough to match many generic technical or adjacent requests, which can cause this persona to be selected when a more appropriate specialist or the master should handle the task. In this skill, that matters because Codex is configured to respond directly and efficiently on coding tasks, so misrouting can reduce safeguards, produce overconfident code-centric output, or bypass better contextual handling for mixed-domain requests.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The routing keywords are broad natural-language phrases such as 'what is', 'how does', 'review', and 'summary of', which are likely to match many ordinary prompts beyond narrowly scoped research tasks. This can cause unintended persona activation and misrouting, especially in multi-skill systems where broad interception may override more appropriate or safer handlers.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The routing keywords include very common phrases such as "just," "check," "find," and "what is the," which can cause the Runner persona to capture prompts that are not actually simple tasks. Because this persona is optimized for speed and brevity and explicitly avoids consultation, misrouting can lead to oversimplified handling of requests that need deeper reasoning, safety checks, or specialist routing.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The spec calls for broad collection of user history, memory, project context, and relevant files into shared session artifacts and attachments for sub-identities. Without strict minimization, redaction, retention controls, and provider-boundary awareness, this creates unnecessary data exposure and persistent local sensitive-data sprawl.

Ssd 3

Severity: Medium
Confidence: 87%
Finding
The Runner persona is told to use user preferences or history for delegated tasks without specifying boundaries for relevance or sensitivity. This encourages over-sharing of personal context to a delegated model, increasing privacy risk and potential leakage of information not needed for the task.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The design intentionally propagates user-provided content and broader master-session context to sub-identities through INBOUND.json and CONTEXT.md, creating a built-in natural-language data leakage channel. Because multiple identities can read and further write derived context, sensitive data can spread beyond the original need-to-know scope, increasing the chance of unintended disclosure, prompt injection propagation, or persistence of confidential material.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The design forwards the full user message and master conversation history to sub-identities by default rather than applying least-privilege scoping. This unnecessarily broadens the blast radius of any sensitive content and increases the chance of oversharing secrets, personal data, or unrelated context to additional agents and models.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The task prompt instructs sub-identities to read attached conversation history and project context before acting, reinforcing automatic broad context exposure to downstream agents. Because attached files may include sensitive workspace content and prior exchanges, this expands access without guardrails on scope, sanitization, or need-to-know boundaries.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content
SHIFT does:
- Run entirely within your OpenClaw gateway
- Store delegation metadata locally
- Write session context files to your workspace

## ⚠️ Security Considerations
Confidence: 89%
Finding
Write session context files to your workspace
## ⚠️ Security Considerations
### What Gets Transmitted
When delegation is enabled, the following are sent to your configured model providers:
- Your m

VirusTotal

66/66 vendors flagged this skill as clean.
