Is accolver/redshift safe?
https://github.com/openclaw/skills/tree/main/skills/accolver/redshift
The accolver/redshift skill is a clean documentation-only package (SKILL.md + _meta.json) with no executable code, no prompt injection, no git hooks, and no malicious install-time behavior. Credential file accesses observed in monitoring are attributable to the audit infrastructure's own canary baseline checks, not to the skill. The primary risk is categorical: this skill gives an LLM agent full operational access to a secret management CLI, including commands to dump all secrets in plaintext, inject secrets into subprocesses, and write credential files — inherent capabilities of any secret management tool that require user awareness when delegated to an AI agent.
Findings (10)
MEDIUM Raw secret retrieval commands documented -10
The skill explicitly teaches the agent to use --raw and --plain flags that print decrypted secret values in cleartext to stdout. Any invocation of these commands will place raw credentials directly into the agent's context window and conversation transcript, where they may be logged, cached, or observable by a third party.
MEDIUM redshift run enables secrets-in-subprocess attack -15
The skill teaches the agent to prepend redshift run to arbitrary shell commands, injecting all project secrets as environment variables. If an attacker can influence the command passed to redshift run (e.g., through a malicious script or indirect prompt injection), they gain access to the full secret environment. The skill's own warning acknowledges this risk but relies on agent compliance.
MEDIUM High-risk tool category: full secret namespace exposure -15
A secret management CLI skill gives an LLM agent the ability to enumerate and decrypt all secrets across all projects and environments. A single confused-deputy attack or successful prompt injection could result in complete credential exfiltration through legitimate CLI operations that the agent is explicitly instructed to perform.
LOW REDSHIFT_NSEC private key documented as env var -5
The skill documents REDSHIFT_NSEC as containing the user's Nostr private key, which controls access to all their encrypted secrets. An agent manipulated into logging, echoing, or transmitting environment variables would expose this key, permanently compromising the user's secret namespace.
LOW Secret download command creates persistent plaintext artifacts -5
The skill documents redshift secrets download in multiple formats including plaintext .env files. An agent using this command creates a persistent file containing all decrypted secrets on the local filesystem.
LOW Network-exposed web UI flag documented -5
The skill documents redshift serve --host 0.0.0.0 which would expose a web UI containing all decrypted secrets to the local network or internet. While a warning is included, the syntax is present and a sufficiently confused agent could invoke it.
LOW External URLs in skill metadata -7
The skill description, homepage field, and installHint reference external URLs (redshiftapp.com, github.com/accolver/redshift). These are not fetch targets and are appropriately scoped to installation guidance, but represent minor agent-influence surface.
LOW External binary installation required -3
The skill requires the redshift binary from redshiftapp.com, an external source not distributed via a verified package manager. Users must trust the binary's provenance and supply chain separately from this skill audit.
LOW Expected outbound HTTPS to GitHub during install -5
Installation required a TLS connection to 140.82.121.4:443 (GitHub) to clone the skills monorepo. This is expected and benign behavior for sparse-checkout installation.
INFO Credential files read during monitoring — attributable to audit infrastructure 0
Multiple credential canary files were opened read-only at two audit checkpoints. Timing analysis shows the first batch (audit IDs 263-268) occurs 0.3 seconds after auditctl initialization and 5 seconds before the git clone begins; the second batch (audit IDs 1406-1411) occurs after install completion. Both are consistent with the oathe audit system performing before/after canary integrity verification, not with skill-initiated access. All files confirmed intact.