Is jarvis-drakon/shieldcortex-skill safe?
https://github.com/openclaw/skills/tree/main/skills/jarvis-drakon/shieldcortex-skill
ShieldCortex is a documentation-only skill with a clean installation footprint — two static files, no executable code, no npm install during clone, and no unexpected network activity. However, the SKILL.md instructs agents to install an unaudited global npm package, includes a cloud sync feature that transmits agent memories to a third-party server, and deploys an OpenClaw hook that permanently injects stored content into agent context at every session start — creating a persistent cross-session prompt injection surface. The security-tool framing is the most deceptive aspect: it positions memory injection as a defense mechanism while the mechanism itself is the primary attack vector.
Findings (8)
HIGH Cloud sync exfiltrates agent memories to third-party server -20
ShieldCortex Cloud feature sends stored agent memories, session context, and audit data to shieldcortex.ai. Users activating this optional feature expose their agent's full memory history — including architecture decisions, credentials mentioned in conversation, and flagged threat content — to an external server operated by Drakon-Systems-Ltd. The SKILL.md normalizes this by presenting it as a team collaboration feature.
HIGH npm install -g shieldcortex introduces unaudited supply chain -18
SKILL.md instructs the agent to globally install shieldcortex from npmjs.com. The package exports 70 named functions and was not installed or audited during this engagement. A malicious or compromised npm package could execute arbitrary code via postinstall scripts, and global installation affects the entire user system rather than a sandboxed directory.
HIGH Memory injection creates persistent cross-session prompt injection vector -15
The OpenClaw hook injects 'relevant past memories' into agent context at every session start. This is an architectural design that routes untrusted stored content through the agent's instruction stream. If any source (web content, email, another skill, or a compromised cloud sync) can write to the memory store, it achieves persistent prompt injection that survives session restarts, context compaction, and agent reinstalls.
MEDIUM OpenClaw hook permanently modifies agent startup without per-session consent -8
Running 'shieldcortex openclaw install' installs a persistent system-level hook that activates on every subsequent agent restart. The hook automatically modifies agent context and saves session data without requiring user confirmation at each session. This creates an always-on behavior modification mechanism that outlasts the user's awareness of the initial install decision.
MEDIUM Skill scanner reads all installed agent instruction files -10
The scan-skills command scans all installed SKILL.md, .cursorrules, and CLAUDE.md files in the agent environment. Combined with cloud sync, this creates a mechanism to exfiltrate all instruction files — including proprietary system prompts, tool configurations, and security policies — to an external server. Even without cloud sync, the local aggregation of all instruction files into a searchable database is a data concentration risk.
MEDIUM Security-tool framing creates false trust and widens attack surface -20
ShieldCortex positions itself as a defense layer against the exact attacks it enables. The '6-layer defence pipeline' framing encourages users to trust that stored memories are safe, while the memory injection mechanism is itself the primary attack surface. A sophisticated attacker would target ShieldCortex specifically because compromising it yields persistent cross-session influence. Additionally, the skill scanner claiming to detect threats in other skills could be used to map the agent's full instruction environment.
LOW shieldcortex openclaw install deploys persistent system hook -5
The documented install path for OpenClaw integration deploys a hook that persists across restarts and modifies agent behavior automatically. Although this is documented behavior, it represents a permanent change to the agent environment that is difficult to fully audit or remove without knowing the hook's implementation details, which live in the unaudited npm package.
INFO Credential file reads attributable to audit infrastructure, not skill -5
Inotifywait and auditd recorded reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Analysis of timestamps shows the first access at 1771906183 (6 seconds before the git clone at 1771906189) and the second access at 1771906206 (5 seconds after installation completed at 1771906201). No skill-spawned process appears in the EXECVE logs accessing these paths. The audit framework's own canary integrity check confirms all files were unmodified. These reads are consistent with the audit system's baseline and post-install verification passes.
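The attribution reasoning in the finding above (compare each credential read against the install window and the set of skill-spawned pids from EXECVE records) can be automated. The following is an added example written for this page, not part of the audit framework; the event format, pids, and the audit process pid 1200 are constructed assumptions, only the timestamps come from the finding.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int     # epoch seconds, as recorded by auditd / inotifywait
    kind: str   # "execve" (process start) or "read" (file access)
    pid: int
    path: str   # program executed, or file read

CREDENTIAL_SUFFIXES = (".env", ".ssh/id_rsa", ".aws/credentials",
                       ".npmrc", ".docker/config.json")

# Constructed sample timeline using the timestamps from the INFO finding.
# pid 1200 stands in for the audit framework's own baseline checker.
SAMPLE = [
    Event(1771906183, "read", 1200, "/home/agent/.ssh/id_rsa"),
    Event(1771906183, "read", 1200, "/home/agent/.aws/credentials"),
    Event(1771906189, "execve", 4000, "/usr/bin/git"),   # git clone starts
    Event(1771906201, "execve", 4003, "/bin/cp"),        # last install step
    Event(1771906206, "read", 1200, "/home/agent/.npmrc"),
]
CLONE_TS, INSTALL_END_TS = 1771906189, 1771906201

def is_credential_path(path):
    return any(path.endswith(s) for s in CREDENTIAL_SUFFIXES)

def attribute_reads(events, clone_ts, install_end_ts):
    """Map (ts, path) of every credential read to a verdict.

    'skill'    -- read by a pid whose execve falls inside the install window
    'review'   -- read inside the window by a pid with no execve record
    'baseline' -- read outside the window, by a non-skill pid
    """
    window = range(clone_ts, install_end_ts + 1)
    skill_pids = {e.pid for e in events if e.kind == "execve" and e.ts in window}
    verdicts = {}
    for e in events:
        if e.kind != "read" or not is_credential_path(e.path):
            continue
        if e.pid in skill_pids:
            verdict = "skill"        # skill-spawned process touched the file
        elif e.ts in window:
            verdict = "review"       # unexplained access during install
        else:
            verdict = "baseline"     # matches audit pre/post verification passes
        verdicts[(e.ts, e.path)] = verdict
    return verdicts

def unexplained(verdicts):
    """Reads that need follow-up: anything not attributable to the baseline."""
    return {k: v for k, v in verdicts.items() if v != "baseline"}
```

Run against the sample, every read lands outside the clone-to-install window with no skill pid, which reproduces the finding's "baseline" conclusion; a read by a pid spawned inside the window would instead be flagged as skill-attributable.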