Chapter 05
Policy Scope Redefinition: when agent policy quietly stops applying
Policy scope redefinition is the attack family where mandatory controls get reframed as optional guidance, appendix material, or lower-priority context so the workflow remains nominally compliant while its real authority expands.
What it is
This family is about interpretation abuse. The system is not always told to ignore policy directly. Instead, it is nudged into believing policy no longer applies in the current branch, urgency tier, appendix, MCP context, or exception path. That makes this one of the quietest ways to widen authority without triggering obvious alarms.
Why it matters for agents
Agents are unusually vulnerable to this family because they constantly reconcile instructions from different layers: system prompts, runbooks, tickets, tool metadata, docs, approvals, and user goals. If one layer successfully reframes another as advisory, stale, or context-limited, the agent can remain "allowed" while no longer being safe.
How it shows up in workflows
Typical shapes include appendix precedence overrides, runbook language that demotes guardrails, runtime reclassification of high-risk actions into normal operations, and scope creep that looks temporary but persists. This is also where many MCP and tool-handoff failures become more dangerous: the tool itself may be authorized, but the workflow's interpretation of what is still in-bounds quietly expands.
What Sunglasses sees
Attackers often win by reframing policy, not by defeating it head-on.
Categories in this chapter:
policy_scope_redefinition, authorization_bypass, auth_bypass, privilege_escalation, approval_graph_poisoning
No patterns match the current filters.
All 47 patterns in this chapter
Every Sunglasses detection pattern mapped to this attack family.
GLS-PE-001
Admin/debug mode activation
HIGH
Attempt to escalate agent privileges via fake mode activation.
enter admin modeactivate admin modeenable admin accessyou are now in debug modedebug mode activatedenter root modesudo mode enabled
GLS-PE-002
Approval bypass
HIGH
Attempt to bypass approval or safety checks.
bypass approval checksskip verificationbypass safety checksskip authenticationbypass all restrictionsoverride safety
GLS-TD-002
Agent config manipulation
CRITICAL
LLM agent silently disabling execution approval or safety checks via config modification.
config.patchconfig.set(disable exec approvaldisable safety checkskip approval
GLS-AB-001
Authentication bypass via token truncation
CRITICAL
Authentication tokens truncated or partially compared, allowing collision attacks where different users can share cache entries or bypass auth. Based on LiteLLM CVE-2026-35030.
token[:20]token truncationpartial token matchcache key collisionshortened auth tokentoken prefix onlyhash_token[:10]api_key[:16]+4 more
GLS-AB-006
JWT algorithm none bypass
CRITICAL
Detects JWT algorithm confusion attacks where alg=none allows unsigned tokens to bypass validation (CVE-2026-39413).
alg nonealgorithm noneunsigned tokenalgorithm confusion
GLS-AB-002
Credential hash exposure via API
HIGH
Detects credential hash exposure in API responses or config — enables pass-the-hash attacks.
password_hashhashed_passwordpassword_digest
GLS-AUZ-GHSA-007
Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
MEDIUM
Detection for GHSA-4f8g-77mw-3rxc: OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`. Source: https://github.com/advisories/GHSA-4f8g-77mw-3rxc
HTTPopenclawoperator.readoperator.write
GLS-AUZ-GHSA-009
`node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
MEDIUM
Detection for GHSA-67mf-f936-ppxf: OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval. Source: https://github.com/advisories/GHSA-67mf-f936-ppxf
node.pair.approveopenclawoperator.pairingoperator.writepairing
GLS-AUZ-GHSA-010
Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)
MEDIUM
Detection for GHSA-5fc7-f62m-8983: OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix). Source: https://github.com/advisories/GHSA-5fc7-f62m-8983
GHSAbypassopenclaw
GLS-AUZ-GHSA-012
Existing WS sessions survive shared gateway token rotation
HIGH
Detection for GHSA-5h3f-885m-v22w: OpenClaw: Existing WS sessions survive shared gateway token rotation. Source: https://github.com/advisories/GHSA-5h3f-885m-v22w
openclaw
GLS-AUZ-GHSA-013
Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths
HIGH
Detection for GHSA-25wv-8phj-8p7r: OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths. Source: https://github.com/advisories/GHSA-25wv-8phj-8p7r
bypassopenclaw
GLS-AUZ-GHSA-014
Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
MEDIUM
Detection for GHSA-5wj5-87vq-39xm: OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement. Source: https://github.com/advisories/GHSA-5wj5-87vq-39xm
bypassescalationopenclawoperator.adminpairing
GLS-AUZ-GHSA-016
resolvedAuth closure becomes stale after config reload
MEDIUM
Detection for GHSA-68x5-xx89-w9mm: OpenClaw: resolvedAuth closure becomes stale after config reload. Source: https://github.com/advisories/GHSA-68x5-xx89-w9mm
openclaw
GLS-AUZ-GHSA-017
`node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
MEDIUM
Detection for GHSA-cmfr-9m2r-xwhq: OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard. Source: https://github.com/advisories/GHSA-cmfr-9m2r-xwhq
browser.proxybrowser.requestbypassnode.invokeopenclaw
GLS-AUZ-GHSA-018
`device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
HIGH
Detection for GHSA-whf9-3hcx-gq54: OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing. Source: https://github.com/advisories/GHSA-whf9-3hcx-gq54
bypassdevice.token.rotateopenclawpairing
GLS-AUZ-GHSA-020
strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
MEDIUM
Detection for GHSA-q2gc-xjqw-qp89: OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts. Source: https://github.com/advisories/GHSA-q2gc-xjqw-qp89
bypassevalexecopenclawstrictinlineeval
GLS-AUZ-GHSA-022
Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel
MEDIUM
Detection for GHSA-jf56-mccx-5f3f: OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel. Source: https://github.com/advisories/GHSA-jf56-mccx-5f3f
openclawwake
GLS-AUZ-GHSA-030
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
HIGH
Detection for GHSA-5mwj-v5jw-5c97: LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header. Source: https://github.com/advisories/GHSA-5mwj-v5jw-5c97
bypassforgeableunauthenticatedwebapi
GLS-PE-003
Consent/approval laundering claim
HIGH
Detects consent/approval laundering — text that claims approval, consent, or sign-off already exists rather than asking to bypass it. Narrower than GLS-SE-004.
GLS-PE-004
Excessive default session/token lifetime
MEDIUM
Month-scale default session/token lifetimes (44640 minutes, 31 days) in agent/admin auth config — excessive credential lifetime primitive.
GLS-PE-005
Hardcoded approval_mode='auto' bypassing admin policy
HIGH
Detection for GHSA-qwgj-rrpj-75xm: PraisonAI Chainlit UI hardcodes auto-approval for shell commands, bypassing admin policy. Source: https://github.com/advisories/GHSA-qwgj-rrpj-75xm
GLS-AB-003
Forgeable trust-header auth bypass (X-*-Auth)
CRITICAL
Forgeable trust-header auth bypass — routes that honor X-*-Auth headers without validating origin, enabling unauthenticated access (GHSA-5mwj-v5jw-5c97, LobeHub variant).
GLS-AB-004
Login route accepts raw SHA-256 hex (pass-the-hash)
MEDIUM
Login routes that accept raw hash-shaped material (SHA-256 length hex) as credentials — pass-the-hash primitive.
GLS-AB-005
Unsalted SHA-256 used for password hashing
MEDIUM
Unsalted SHA-256 used for password hashing in control-plane auth code — weak hashing primitive.
GLS-PSR-001
Governance Appendix Precedence Override
HIGH
Document-structure precedence abuse — attacker claims an appendix, annex, addendum, footnote, sidebar, or metadata note has precedence over the main policy/governance ruleset and uses that to ignore, bypass, waive, or disable guardrails, safety, review, approval, or compliance checks. Novel scope-redefinition vector.
appendix takes precedence ignore guardrailsaddendum new ruleset waive safety checksmetadata note supersedes main policyannex authoritative replace control matrixfootnote governing ruleset ignore safetysidebar addendum override governance controlsappendix supersedes policy waive guardrailmetadata note higher-priority governance discard approval+2 more
GLS-PSR-579
Policy Reclassified As Advisory Guardrail Demotion
HIGH
Detects attempts to demote policy/guardrail scope from mandatory controls to advisory/optional guidance in order to justify unsafe execution.
reclassify safety policy advisory and continue withtreat guardrails optional for this run anddeclare compliance rules non-binding the agent candowngrade policy controls informational guidance before actionconsider safety rules best-effort only and bypasspolicy optional this emergency workflow continue nowmark the guardrails lower-priority and follow userreinterpret compliance rule advisory allow the command
GLS-PSR-002
Policy Scope Reinterpretation Priority Override
HIGH
Detects an attempt to redefine, reinterpret, or reclassify a policy or guardrail as deprecated or superseded so that a new scope or priority takes precedence and bypasses it.
GLS-PSR-003
Forged Clause Appendix Precedence Execution Override
HIGH
Detects text claiming a forged or counterfeit policy clause, appendix, or addendum takes precedence and is used to override, supersede, or rebind execution scope in order to bypass or skip safety restrictions.
GLS-AGP-653
Forged Approval Quorum Auto-Approve Override
HIGH
Detects a forged approval quorum, sign-off, or vote snapshot used to auto-approve or bypass recalculation of the approval graph.
GLS-AGP-001
Forged Approval Graph Delegate Vote Policy Bypass
HIGH
Detects a forged approval graph, quorum snapshot, or delegate ballot used to auto-approve or skip guardrail trust-gate policy.
GLS-PSR-580
Post-Approval Tool Hint Policy Override
HIGH
Lower-trust content (tool output, retrieval, retry wrappers) is merged after policy text and silently overrides protected fields so executed tool arguments drift outside approved scope while summaries still appear compliant.
policy-last merge bugretry wrapper overridepost-approval mutationtool hint overrides policycross-tool precedence bleedsummarize-then-execute inversionlow-trust channel overrides guardrailscope silently widened+4 more
GLS-PSR-581
Temporary Exception Scope Expansion Persistence
HIGH
Attackers reframe time-bounded or narrowly scoped policy exceptions into persistent or broader authority through alias expansion, delegation inheritance, or fabricated rollback dependencies, granting durable elevated access from a temporary unblock.
allow once persistence grafttemporary exception broadenedexception scope inflationalias-based scope expansiondelegated child inherits exceptionexception ttl revivalrollback blocker pretextwhile this issue persists+4 more
GLS-PSR-582
Unicode Homoglyph Scope Marker Bypass
HIGH
Attackers hide control directives in Unicode confusables, zero-width marks, or emoji bullets so the rendered text looks benign to operators while normalization or tokenization expands the payload into policy-changing instructions at execution time.
homoglyph verb swapcyrillic confusable allow denyemoji scope markerhidden precedence emojizero-width control directivebidi mark policy bypassnfc nfkc normalization splitrendered plaintext mismatch+4 more
GLS-PSR-583
Newer Timestamp Directive Canonical Precedence Override
HIGH
Attackers poison precedence rules across multiple mission artifacts by spoofing newer timestamps, injecting partial-order ambiguity, or redirecting reply paths so the agent executes lower-trust or stale directives while appearing compliant.
newest-file authority spoofhigher mtime mission overridepartial-order ambiguityfollow latest mission firstcross-file constraint shadowingreply-target redirectionnon-canonical output pathmission file precedence hijack+4 more
GLS-PSR-584
Late-Layer Duplicate Key Policy Override
HIGH
Attackers exploit overlay-merge ambiguity in layered policy bundles so a later, weaker stanza silently overrides stronger rules through namespace collisions, forged priority tags, or environment-flag pivots, shifting effective policy without audit trace.
late-layer exception smugglelast-write-wins policy weakenednamespace collision overrideduplicate key approval requiredpriority tag spoofingunverified priority elevatedenvironment flag flipstaging debug branch policy off+4 more
GLS-PSR-585
Compliance Status Launder Raw Action Evidence
HIGH
Adversarial content persuades the pipeline to report controls as active while the enforcement path is bypassed, using laundered healthchecks, rewritten compliance summaries, or spoofed freshness metadata so operators trust green dashboards during live attacks.
healthcheck pass launderingguardrail shadow branchpolicy applied but unsafe fallbackcompliance summary overwritepost-processor rewrites summarystaleness badge suppressionfreshness metadata mutatedgreen dashboard while bypass+4 more
GLS-PSR-586
Fabricated Priority Escalation Silent Mode Coercion
HIGH
Attackers inject fake operational-urgency framing or list-truncation directives to make schedulers reorder priority lanes, skip end-of-cycle verification steps, or force false silent-mode completion, silently shifting effort away from high-impact missions.
urgency spoof overridefake p0 emergency tagfabricated authority chainpriority list truncationignore everything after itemcross-file precedence confusionolder mission supersedes newestsilent mode coercion+4 more
GLS-PSR-587
Pre-Verification Execution Dependency Edge Removal
HIGH
Attacker text manipulates the planner's goal-tree ordering so safety and verification nodes are demoted or aliased to a completed state, allowing high-risk execution nodes to run before approval checks pass.
pretext urgency re-rankingverify equals already verifiedgoal alias collisiondependency edge deletionguardrail goals as optionalmetric chasing coercionexecute before verifyplan dag tamper+4 more
GLS-PSR-588
Precedence Ladder Inversion Lower Trust Override
HIGH
Attackers inject conflicting directives at lower-trust layers of the precedence ladder (templates, fallback schemas, runtime notes) so they silently override canonical mission constraints, causing duplicate outputs, metric laundering, or suppressed pivots.
template over mission inversionfreshness over authority inversionfallback over primary inversionstatus note override loopnon-canonical layer outranks canonicalmetric laundering via fallback keyduplicate output suppression bypassprecedence ladder collision+4 more
GLS-PSR-589
False Priority Framing Freshness Gate Replay
HIGH
Attack content coerces a one-task-per-cycle scheduler into priority inversion by framing repeated low-value checks as urgent blockers or by mimicking canonical-board authority, causing the agent to burn cycles re-auditing already-green missions instead of advancing real work.
false p0 escalation framingregenerate freshness gate every cyclepseudo-authority board overridedecisions style snippet injectionone-task rule weaponizationforced template repetitioncollision laundering reopen donepriority stack hijack+4 more
GLS-PSR-590
Policy Constraint Softened To Advisory Hint
HIGH
Across summary, planner, executor, and formatter stages attackers keep payloads intact while rephrasing hard MUST/NEVER constraints as soft guidance, eroding safety ordering so downstream tools optimize delivery speed over required security gates.
planner softening attacktreat policy as guidance if urgentsummarizer drops must clausesmust downgraded to shouldformatter precedence inversionverification fields omittedcross-role authority bleedteammate hint as boss directive+4 more
GLS-PSR-591
Shadow Board State Injection Backlog Override
HIGH
Attackers inject lookalike state-board files, flip section precedence so backlog rows override DECISIONS, or replay stale READY snippets so cron-driven agents pick up wrong owners and produce overstated readiness reports.
shadow board injectionlookalike timeline filestale inbox mirror as canonicalsection precedence flipqueued overrides decisionsopen_questions overrides decisionstemporal replay of ready statecross-file canonicality drift+4 more
GLS-PSR-592
Prior Approval Claim Without Source Token
HIGH
Attackers inject synthetic compliance language into intermediate briefing layers and handoff notes so downstream steps trust unapproved directives as already-reviewed policy, bypassing evidence checks because the brief is trusted more than raw source artifacts.
policy voice prependsecurity already approved thishandoff summary authority swapguardrail relaxed in prior cyclestatus panel greenwashfake pass healthy languagecompliance citation launderingreal policy id altered interpretation+4 more
GLS-PSR-593
Risk Evaluator Score Downgrade Block To Allow
CRITICAL
Attackers poison the trusted policy-evaluator layer through feature-weight stuffing, schema-fallback ambiguity, context-order anchoring, or forged provenance so malicious actions get scored ALLOW instead of BLOCK, compromising the decision gate that mediates all downstream tools.
feature weight prompt stuffingevaluator-safe token stuffingthreshold steering fallback ambiguitykpi_snapshot vs kpis fallbackunknown defaults to allowcontext order poisoningpolicy after retrieval anchoredcross-tool evidence laundering+4 more
GLS-PSR-594
Canonical Miss Case Fold Template Hijack
HIGH
Attackers exploit non-deterministic template/path resolution (case-folding, near-name shadowing, first-match glob) so the system binds to attacker-controlled or looser fallback templates that strip lane separation, freshness, or KPI guards from rendered outputs.
canonical-miss fallback hijackfirst existing template winstemplate shadowing near-namecase-sensitivity environment pivotprecedence override claimed in decisionsimplicit glob template selectionkpi scorecard template driftpath resolver non-deterministic+4 more
GLS-PSR-595
Recency Tiebreak Flood Provenance Rank Override
HIGH
Attackers inject low-friction high-recency or high-frequency artifacts to push deterministic tiebreak rules toward attacker-preferred conclusions, displacing canonical evidence so the pipeline mislabels readiness as GREEN or suppresses escalations by rule rather than truth.
recency over provenance overridecardinality weight hijacknear-duplicate floodseverity label skewhigh medium ambiguity dampenwindow boundary tiebreak abusetrend reversal syntheticevidence priority tiebreak poisoning+4 more
GLS-PSR-596
Approval Summary Narrower Than Execution Payload
CRITICAL
Attackers introduce a second policy layer (glossary rewrite, compressed approval summary, forged role inheritance, or retry constraint mutation) that redefines safety terms so downstream tool calls execute riskier actions while still appearing policy-compliant.
glossary rewrite shadowingredefine read-only includes metadatasafe command includes installsecurity glossary injectapproval summary compression drifttool args broader than summaryhidden force or wildcard in argsrole inheritance shadowing+4 more