SoulFlow — Agent Teams Workflow Skill
WarnAudited by ClawScan on May 10, 2026.
Overview
SoulFlow looks like a real workflow engine, but it creates a persistent full-access worker agent and inherits existing account profiles, so it deserves careful review before installation.
Install only if you are comfortable letting SoulFlow create or reuse a full-access OpenClaw worker that can edit files, run commands, use browser tools, and inherit existing account profiles. Verify the source repository first, review all workflow JSON files before running them, use least-privilege credentials where possible, and clean up the worker agent and run logs when finished.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A workflow can read files, edit code, run commands, and use browser actions; a broad or third-party workflow could make changes the user did not intend.
The worker can use all major local tools for arbitrary workflow steps. That is disclosed and central to the framework, but it is broad mutation and execution authority without clear per-step approval controls.
Has full tool access (read, write, edit, exec, browser)
Review every workflow JSON before running it, require explicit approval for edit/exec/deploy steps, and prefer workflow-specific least-privilege tool profiles.
Workflow steps may act with existing external-account permissions, increasing the impact of a bad workflow prompt or mistaken automation step.
The worker agent automatically inherits auth profiles from the first configured agent, which may grant access to GitHub, cloud, or other external services without selecting only the profiles needed for a workflow.
if (list.length > 0 && list[0].authProfiles) {
newAgent.authProfiles = list[0].authProfiles;
}Do not automatically inherit authProfiles; require explicit user selection of allowed profiles per workflow and document exactly which accounts can be used.
A full-access SoulFlow worker can remain configured after the original task, which expands the user's long-term agent surface area.
The skill patches OpenClaw configuration and writes a persistent SOUL.md for a dedicated worker agent. The provided artifacts do not show a bounded lifetime or cleanup path for that full-access worker.
await gateway.call('config.patch', patchParams);
...
fsMod.default.writeFileSync(soulPath, WORKER_SOUL);Ask before creating or reusing the worker, provide an uninstall/disable command, and remove inherited credentials when the workflow is done.
An error in one step could propagate into later code edits, verification, deployment, or other automation without containment.
A long response is accepted as success even if the expected completion marker is missing, so later workflow steps may continue after an incomplete or blocked step.
else if (response.length > 500) {
console.log(`[soulflow] ✓ Substantial response (accepted)`);
success = true;
}Fail closed when expected markers are absent, and require user review before continuing to mutating or deployment steps.
Users may have difficulty verifying which repository or maintainer is authoritative before granting broad local and account access.
This conflicts with the evaluated metadata/SKILL homepage of https://github.com/0xtommythomas-dev/soulflow and the source is listed as unknown. Provenance ambiguity is material because the skill seeks admin and credential authority.
"repository": {
"type": "git",
"url": "https://github.com/soulstack/soulflow.git"
},
"homepage": "https://github.com/soulstack/soulflow#readme"Verify the exact repository, owner, release, and code hash before installation; publishers should make source provenance consistent across metadata, README, and package files.
A matched natural-language request can start a local workflow process that may run agents with edit and exec capabilities.
Natural-language handling starts the local SoulFlow runner as a child Node process. This is expected for the skill's purpose and uses argument arrays rather than a shell string, but users should notice that casual requests can bridge to local process execution.
const child = spawn('node', [soulflowPath, 'run', workflow, task], {
cwd: path.dirname(soulflowPath),
env: process.env,Confirm before launching workflows from natural language, especially for tasks that can modify files or run commands.
Sensitive workflow results may remain on disk under the SoulFlow run history.
Full step outputs and variables are persisted to local run-state JSON files. This is useful for status/history, but those outputs may contain code, findings, file paths, or accidentally included secrets.
if (output !== null) state.steps[stepIndex].output = output; ... fs.writeFileSync(filePath, JSON.stringify(state, null, 2), 'utf8');
Treat SoulFlow run logs as sensitive, avoid placing secrets in prompts or outputs, and periodically delete old run state if it is no longer needed.