SoulFlow — Agent Teams Workflow Skill

Security checks across malware telemetry and agentic risk

Overview

SoulFlow is a disclosed workflow automation skill, but it grants a persistent worker broad authority to run commands, edit files, change OpenClaw config, and reuse existing credentials.

Install only if you trust the publisher and intentionally want broad local automation. Review built-in and custom workflows before running them, avoid using profiles with production cloud or code-hosting credentials unless necessary, back up OpenClaw config first, run in a sandbox for sensitive work, and delete the worker agent or .soulflow logs when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The client requests 'operator.read', 'operator.write', and 'operator.admin' during the gateway handshake even though the skill is described as a general workflow framework. This violates least-privilege and means compromise or misuse of this skill could grant broad control over the local OpenClaw operator surface far beyond what is needed for simple chat/session handling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
This handler converts natural-language input directly into execution of a local child process and can invoke a security-audit workflow without any authorization, policy check, or scope restriction in this file. In an agent setting, this broadens user-controlled capability from conversation routing to local workflow execution, which can trigger sensitive scans or follow-on actions unexpectedly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The worker prompt explicitly instructs the agent to use file-read, file-edit, and command-execution tools and to 'do the actual work,' creating a broadly empowered autonomous executor. In the context of a generic workflow framework, this grants far more capability than minimally necessary and can turn untrusted workflow/task content into arbitrary tool use, including shell command execution and file modification.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The code mutates global agent configuration by creating a new agent with a full tool profile, then copies authProfiles from the first existing agent into it. This is a privilege-escalation and credential-propagation risk: a workflow runner should not silently inherit another agent's authentication context, because compromise or misuse of the worker would expose external accounts and high-impact operations.

Description-Behavior Mismatch

Severity: Low
Confidence: 79%
Finding:
The runner sends completion and failure messages into the main agent session without explicit opt-in, including workflow name, run ID, task excerpts, and selected result variables. While likely intended as a convenience feature, it can leak sensitive task content or outputs across session boundaries and creates behavior not clearly disclosed by the manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The verify step explicitly instructs the agent to use the `exec` tool to run relevant test suites, but it does not constrain which commands may be executed or require a predefined allowlist. In an agentic workflow, test commands can be influenced by repository contents or prior workflow outputs, so this broad execution capability expands the skill from code inspection/editing into potentially unsafe command execution.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The README encourages automatic invocation from broad natural-language requests like security audits, bug fixes, and feature development, without clear confirmation or scope restrictions. In this skill's context, invocation can lead to multi-step isolated agents with full read/write/exec/browser access, so ambiguous triggering materially increases the risk of unintended privileged execution on local projects.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The skill encourages automatic invocation from broad phrases like 'build', 'add', 'fix', 'audit', and similar common requests. This can cause the agent to launch a high-privilege workflow framework unexpectedly, turning ordinary user intent into execution of a tool that can read/write files, create agents, and use inherited credentials.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The agent-facing instruction says to invoke the skill whenever the user requests a workflow such as security audit, bug fix, or feature build, which is an ambiguous activation condition for common tasks. In this skill, ambiguity is especially dangerous because invocation leads to execution through a worker agent with full tool access and inherited authProfiles, increasing the chance of unintended privileged actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The code launches a subprocess immediately after matching a user message, with no user-facing warning, consent gate, or dry-run behavior. In conversational agents, silent execution of local workflows is dangerous because ambiguous or prompt-injected input can cause unintended actions before the user understands that code or automation is being run.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The worker setup writes to the filesystem and alters runtime configuration without any user-facing warning or consent, including creating agent directories and writing SOUL.md. Silent persistence and config changes are dangerous because they create durable privileged state the user may not expect, making later abuse harder to detect and revert.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
Workflow step input and resulting agent output are transmitted through gateway/chat APIs, and later summarized back to the main session, without any explicit disclosure or consent flow. If tasks or outputs contain secrets, proprietary code, or operational details, this can cause unintended data exposure beyond the user's expected execution boundary.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The workflow explicitly directs the agent to use `edit` to apply changes and says "Do the actual fix," but provides no built-in confirmation gate, dry-run mode, or user-visible warning before modifying files. In a general-purpose workflow framework, this increases the risk of unintended or over-broad repository changes if invoked on ambiguous, malicious, or poorly scoped bug reports.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The workflow is a general-purpose deployment pipeline whose description and step prompts allow production-impacting actions based on a freeform `{{task}}` input, without clear activation boundaries, environment scoping, or authorization checks. In an agent framework, broad deploy-capable workflows increase the chance of accidental or prompt-driven production actions being invoked in the wrong context.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The production deployment step instructs the agent to execute real deployment mechanisms such as `git push`, `rsync`, or `docker deploy` if the build succeeds, but it provides no mandatory confirmation, approval gate, dry-run mode, or target validation. Because this skill is explicitly designed for automation, a mistaken invocation, ambiguous task input, or prompt injection into `{{task}}` could directly cause unauthorized or destructive production changes.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The workflow is framed as a general-purpose feature development pipeline with no trigger constraints or scope limitations, yet it instructs the agent to explore the project, read arbitrary files, and write/edit code across the repository. In a broad workflow framework, this increases the chance of unsafe or unintended invocation, allowing untrusted task input to drive repository-wide inspection and modification without clear boundaries or approval gates.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The workflow is framed as a general security audit that can be broadly invoked against an arbitrary codebase via `{{task}}`, without clear scoping, approval gates, or constraints on what repositories or files may be analyzed. In an agent framework, this increases the chance of unintended execution on sensitive projects and makes downstream file access and modification steps more dangerous because the workflow presents itself as broadly applicable security automation.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The `fix` step instructs the agent to directly modify the codebase using `edit` and explicitly says 'Do NOT skip fixes' and 'apply them,' but the workflow provides no user-facing disclosure, dry-run mode, or approval checkpoint before making changes. This can lead to unauthorized or unsafe code modifications, including breaking production logic, altering security-sensitive files, or introducing regressions based on imperfect scan results.

VirusTotal

61/61 vendors flagged this skill as clean.