Soul Weaver

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenClaw persona/configuration generator, but users should review generated files carefully before applying them because they can change agent behavior and memory habits.

Install only if you want a persona/configuration generator for OpenClaw. Before applying any generated SOUL.md, USER.md, MEMORY.md, TOOLS.md, cron job, or workspace file replacement, back up existing files, review diffs, disable unwanted memory/tool behavior, and do not place secrets in prompts or persistent memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (72)

Description-Behavior Mismatch (Medium, 95% confidence)

The README makes a security-relevant claim that the skill supports local/offline template access, but the documented invocation requires an API key and sends data to a remote endpoint. In a skill with network and filesystem permissions that edits agent configuration, this mismatch can mislead users into exposing secrets or configuration data to an external service they believed was not involved.

Intent-Code Divergence (Medium, 96% confidence)

The documentation contains contradictory trust signals: it advertises operation without an API while later requiring credentials and a remote compile endpoint. This can cause operators to run the skill under false assumptions about data locality and threat exposure, which is especially risky given the skill's ability to access files and modify multiple agent configuration files.

Description-Behavior Mismatch (Medium, 93% confidence)

The template hard-codes powerful capabilities—skill discovery/installation, command execution, and web search—into a skill whose stated purpose is only to generate OpenClaw agent configurations. This creates unnecessary privilege expansion and can normalize broader tool access in generated agents, increasing the chance of unsafe downstream actions or abuse if the generated configuration is used without careful review.

Context-Inappropriate Capability (Medium, 95% confidence)

Requiring command execution, web search, and skill-installation capabilities without clear necessity violates least-privilege and meaningfully increases attack surface. In this skill’s context, those capabilities could let generated agents execute commands, fetch untrusted remote content, or install additional skills, enabling privilege escalation, prompt-injection propagation, or unintended system changes.

Intent-Code Divergence (Medium, 93% confidence)

The script explicitly claims the scheduled job has 'No network activity,' but it launches the OpenClaw agent and this skill has network permission. That mismatch can mislead users into approving a cron task under false assumptions, and a scheduled agent run could perform network actions if prompted by workspace state or future skill behavior.

Context-Inappropriate Capability (Medium, 91% confidence)

The skill is presented as a configuration generator, but the generated persona files embed behavioral directives about tool usage, memory retention, workflows, and operational conduct that go beyond simple template generation. In an agent environment with filesystem and network permissions, these instructions can expand the downstream agent's behavior and encourage persistence, tool invocation, and broader autonomy the user may not expect.

Description-Behavior Mismatch (Medium, 95% confidence)

This script adds broad workspace security-audit behavior that is unrelated to the declared skill purpose of generating OpenClaw configurations and celebrity-style templates. In a skill with filesystem and network permissions, unexpected scanning of the user's workspace increases access to sensitive local data and materially expands the trust boundary, even if the current script only prints findings locally.

Context-Inappropriate Capability (Medium, 96% confidence)

The script performs credential discovery and security auditing across a workspace despite the skill being presented as a configuration/template generator. Searching for secrets and sensitive files is dangerous because it inspects potentially confidential content that the user did not reasonably expect this skill to access, and in a broader agent context those results could be logged, exposed to the model, or later exfiltrated.

Intent-Code Divergence (Medium, 95% confidence)

The file mixes a safety-oriented write policy with a conflicting instruction that the agent should treat SOUL.md as memory and update it over time. In a skill with filesystem permission, this creates ambiguous precedence and can normalize persistent self-modification without clear user approval, increasing the chance of unintended writes to packaged skill files or other non-temporary locations.

Description-Behavior Mismatch (Medium, 91% confidence)

The security guidance is materially misaligned with the actual skill purpose: generating OpenClaw agent configurations. Instead of focusing on agent-safe behaviors like tool-use restrictions, secrets handling, prompt-injection resistance, and permission scoping, it redirects the model toward protecting an Apple-like brand/product narrative. In a skill with network and filesystem permissions, this misalignment can cause the agent to apply irrelevant priorities and miss real security-relevant decisions.

Intent-Code Divergence (Medium, 94% confidence)

The document claims to defend against prompt injection, credential leakage, and unauthorized operations, but the actual controls mostly address brand protection and unreleased product secrecy. This creates a false sense of security: operators may believe the skill has meaningful security coverage while important attack surfaces remain unspecified. In practice, that gap can weaken agent behavior under adversarial prompts or risky tool requests.

Description-Behavior Mismatch (Medium, 91% confidence)

The template explicitly instructs the agent to treat files as persistent memory and to read and update them across sessions, which exceeds the stated purpose of generating agent configurations. In a skill with filesystem permission, this can normalize ongoing modification of user data without clear scope limits, consent, retention boundaries, or safeguards against unintended persistence.

Description-Behavior Mismatch (Medium, 93% confidence)

These instructions push the agent beyond the declared purpose of generating OpenClaw agent configurations and toward autonomous code modification and proactive bug fixing. In a skill with filesystem and network permissions, broad autonomy increases the chance of unintended code changes, scope creep, and actions the user did not explicitly authorize.

Description-Behavior Mismatch (Medium, 97% confidence)

The continuity section explicitly tells the agent to read and update files as persistent memory every session, which exceeds the skill's stated purpose and creates unauthorized statefulness. With filesystem access, this can lead to silent modification of stored files, retention of sensitive information, and behavior that persists outside the user's immediate request.

Context-Inappropriate Capability (Medium, 98% confidence)

'These files are my memory. Read them, update them' instructs the agent to maintain file-based memory without a clear business need for a configuration-generation skill. This creates a direct risk of unauthorized data accumulation and silent file mutation, especially because the skill has filesystem permission.

Intent-Code Divergence (Low, 86% confidence)

The file-operation rules say to confirm before permanent storage, but later instructions tell the agent to update continuity files each session, creating contradictory guidance. Such inconsistency is dangerous because agents often follow the more specific or later instruction, resulting in writes the user may not expect despite an apparent safeguard.

Vague Triggers (Medium, 91% confidence)

The documented activation phrases are broad conversational requests like asking for a mindset or templates, which could be matched during ordinary user dialogue rather than an intentional, explicit skill invocation. In a skill with filesystem and network permissions, accidental activation increases the chance of unintended file modifications or external API use.

Vague Triggers (Medium, 94% confidence)

The quick-start examples use generic phrases like 'I want Elon Musk thinking' and 'Business leaders please,' which are too ambiguous to safely distinguish from normal conversation. Because this skill can generate and apply configuration files, underspecified invocation raises the risk of unintended execution paths that alter workspace state.

Missing User Warnings (Medium, 90% confidence)

The API-generation section encourages users to submit free-form descriptions to an external endpoint but does not prominently warn that user-provided content will leave the local environment. Given the skill's network permission and privacy-oriented marketing, this omission can mislead users into exposing sensitive prompts, workspace context, or configuration data.

Missing User Warnings (Medium, 93% confidence)

The file-operation guidance includes copying and replacing core workspace files such as SOUL.md and IDENTITY.md, but the overwrite risk is not presented as a prominent hazard with concrete recovery guidance. In this context, replacing root configuration files can destroy existing agent state, alter behavior unexpectedly, or break a user's environment.

Vague Triggers (Medium, 90% confidence)

The trigger phrases are extremely broad and overlap with ordinary conversation, making accidental invocation likely. In a skill that can generate or influence agent configuration files and has filesystem/network permissions, unintended activation could lead to unreviewed configuration changes or outbound API use.

Vague Triggers (Medium, 88% confidence)

The dialog-based selection section again encourages vague natural-language triggers without making clear when the skill should activate versus when the assistant should respond normally. Because the skill is designed to produce complete agent configuration artifacts, ambiguous activation increases the risk of prompt confusion, accidental skill routing, and unsafe downstream modifications.

Missing User Warnings (Medium, 85% confidence)

The cloud API and generated-files sections normalize fetching and applying configuration bundles but do not prominently warn that those outputs can overwrite or materially alter an existing agent setup. In this context, users may trust remote-generated configuration content and apply it without understanding persistence, security, or compatibility consequences.

Vague Triggers (Medium, 84% confidence)

The tag list contains highly generic activation terms such as 'soul', 'AI agent', and 'AI assistant', which can cause the skill to be matched for broad, unrelated user requests. In a skill that writes agent configuration files to the filesystem, overbroad triggering increases the chance of unintended invocation and unreviewed file generation or modification.

Missing User Warnings (Medium, 90% confidence)

The protocol explicitly directs storing user preferences in a persistent `USER.md` file, but provides no consent, minimization, retention, or sensitivity guidance. In a skill with filesystem and network permissions, this creates a real privacy risk because personal preferences and inferred profile data may be retained longer than necessary and potentially exposed or reused unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.