Security audit

soul-generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed persona-file generator whose expected behaviour is limited to web search and writing a local SOUL.md file; the audit found no evidence of hidden execution, credential use, exfiltration, or destructive behavior.

Install from the reviewed ClawHub artifact when possible. If using the GitHub clone instructions, verify the repository and source first. Review generated SOUL.md files before relying on them, avoid putting sensitive personal details into persona files, and delete or edit personas that should no longer shape future assistant behavior.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers
Severity: High. Confidence: 97%.
Finding: The trigger phrases include very generic language such as '生成' ("generate"), '我是' ("I am"), and '帮我生成一个人格' ("help me generate a persona"), which can overlap with normal conversation and cause the skill to activate unexpectedly. Because this skill writes persona files and may launch web search in celebrity-distillation mode, accidental activation can lead to unintended file creation, prompt-context changes, or external data retrieval without clear user intent.

Missing User Warnings
Severity: Medium. Confidence: 93%.
Finding: The skill states that it outputs a file to '~/.openclaw/workspace/soul/[名字]/SOUL.md' (where [名字] is a name placeholder) but does not prominently warn that local files will be created or modified. In combination with broad triggers, a user may invoke the skill without realizing it persists content on disk, which can create privacy, consent, and workspace-integrity issues, especially if the generated file later influences model behavior.

Natural-Language Policy Violations
Severity: Medium. Confidence: 93%.
Finding: The skill hard-codes a Chinese honorific/polite response style ('必须使用敬语', "must use honorifics") and a mandatory sentence structure for all interactions without any user opt-in, locale check, or task-based justification. This can override user preference, reduce accessibility and appropriateness across contexts, and create prompt-level coercion that is especially problematic in a general-purpose persona-generation skill.

VirusTotal

66/66 vendors flagged this skill as clean.