Soul Search

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what a SOUL/persona manager is meant to do, but applying or restoring a SOUL.md can change future agent behavior.

Install only if you are comfortable letting this skill change SOUL.md. Before applying a remote persona, review the source or preview the content when possible, keep backups, and avoid applying catalog entries you do not trust.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The apply flow fetches content from a remote catalog entry or local path and writes it directly to SOUL.md, which changes the agent's active persona/instructions. Because SOUL content is effectively prompt/configuration input, a malicious or compromised catalog entry could silently replace trusted behavior with unsafe instructions, and the command does not present an explicit confirmation or risk warning immediately before overwrite.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The restore command overwrites SOUL.md from the latest backup without a pre-action confirmation. Although the source is local backup data rather than freshly fetched remote content, it still modifies the active persona state and could unexpectedly revert the workspace to prior instructions if backups were tampered with or the user invoked restore unintentionally.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal