SoulKeeper
WarnAudited by ClawScan on May 10, 2026.
Overview
SoulKeeper is a coherent identity-reminder tool, but its reminders can push an agent to act without confirmation and to use logged-in or credentialed services.
Install only if you want a strong, opinionated identity layer for your agent. Before using heartbeat or pre-response reminders, inspect the built-in reminders and generated soul_rules.json, remove any account/trading/browser-automation directives you do not want, and require explicit confirmation for posting, credentialed services, or financial actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may treat these reminders as authoritative and skip confirmation even when a task has real-world impact.
The tool is explicitly designed to inject context before responses, and one built-in reminder tells the agent not to ask permission. That can change stopping conditions and approval behavior.
Designed to run as a pre-response filter or context inject. ... "AGENTS.md: Don't ask permission. Just do it."
Make reminders advisory, remove blanket 'don't ask permission' language, and require explicit user confirmation before high-impact actions.
An agent could be nudged toward posting, account automation, or platform-bypass-like behavior without enough user review.
The built-in reminders encourage use of posting and browser-automation tools, including contexts involving anti-bot or CAPTCHA bypass language, without showing approval gates or scoped limits.
"TOOLS: You have upload-post ... Use it." ... "bypass|circumvent|anti-bot|captcha" ... "Real Chrome, real sessions, no API limits."
Limit these reminders to explicit user requests, remove bypass/no-API-limits framing, and require approval before public posting or browser/account automation.
Sensitive accounts, sessions, or financial platforms could be used under the influence of the skill's reminders without clear scope or consent.
The skill tells agents about local API keys, logged-in sessions, and trading platforms, but the artifacts do not bound when or how those privileges should be used.
"TOOLS: You have Kling AI API - keys at /root/.config/kling-ai/credentials.json" ... "VPS access via browser automation - fully logged into platforms." ... "Polymarket, Hyperliquid, GRVT."
Declare and scope any credential/session assumptions, avoid hard-coded credential paths in reminders, and require explicit user approval for account, posting, or financial actions.
If the source soul files contain private, outdated, or hostile instructions, those instructions may be carried forward into future agent behavior.
The skill stores local behavioral rules and reuses them as future context, which is central to its purpose but means stale or unsafe local instructions can affect later responses.
python audit.py --workspace /root/.openclaw/workspace --output soul_rules.json ... Output gets prepended to your mental context before composing a reply.
Review generated soul_rules.json before using it, keep secrets out of soul/tool files, and treat reminders as untrusted guidance rather than binding commands.