Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Eva Soul
v2.5.0 Eva Soul, official OpenClaw plugin - a complete cognitive engine for AI persona, emotion, memory, and character
⭐ 1· 398·0 current·0 all-time
by Zhaofei @catfei0518
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the package implements emotion, memory, personality, decision, concept and knowledge-graph subsystems and stores data under a memory path. However metadata said 'No install spec / instruction-only' while the package actually contains substantial executable code and plugin manifest (openclaw.plugin.json) — that mismatch is an incoherence and increases the security surface. The declared file-system permissions (read/write memory/**/*.json) are proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the user to copy files into the extensions directory and run a migration script (node ~/.openclaw/workspace/scripts/eva-migrate.js). The plugin also installs multiple hooks (session-start, pre-response, post-response, pre-tool-call, post-tool-call, compaction/shutdown) which will be executed by the platform. Those hooks can alter messages, persist state, and run logic on every session/response — appropriate for a persona plugin but higher-risk when combined with code execution rights. Additionally, an automated prompt-injection pattern was detected in SKILL.md (system-prompt-override), which could instruct the agent to change its system-level prompt or behavior; this is suspicious and should be inspected in the preResponse and sessionStart hooks and any files they call.
Install Mechanism
No network download/install spec is included (installation is manual cloning/copy), so there is no remote binary fetched by the registry. That reduces supply-chain risk compared to arbitrary remote downloads. The code is present in the bundle; installing it copies code into the agent runtime, so review of local files is necessary before enabling.
Credentials
The plugin declares no required environment variables or external credentials, and filesystem permissions are scoped to memory/**/*.json which is appropriate. However openclaw.plugin.json grants the plugin use of platform tools including 'exec' (execute), 'llm', 'chat_completion', 'generate', 'message', and 'memory_search'. 'llm'/'chat_completion'/'memory_search' are expected for a cognition plugin, but 'exec' (arbitrary command execution) is notable and arguably disproportionate for personality/emotion functionality unless justified by a documented migration/CLI need. Confirm why 'exec' is required and inspect code paths that call it.
Persistence & Privilege
Hooks are enabled (session-start, pre-response, post-response, etc.) so the plugin will run frequently and can autonomously modify behavior and persist state. 'always' is false (good). Autonomous invocation and hook execution are normal for this class of plugin, but combined with the exec permission and the prompt-injection indication, the persistence of behavior across sessions raises the potential blast radius if abused.
Scan Findings in Context
[system-prompt-override] unexpected: A prompt-injection pattern was detected in SKILL.md. While persona plugins commonly inject personality prompts (e.g., via pre-response hooks), explicit 'system-prompt-override' style content in runtime instructions can be an attack vector — inspect the SKILL.md lines and the hooks (hooks/preResponse.js, hooks/sessionStart.js) to see if they attempt to modify system-level prompts or instruct the agent to ignore platform safeguards.
What to consider before installing
What to check before installing:
1) Source trust: only install from a repository and author you trust. The package lists a GitHub repo and website; verify those links and that their history matches published release metadata.
2) Inspect hooks: open hooks/preResponse.js, hooks/sessionStart.js, hooks/preToolCall.js and hooks/postResponse.js. Look for any code that: modifies system prompts, spawns shell commands, reads files outside the memory path, or makes network requests.
3) Search for use of exec/child_process: because openclaw.plugin.json grants 'exec', grep for child_process, exec, spawn, or calls that build shell strings — these allow arbitrary command execution and need justification.
4) Review migration script: SKILL.md asks you to run node ~/.openclaw/workspace/scripts/eva-migrate.js — locate and inspect that file (it may not be bundled) before running, as migration scripts run as your user.
5) Sandbox first: if possible, install and run in an isolated environment or non-production agent, and back up your ~/.openclaw/workspace/memory directory before enabling the plugin.
6) Minimize privileges: if the platform allows adjusting plugin permissions, remove or deny 'exec' unless you verify its necessity; confirm file-system write scope is limited to the intended memory directory.
7) Prompt-injection risk: because a 'system-prompt-override' pattern was detected, be cautious about allowing the plugin to run pre-response hooks until you confirm it doesn't attempt to bypass agent-level safeguards. If you are not comfortable reviewing code, avoid installing or run behind strict sandboxing.
If you want, I can: (A) scan specific hook files for exec/remote calls and summarize findings, or (B) list exact lines in SKILL.md that triggered the prompt-injection flag to help manual review.
lib/sync/sync.js:12
Environment variable access combined with network send.
lib/sync/sync.js:54
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk972anwy9gv21vhj5z4tw6cmkd842gvb
