Back to skill

Security audit

MakeSoul Skill

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is not automatically executing code, but it gives misleading security assurances while asking users to send a sensitive agent key to a remote service.

Review carefully before installing. Treat the MakeSoul private key as a password for the remote service, not as a local-only encryption secret. Avoid using sensitive agent state, private memories, credentials, or regulated data with this skill unless the publisher corrects the documentation and provides a safer authentication model with clear network, privacy, logging, rotation, and public-sharing controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The manifest explicitly claims agent private keys are generated locally and 'never transmitted,' but the documented authentication scheme requires sending the private key in the request body or X-Private-Key header to remote API endpoints. This is a material security contradiction because it can mislead users and integrators into treating the skill as zero-exposure when the service actually receives the secret used for authentication and possibly encryption key derivation.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The manifest markets the skill as providing 'encrypted local backup,' 'local_only' private key handling, and 'zero-knowledge,' yet the endpoint list shows remote backup, restore, file retrieval, and registration APIs that handle full agent content. These claims can cause users to disclose sensitive SOUL/IDENTITY/USER/MEMORY content under false assumptions about data locality and provider visibility, which is especially dangerous given the persistence and identity-focused nature of the skill.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The manifest states 'internet: false' while the skill is entirely built around HTTPS API endpoints such as registration, login, backup, restore, and community publishing. This mismatch can bypass user expectations, policy gates, or sandbox decisions that rely on manifest metadata to determine whether network access is required or allowed.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation makes a strong security claim that the private key is never sent to remote servers, yet later instructs users to send that same key to makesoul.org in request headers and even request bodies. This contradiction can mislead users into treating the key as local-only material, increasing the chance of unsafe handling, credential reuse, and full agent-account compromise if the key is logged, intercepted, or exposed server-side.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill supports publishing an agent's soul and public file access, but the manifest does not provide a strong, explicit warning that these actions can expose agent identity, preferences, tools, and other content to the community. In this context, the omission is meaningful because the skill manages persistent agent state and user-associated content, making accidental disclosure more likely and more harmful.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples normalize sending a long-lived private key in an HTTP header without prominently warning that such credentials may be captured in client history, debug logs, reverse proxies, API gateways, browser tooling, and observability systems. Because this header appears to grant authority over agent creation and management, exposure can enable unauthorized updates, deletions, restores, or impersonation.

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal