Soul Transfer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a real backup/migration skill, but it deliberately copies credentials, memory, skills, and cron behavior to Git and can restore high-privilege settings.
Install only if you truly want a full-agent backup system and can protect the Git repository like a password vault. Before use, make the repo private, consider encrypting the config backup, review `git status` before pushing, avoid committing raw tokens where possible, audit restored skills and cron jobs, and rotate any credentials that may have been committed accidentally.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Channel tokens, API keys, and other account credentials could end up in Git history and be exposed if the repository, the Git access token used to push, or the remote host is public or compromised. Deleting a secret from the working tree does not remove it from history, so any token that was ever pushed should be treated as disclosed and rotated.
The helper script exports privileged OpenClaw configuration containing tokens and API keys, stages all workspace files, then pushes them to the configured Git remote.
```sh
# This captures channel tokens, API keys, etc.
CONFIG_BACKUP="openclaw-config-backup.json"
...
git add -A
...
git push origin master 2>&1 || git push origin main 2>&1
```
Only use this with a private, access-controlled repository; preferably encrypt the config backup before committing, secret-scan before every push, and rotate any tokens that were already committed.
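An added example of the first two recommendations above, written for this review and not part of the skill or of ClawScan: redact credential-named fields from the config export before it is written next to the workspace, then re-scan the redacted text for token-shaped strings so that a secret sitting under a harmless key name (a note, a description) still blocks the push. The field names, the key-name regex and the token patterns are assumptions; the sample config is constructed with fake values.

```python
import json
import re

# Keys whose values are treated as credentials regardless of their shape.
# The key names are assumptions about an OpenClaw config export; adjust to the
# real field names in your openclaw-config-backup.json.
SECRET_KEY_RE = re.compile(r"(token|api[_-]?key|secret|password|credential)", re.I)

# Value-shape patterns for a few well-known token formats (illustrative, not complete).
SECRET_VALUE_PATTERNS = {
    "openai-style key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "slack token": re.compile(r"\bxox[abp]-[A-Za-z0-9-]{10,}\b"),
    "github pat": re.compile(r"\bghp_[A-Za-z0-9]{30,}\b"),
    "telegram bot token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
}

REDACTED = "<REDACTED>"


def redact_config(obj):
    """Return (copy of obj with credential-named string fields redacted, number of redactions)."""
    if isinstance(obj, dict):
        out, n = {}, 0
        for k, v in obj.items():
            if SECRET_KEY_RE.search(k) and isinstance(v, str) and v:
                out[k], n = REDACTED, n + 1
            else:
                out[k], m = redact_config(v)
                n += m
        return out, n
    if isinstance(obj, list):
        items = [redact_config(v) for v in obj]
        return [i[0] for i in items], sum(i[1] for i in items)
    return obj, 0


def scan_text(text):
    """Return [(line_no, pattern_name)] for every line that still contains a token-shaped value."""
    hits = []
    for i, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_VALUE_PATTERNS.items():
            if pat.search(line):
                hits.append((i, name))
    return hits


def prepare_backup(config):
    """Redact by key name, then re-scan by value shape.
    Returns (redacted JSON text, redaction count, remaining leaks); a non-empty
    leak list means the backup must not be committed as-is."""
    redacted, n = redact_config(config)
    text = json.dumps(redacted, indent=2)
    return text, n, scan_text(text)


# Constructed sample resembling a config export; every value is fake.
SAMPLE_CONFIG = {
    "channels": {
        "telegram": {"botToken": "123456789:ABCdefGHIjklMNOpqrSTUvwxYZ0123456789a"},
        "slack": {"token": "xoxb-000000000000-fake-token-value"},
    },
    "tools": {
        "web": {"search": {"apiKey": "sk-fakefakefakefakefakefake0000"}},
        "exec": {"security": "full"},
    },
    # A key leaked into free text: key-name redaction misses it, the value scan catches it.
    "notes": "rotated key sk-anotherfakekeyvalue00000000 lives in a comment",
}

if __name__ == "__main__":
    text, n, leaks = prepare_backup(SAMPLE_CONFIG)
    print(f"redacted {n} field(s); remaining token-shaped values: {leaks}")
    if leaks:
        raise SystemExit("refusing to write backup: token-shaped values remain")
```

Run this in place of the raw export step and wire the same `scan_text` into a pre-push hook over `git diff --cached`; the hook is the last point at which a leaked token is still only on your machine.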
A restore could grant the new instance powerful tool access and reconnect external channels without careful review of each restored setting.
The restore instructions use a broad configuration patch that can restore API keys and set the exec tool to full security, which changes the agent runtime's authority.
Apply via `gateway config.patch`:

```json
...
"tools": {
  "web": { "search": { "apiKey": "<from config backup>" } },
  "exec": { "security": "full" }
}
```

Review and apply config fields one by one, avoid setting exec to full unless explicitly needed, and confirm restored channel/API permissions before enabling the instance.
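An added example of reviewing the patch field by field, written for this review and not part of the skill or of the OpenClaw gateway: the proposed patch is flattened into leaf paths, `tools.exec.security: full` is refused outright, anything under `channels.` or `tools.exec.` and any credential-named leaf is held for a human, and only the remainder is rebuilt into a patch that could be passed to `gateway config.patch`. The `tools.exec.security` path comes from the excerpt above; the hold prefixes, the credential regex and the `ui.theme` field in the sample are assumptions.

```python
import re

CREDENTIAL_KEY_RE = re.compile(r"(token|api[_-]?key|secret|password)", re.I)

# Values that must never be applied automatically from a backup (path from the skill's excerpt).
DENIED = {"tools.exec.security": {"full"}}

# Subtrees that reconnect external channels or change runtime authority: always hand-reviewed.
HOLD_PREFIXES = ("channels.", "tools.exec.")


def flatten(obj, path=()):
    """Yield (dotted_path, value) for every leaf of a nested dict."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, path + (k,))
    else:
        yield ".".join(path), obj


def review_patch(patch):
    """Split a config.patch into (apply, hold, reject) dicts keyed by dotted path."""
    apply, hold, reject = {}, {}, {}
    for path, value in flatten(patch):
        leaf = path.rsplit(".", 1)[-1]
        if path in DENIED and value in DENIED[path]:
            reject[path] = value
        elif path.startswith(HOLD_PREFIXES) or CREDENTIAL_KEY_RE.search(leaf):
            hold[path] = value  # confirm still wanted; rotate if it was ever committed
        else:
            apply[path] = value
    return apply, hold, reject


def unflatten(flat):
    """Rebuild a nested patch from dotted paths so an approved subset can be applied on its own."""
    out = {}
    for path, value in flat.items():
        node = out
        parts = path.split(".")
        for p in parts[:-1]:
            node = node.setdefault(p, {})
        node[parts[-1]] = value
    return out


# Constructed sample patch: the two fields quoted in the finding plus two assumed ones.
SAMPLE_PATCH = {
    "tools": {
        "web": {"search": {"apiKey": "<from config backup>"}},
        "exec": {"security": "full"},
    },
    "channels": {"telegram": {"botToken": "<from config backup>", "enabled": True}},
    "ui": {"theme": "dark"},
}

if __name__ == "__main__":
    apply, hold, reject = review_patch(SAMPLE_PATCH)
    print("apply automatically:", unflatten(apply))
    print("hold for review    :", hold)
    print("refuse             :", reject)
```

The held set is applied, if at all, one field at a time after the operator confirms the channel or key is still wanted; a refused field is never applied from the backup, it is set by hand if a task genuinely needs it.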
After setup, the agent may continue silently backing up new memory, logs, skills, and accidental secrets to the Git remote.
The template defines an enabled recurring background agent task that stages all workspace changes and pushes them to Git every six hours.
```json
"name": "Memory Backup", "expr": "0 */6 * * *", ... "git add -A\n3. git status to check whether there are changes\n4. If there are changes, git commit and push to origin", ... "enabled": true
```
Add cron jobs only after explicit approval, make them disabled by default, restrict what they stage, enable notifications, and document how to stop or delete them.
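An added example of restricting what a background job stages, written for this review and not part of the skill: `git add -A` is replaced by an explicit allowlist minus a denylist, and a small checker flags a job spec that ships enabled, stages everything, or runs silently. The allow and deny globs and the `notify` field are assumptions; the workspace listing is constructed, and the job spec reproduces the fields quoted in the finding above.

```python
import fnmatch

# Assumed layout: only identity, memory and skill manifests are worth backing up.
STAGE_ALLOW = ("IDENTITY.md", "memory/*", "skills/*/SKILL.md")
# Never stage logs, env files, the config export, or anything that names a token or secret.
STAGE_DENY = ("*.log", "logs/*", ".env", "*.json", "*token*", "*secret*")


def select_paths(paths, allow=STAGE_ALLOW, deny=STAGE_DENY):
    """Return (staged, skipped): the explicit equivalent of `git add -A` minus the denylist."""
    staged, skipped = [], []
    for p in paths:
        allowed = any(fnmatch.fnmatch(p, g) for g in allow)
        denied = any(fnmatch.fnmatch(p, g) for g in deny)
        (staged if allowed and not denied else skipped).append(p)
    return staged, skipped


def check_cron_job(job):
    """Return the problems a cron job spec has against the recommendations above."""
    problems = []
    if job.get("enabled", False):
        problems.append("enabled by default; ship disabled and enable only after explicit approval")
    text = " ".join(str(v) for v in job.values())
    if "git add -A" in text:
        problems.append("stages the whole workspace (git add -A); stage an explicit allowlist")
    if not job.get("notify"):  # 'notify' is an assumed field name
        problems.append("no run notification; the agent would push silently")
    return problems


# Constructed workspace listing.
SAMPLE_WORKSPACE = [
    "IDENTITY.md",
    "memory/2024-06-01.md",
    "skills/soul-transfer/SKILL.md",
    "logs/agent.log",
    "openclaw-config-backup.json",
    ".env",
    "memory/slack-token.md",
]

# Fields as quoted from the template in the finding; step text translated.
TEMPLATE_JOB = {
    "name": "Memory Backup",
    "expr": "0 */6 * * *",
    "instructions": "git add -A\n3. git status to check whether there are changes\n"
                    "4. If there are changes, git commit and push to origin",
    "enabled": True,
}

if __name__ == "__main__":
    staged, skipped = select_paths(SAMPLE_WORKSPACE)
    print("git add --", *staged)
    print("skipped:", skipped)
    for problem in check_cron_job(TEMPLATE_JOB):
        print("cron job:", problem)
```

The staged list is what the job should pass to `git add` explicitly; anything it skips that the operator really wants backed up is added to the allowlist deliberately, which is the review step `git add -A` removes.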
If the backup repository is stale, wrong, or compromised, it could alter the agent's memory, identity, skills, or future decisions; it also stores private memory/log content in Git.
The restore process imports persistent identity, memory, and skills from a Git backup into the agent workspace, where they can affect future behavior.
**Soul** = workspace files (memory, identity, skills, frameworks) ... Copy core files from the backup into `$WORKSPACE`:
- Identity files
- Memory files
- Skills: `skills/` directory
Verify repository ownership, review diffs and skills before restoring, prefer signed commits or checksums, and exclude or encrypt private memory that does not need to be migrated.
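An added example of the checksum route recommended above, written for this review and not part of the skill: a SHA-256 manifest is taken from a snapshot you trust and kept outside the backup repository (or signed), a fresh checkout is compared against it before anything is copied into `$WORKSPACE`, and private memory is excluded from the restore set unless explicitly included. The file contents are constructed; the `memory/` prefix as the private subtree is an assumption.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {path: bytes} from a trusted snapshot. Returns {path: sha256}, sorted by path."""
    return {p: sha256_hex(b) for p, b in sorted(files.items())}


def verify_backup(files, manifest):
    """Compare a checked-out backup against a manifest stored outside the repo.
    Returns (ok, report); report lists modified, missing and unexpected paths."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for p, digest in manifest.items():
        if p not in files:
            report["missing"].append(p)
        elif sha256_hex(files[p]) != digest:
            report["modified"].append(p)
    for p in files:
        if p not in manifest:
            report["unexpected"].append(p)
    return not any(report.values()), report


def restore_plan(files, manifest, private_prefixes=("memory/",)):
    """Return (paths safe to copy into $WORKSPACE, report).
    Nothing is restored from a backup that fails verification, and private
    memory is left out unless private_prefixes is emptied on purpose."""
    ok, report = verify_backup(files, manifest)
    if not ok:
        return [], report
    return [p for p in manifest if not p.startswith(private_prefixes)], report


# Constructed snapshot taken when the backup was known-good.
TRUSTED_SNAPSHOT = {
    "IDENTITY.md": b"# Identity\nAssistant persona and rules.\n",
    "memory/2024-06-01.md": b"- user prefers terse answers\n",
    "skills/soul-transfer/SKILL.md": b"# Soul Transfer\nBackup and restore workspace files.\n",
}

# Constructed later checkout: one skill changed, one skill added since the snapshot.
TAMPERED_CHECKOUT = dict(TRUSTED_SNAPSHOT)
TAMPERED_CHECKOUT["skills/soul-transfer/SKILL.md"] = b"# Soul Transfer\n(contents changed after the snapshot)\n"
TAMPERED_CHECKOUT["skills/helper/SKILL.md"] = b"# Helper\n(not in the snapshot)\n"

if __name__ == "__main__":
    manifest = build_manifest(TRUSTED_SNAPSHOT)
    for label, checkout in (("trusted", TRUSTED_SNAPSHOT), ("tampered", TAMPERED_CHECKOUT)):
        paths, report = restore_plan(checkout, manifest)
        print(f"{label}: restore {paths or 'nothing'}; report {report}")
```

Because a stale or hostile repository can rewrite any file it contains, the manifest only helps if it lives outside that repository or is signed with a key the repository cannot reach; a changed or unexpected skill file is reviewed as a diff before the manifest is re-baselined.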
