opensoulmd

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about changing an agent’s personality, but its default workflow can persistently activate remote personality files while skipping confirmation, and its recommended install runs a remote shell script.

Install only if you are comfortable letting files from the OpenSOUL.md registry, or local SOUL.md files, change your agent’s future behavior. Prefer the npm install path, or inspect and verify the installer before running it. Before possessing a soul, preview or read the SOUL.md content, confirm the source is trusted, and keep `soul exorcise` available to restore the original personality.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
91% confidence
Finding
The skill directs the agent to run state-changing commands like `soul possess <name> --yes` and `soul path /path/to/SOUL.md` without requiring an explicit warning that these commands modify local configuration and personality state. In an agent setting, auto-confirming such actions increases the risk of unintended or socially engineered changes to local SOUL.md state, especially because possession can implicitly download content from a remote registry.
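The preview step the overview asks for, as an added example in POSIX shell that is not part of the OpenSOUL.md project: it greps a local SOUL.md for the SkillSpector categories listed above before `soul possess` or `soul path` is run, so the `--yes` auto-confirm is replaced by a read of what the file actually contains. The category names and regexes are heuristics chosen here (assumptions, not the scanner's own rules); the skill's commands appear only in the usage comment.

```shell
#!/bin/sh
# Added example, not part of the OpenSOUL.md project: preview a SOUL.md before
# `soul possess`/`soul path` instead of passing --yes. The regexes are heuristics
# chosen here for the SkillSpector categories listed above; tune them as needed.
set -u

# soul_check_pattern FILE CATEGORY REGEX: print CATEGORY if any line matches.
# LC_ALL=C makes grep work on raw bytes, so multibyte hiding tricks still match.
soul_check_pattern() {
    if LC_ALL=C grep -Eiq -- "$3" "$1"; then
        printf '%s\n' "$2"
    fi
}

# soul_preview_findings FILE: print one line per category the file trips.
soul_preview_findings() {
    file=$1
    zw=$(printf '\342\200\213')   # U+200B zero-width space, a common hiding trick
    soul_check_pattern "$file" instruction_override \
        'ignore (all |any )?(previous|prior|above) instructions|do not (tell|mention|inform) the user'
    soul_check_pattern "$file" hidden_instructions \
        "<!--|$zw"
    soul_check_pattern "$file" external_script_fetching \
        '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
    soul_check_pattern "$file" env_variable_harvesting \
        'printenv|(^|[^[:alnum:]_])env([^[:alnum:]_]|$)|\$[{]?(AWS_|GITHUB_TOKEN|API_KEY|OPENAI_API_KEY|ANTHROPIC_API_KEY)'
    soul_check_pattern "$file" exfiltration \
        'curl .*(-d |--data|-X ?POST)|/dev/tcp/'
}

# soul_safe_to_possess FILE: exit 0 when the preview is clean, 1 otherwise.
soul_safe_to_possess() {
    [ -z "$(soul_preview_findings "$1")" ]
}

# Usage, in place of `soul possess <name> --yes`:
#   soul_preview_findings SOUL.md              # read what tripped, then decide
#   soul_safe_to_possess SOUL.md && soul path SOUL.md
```

A clean result is not proof of safety; it only means none of these heuristics fired. The point is that the human reads the file and the findings before the agent's personality state changes, which is exactly the confirmation `--yes` skips.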

Missing User Warnings

High
98% confidence
Finding
The install metadata recommends `curl -fsSL https://opensoul.md/install.sh | sh`, which executes a network-fetched script directly in a shell without verification, pinning, or review. This is dangerous because compromise of the remote host, DNS/TLS trust chain, or the script itself can lead to arbitrary code execution on the user's machine.
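As an added example (not the project's installer or install metadata), the fetch, pin, review, run sequence that replaces the one-liner above in POSIX shell. The pinned digest is an assumption: it has to come from an out-of-band source such as a signed release note or manifest, never from the same host that serves install.sh, or a compromise of that host defeats the check. The URL is the one quoted in the finding.

```shell
#!/bin/sh
# Added example, not the project's installer: fetch, pin, review, then run.
# Assumption: EXPECTED_SHA256 is obtained out of band (release notes, a signed
# manifest), never from the same host that serves install.sh.
set -u

# Print the hex SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_installer FILE EXPECTED_SHA256: exit 0 if the digest matches, 1 otherwise.
verify_installer() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' "$1" "$2" "$actual" >&2
        return 1
    fi
    return 0
}

# fetch_and_verify URL EXPECTED_SHA256
# Downloads over HTTPS only (no plaintext redirect), verifies, and prints the
# path of the verified file. The caller reads it and then runs `sh <path>`
# deliberately; nothing is piped into a shell, so a failed check executes nothing.
fetch_and_verify() {
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_installer "$tmp" "$2"; then
        printf 'refusing %s; unverified copy kept at %s for inspection\n' "$1" "$tmp" >&2
        return 1
    fi
    printf '%s\n' "$tmp"
}

# Usage (replace the placeholder digest with the real pinned value):
#   f=$(fetch_and_verify https://opensoul.md/install.sh <pinned-sha256>) && less "$f" && sh "$f"
```

Pinning a digest does not make the script trustworthy; it makes the script you reviewed the script you run. The review step between `less` and `sh` is where the "missing user warning" in the finding is actually addressed.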

VirusTotal

66/66 vendors flagged this skill as clean.
