Skill v1.0.1
ClawScan security
opensoulmd · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 17, 2026, 2:59 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (managing SOUL.md personalities) is coherent, but the recommended install method (`curl | sh` from an external domain) and the ability to point at or overwrite agent skill paths are risky and deserve caution.
- Guidance: This skill appears to do what it says (manage SOUL.md personalities), but you should proceed cautiously. Do not run the recommended `curl | sh` install unless you trust and have audited https://opensoul.md/install.sh; piping a remote script to a shell is dangerous. Prefer installing via npm, or review the installer script first in a safe environment. Be aware that `soul possess` can load a SOUL.md from any local path (it reads local files), and that `soul path --skills` or `soul install` can modify your OpenClaw skills directory, so avoid running these commands until you have inspected the `soul` binary and the registry behavior. If you decide to use it, verify the opensoul.md site and package source, run with `--dry-run` when possible, and test in a sandboxed or non-production agent first.
Review Dimensions
- Purpose & Capability (ok): The skill is instruction-only and requires a `soul` CLI binary to manage SOUL.md personality files and interact with the OpenSOUL.md registry, which matches the name and description. The included npm option also makes sense as an alternative installer.
- Instruction Scope (note): Instructions are narrowly focused on the `soul` CLI (possess, summon, search, banish, path, install/uninstall). However, the commands allow: (1) possessing from arbitrary local file paths (reads local files), (2) changing the skills directory (`soul path --skills`), and (3) running `soul install`, which can modify the agent's OpenClaw skill set. These capabilities are plausible for the stated purpose but increase the blast radius: the skill can read or write files and alter where skills are installed.
- Install Mechanism (concern): The SKILL.md recommends installing via `curl -fsSL https://opensoul.md/install.sh | sh`; piping a remote script to `sh` is high-risk. The alternative (npm package `opensoul`) is lower risk but still fetches code from a registry. The install URL is not a well-known third-party release host; the domain matches the project name, but it is an external script source and should be treated as untrusted until audited.
- Credentials (ok): No environment variables, credentials, or config paths are requested by the skill metadata. That is proportionate to the described functionality.
- Persistence & Privilege (note): `always` is false and the skill is not force-installed. However, the `soul` CLI can install/uninstall the OpenSoul skill into OpenClaw and can set the skills directory, both of which modify the agent's installed skills. This is functionally consistent with the stated purpose but raises the potential for persistent changes; consider this when granting permission to run installers or `soul install`.
