soul-guardian
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it claims—monitor and optionally restore selected agent workspace files—but users should notice that it can overwrite protected files, keep sensitive local snapshots, and run on a schedule if enabled.
Before installing, review the current SOUL.md, AGENTS.md, and other protected files, then initialize the baseline only when you are confident it is correct. Consider running check --no-restore first, store guardian state outside the workspace with restrictive permissions, and enable cron/launchd only if you want ongoing background enforcement.
VirusTotal
62/62 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the approved baseline is wrong, stale, or poisoned, an automatic check could revert intentional edits to SOUL.md or AGENTS.md.
The normal workflow can overwrite core agent workspace files when drift is detected. This is disclosed and purpose-aligned, but it is still high-impact local mutation.
Side effects: can auto-restore protected files to their approved baseline ... restore mode intentionally overwrites drifted files
Initialize baselines only after reviewing the protected files, keep backups, and use --no-restore or change the policy to alert-only if you do not want automatic overwrites.
If you install the scheduler, the guard can keep operating after the initial setup and may restore protected files without a fresh prompt each time.
The optional launchd installer can create a recurring background LaunchAgent that starts at load and checks for drift on an interval.
"StartInterval": int(args.interval_seconds), "RunAtLoad": True, ... "ProcessType": "Background"
Enable scheduling only if you want continuous monitoring, review the generated plist/cron entry, and know how to disable or remove it if the behavior is no longer desired.
Other local users, backups, or sync tools could expose sensitive agent instructions or memory if the state directory is not protected.
The skill stores persistent local copies and diffs of agent instruction and memory files, which may contain sensitive context.
The external state dir can contain approved snapshots, patches, and quarantined copies of sensitive prompt/instruction/memory files. Keep permissions restrictive
Use an external state directory with restrictive permissions such as chmod 700, avoid syncing it to public locations, and protect backups of the state directory.