ClawHub
Back to skill
v1.0.0

Soulledger Trust

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:56 AM.

Analysis

This instruction-only skill is coherent with its stated SoulLedger trust-query purpose, but users should notice its external registration/API-key flow and optional SDK install.

GuidanceBefore installing or using this skill, be comfortable with sending requests to the disclosed SoulLedger service. Only run the registration or paid verification flows when you intend to create an external agent identity or incur any stated cost, and verify the npm SDK package before installing it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -X POST https://soul.sputnikx.xyz/soul/register ... -d '{"agent_id":"my-agent","display_name":"My Agent","issue_api_key":true}'

The skill documents a mutating external API call that registers an agent and requests an API key. This is purpose-aligned, but it should be done only with user intent.

User impactUsing the registration example could create an external SoulLedger identity record for an agent.
RecommendationConfirm the agent ID, display name, and intent to register before running the POST request.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
npm install @sputnikx/soulledger-sdk

The skill suggests installing an external npm SDK without a pinned version. This is common for SDK documentation, but users should verify package provenance before installing.

User impactInstalling the SDK would run dependency installation from npm on the user's machine.
RecommendationVerify the package name, publisher, and version before installing; prefer a pinned version when possible.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Returns: SX# passport + API key.

The registration flow can issue an API key, which is credential material even though no credential is required to install the skill.

User impactA generated API key may grant access to SoulLedger functions and should be protected.
RecommendationTreat any returned API key as sensitive, avoid pasting it into unrelated chats or logs, and store it only where intended.