OpenSoul - Agent Soul Sharing and Community

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly aligned with sharing OpenClaw setups, but it handles sensitive workspace data and imported remote instruction files with guardrails that are too weak for automatic approval.

Install only if you are comfortable reviewing an anonymized snapshot of your OpenClaw setup before publishing it. Always run `opensoul share --preview`, inspect the exact output, keep `~/.opensoul/credentials.json` private, avoid remote `OLLAMA_URL` values, and treat imported community files as untrusted reference material rather than instructions to follow automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Severity: Medium. Confidence: 97%.
The script claims to anonymize JSON provided on stdin, but it also reads USER.md and IDENTITY.md from the local OpenClaw workspace to extract names. This expands the data sources beyond what the caller supplied and can disclose or process additional local personal information without explicit user awareness, violating least-privilege and creating privacy risk if the output is shared externally.

Intent-Code Divergence

Severity: Medium. Confidence: 95%.
The header comment states the tool only reads JSON from stdin and writes anonymized JSON to stdout, but the implementation also reads local workspace files. This mismatch is security-relevant because operators and downstream tooling may trust the script as stdin-only, causing unintended local data access and making privacy-sensitive behavior harder to detect or review.

Description-Behavior Mismatch

Severity: High. Confidence: 92%.
This script implements destructive remote deletion functionality even though the skill is described as only sharing anonymized configurations and discovering community examples. That scope mismatch is dangerous because users or higher-level agents may grant trust based on the manifest and unintentionally invoke data-destructive behavior against a remote service.

Context-Inappropriate Capability

Severity: High. Confidence: 94%.
The code sends an authenticated DELETE request to a remote API, enabling permanent deletion of OpenSoul data unrelated to the advertised share/discover use case. In agent ecosystems, unjustified remote state-changing capabilities increase the risk of abuse, prompt confusion, or accidental destructive actions when a user expects read/share-only behavior.

Description-Behavior Mismatch

Severity: Medium. Confidence: 97%.
The extractor emits full contents of sensitive workspace documents such as SOUL.md, AGENTS.md, IDENTITY.md, MEMORY.md, HEARTBEAT.md, and TOOLS.md directly to stdout. Despite the skill claiming to share anonymized OpenClaw configurations, this behavior can disclose prompts, personal profile data, operational instructions, memories, secrets, or other sensitive local context, and stdout is often piped into logs or network upload steps.

Description-Behavior Mismatch

Severity: Low. Confidence: 80%.
The skill enumerates all local skills and extracts their descriptions from each SKILL.md, which broadens data collection beyond the user's immediate configuration summary. While descriptions are less sensitive than full files, they can still reveal installed capabilities, internal workflows, or private integrations that a user may not expect to share.

Vague Triggers

Severity: Medium. Confidence: 81%.
The activation text is broad enough to match generic requests about sharing setups, discovering workflows, or getting inspiration, which could invoke a skill that reads extensive local workspace data and communicates with a remote service. In this context, overbroad triggering increases the chance of accidental invocation of sensitive actions without the user specifically asking for data extraction or upload.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The share path directly executes an extract → anonymize → summarize → upload pipeline without any mandatory user-facing warning or consent step in the execution path. In a skill explicitly designed to publish workspace-derived data, this increases the risk of accidental exfiltration of sensitive local configuration, prompts, secrets, or metadata if anonymization is incomplete or misunderstood.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The `/suggest` endpoint explicitly accepts `current_capabilities`, `current_use_cases`, and `current_skills` derived from the user's current workspace, but the API reference provides no warning that this data is transmitted to an external service or may reveal potentially sensitive operational details. In a skill whose purpose is sharing agent setups with a community, omission of privacy and consent guidance increases the risk of inadvertent disclosure of internal tooling, workflows, or security-relevant configuration metadata.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The script collects data from the workspace and user profile area and prints it to stdout with no in-band notice, preview, or confirmation mechanism. In practice, stdout may be consumed by automation, logged, or sent upstream, so silent export of local state creates a meaningful data exfiltration risk, especially for a feature marketed as anonymized sharing.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The script transmits user-supplied handle, name, and description to a remote service during registration, but it does not clearly warn the user that this data is being sent off-host or describe the destination beyond code-level details. In a CLI that markets sharing/anonymized configurations, the lack of explicit privacy notice or consent can lead to unintended disclosure of identifying metadata.

Missing User Warnings

Severity: Medium. Confidence: 97%.
This code sends workspace-derived metadata (`toolNames`, inferred use cases, and skill names) to a remote Supabase endpoint without any explicit consent prompt or prominent warning at the point of transmission. Even if the description says configurations are anonymized, the transmitted data can still reveal sensitive operational details about the user's environment, installed skills, and capabilities, which may expose internal tooling or behavioral patterns.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The script sends potentially sensitive workspace contents to an HTTP service at OLLAMA_URL for summarization without explicit consent, warning, or validation of where that endpoint points. Although intended for a local Ollama instance, the URL is environment-configurable, so data could be transmitted to a non-local or intercepted service and expose agent configuration, memory, tools, cron jobs, and other sensitive metadata.

Missing User Warnings

Severity: Medium. Confidence: 90%.
This code posts stdin-derived content and multiple raw file fields to a remote API, relying on prior anonymization but performing no local validation, confirmation, or redaction check before transmission. In the context of a sharing tool for agent configurations, users may accidentally upload sensitive prompts, memory snippets, tool definitions, or identifiers if upstream sanitization is incomplete or bypassed.

VirusTotal

66/66 vendors flagged this skill as clean.