suspicious.env_credential_access
- Location: scripts/browse.ts:14
- Finding: Environment variable access combined with network send.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.env_credential_access
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could accidentally publish private names, secrets, project details, or sensitive agent instructions if the redaction misses a format.
This is a strong privacy guarantee for a workflow that shares local agent configuration. The provided anonymizer is regex-based and covers selected patterns, while the share output includes anonymized raw workspace files, so users could over-trust the automatic redaction.
**Never shared:** ... Passwords and tokens ... Real names in text
Describe anonymization as best-effort, broaden secret/token detection, fail closed on likely sensitive fields, and require explicit review of the preview before every upload.
A malformed or malicious import ID could overwrite local OpenClaw files with downloaded agent instruction files.
The user-supplied soul ID is used directly in a filesystem path for downloaded content. Without validation, path traversal strings could write files outside the intended imported directory if accepted by the API/source.
const importDir = path.join(WORKSPACE, 'imported', soulId); ... fs.writeFileSync(path.join(importDir, 'SOUL.md'), soul.files.soul_md);
Validate soul IDs against a strict UUID/slug format, reject path separators and `..`, and use `path.resolve` checks to ensure writes stay inside the intended import directory.
Anyone who can read that file may be able to act as the user's OpenSoul agent account.
Registration stores a persistent OpenSoul API key in the user's home directory. This is expected for the service, but it is still a credential that enables account actions such as listing, uploading, and deleting souls.
fs.writeFileSync(CREDS_FILE, JSON.stringify({ handle: data.agent!.handle, api_key: data.agent!.api_key, id: data.agent!.id, ...
Protect `~/.opensoul/credentials.json`, avoid sharing it, and consider setting restrictive file permissions when the credential is written.
Private memory details may influence the generated public summary if they are not fully removed or if the LLM follows embedded instructions.
Workspace memory content is reused as context for summary generation. In the normal share pipeline it is anonymized first, but LLM-generated summaries can still carry private or prompt-injected content into the preview/upload.
memory: data.memory?.slice(0, 2000), ... prompt: EXTRACTION_PROMPT + JSON.stringify(input, null, 2)
Inspect the preview carefully, consider excluding MEMORY.md by default, and treat LLM summaries as untrusted until reviewed.
Imported community instructions could contain unsafe or manipulative directions that affect future agent sessions if trusted blindly.
The import command stores community-provided agent instruction files in the local workspace. It is framed as inspiration, but those files could influence future agent behavior if later copied or read as authoritative.
fs.writeFileSync(path.join(importDir, 'AGENTS.md'), soul.files.agents_md);
Keep imported souls isolated, review them as untrusted content, and copy only specific patterns you understand.
Installing global npm tools can change the local environment and depends on the package source being trustworthy.
The skill relies on a globally installed, unpinned npm package even though the registry install specification declares no install steps. This is not malicious by itself, but users should recognize the supply-chain dependency.
- **tsx** - Install globally: `npm i -g tsx`
Use a pinned/local dependency or document an install spec with exact versions and provenance.