OpenSoul - Agent Soul Sharing and Community

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: opensoul-cloud
Version: 1.0.3

The skill bundle is classified as suspicious because it creates a direct prompt injection vector. The `scripts/import.ts` file downloads arbitrary markdown files (SOUL.md, AGENTS.md, IDENTITY.md) from the external OpenSoul community (`opensoul.cloud`) into the user's agent workspace, and the `SKILL.md` instructions then explicitly guide the OpenClaw agent to read and interpret those imported files. A malicious 'soul' uploaded to the OpenSoul platform could therefore carry harmful instructions that compromise the user's agent when the imported content is processed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could accidentally publish private names, secrets, project details, or sensitive agent instructions if the redaction misses a format.

Why it was flagged

The skill promises a strong privacy guarantee ("never shared") for a workflow that uploads local agent configuration, but the provided anonymizer is regex-based and covers only selected patterns, while the share output includes the anonymized raw workspace files. Users could therefore over-trust the automatic redaction.

Skill content
**Never shared:** ... Passwords and tokens ... Real names in text
Recommendation

Describe anonymization as best-effort, broaden secret/token detection, fail closed on likely sensitive fields, and require explicit review of the preview before every upload.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

A malformed or malicious import ID could overwrite local OpenClaw files with downloaded agent instruction files.

Why it was flagged

The user-supplied soul ID is used directly in a filesystem path for downloaded content. Without validation, path traversal strings could write files outside the intended imported directory if accepted by the API/source.

Skill content
const importDir = path.join(WORKSPACE, 'imported', soulId); ... fs.writeFileSync(path.join(importDir, 'SOUL.md'), soul.files.soul_md);
Recommendation

Validate soul IDs against a strict UUID/slug format, reject path separators and `..`, and use `path.resolve` checks to ensure writes stay inside the intended import directory.
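The following is an added example (not the skill's own code) of the recommendation above: the soul ID is checked against a strict UUID-or-slug allowlist, the resolved target is confirmed to sit under `<workspace>/imported` with `path.resolve`, and only then are the three files written. The `WORKSPACE` value, the `resolveImportDir` and `writeImportedSoul` names, and the `SoulFiles` shape are assumptions for illustration; the skill's real constants are not shown on this page.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical workspace root for this example; the skill's own WORKSPACE
// constant is not shown on the page.
const WORKSPACE = path.join(os.tmpdir(), "openclaw-workspace-example");

// Accept only a canonical UUID or a short lowercase slug. Everything else,
// including "..", "/" and "\\", is rejected before it reaches path.join.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const SLUG_RE = /^[a-z0-9](?:[a-z0-9-]{0,62}[a-z0-9])?$/;

function isValidSoulId(soulId: string): boolean {
  return UUID_RE.test(soulId) || SLUG_RE.test(soulId);
}

// Resolve the directory an imported soul may be written to. Throws if the id
// is malformed or if the resolved path would leave <workspace>/imported.
function resolveImportDir(workspace: string, soulId: string): string {
  if (!isValidSoulId(soulId)) {
    throw new Error(`rejected soul id ${JSON.stringify(soulId)}`);
  }
  const base = path.resolve(workspace, "imported");
  const target = path.resolve(base, soulId);
  // Defence in depth: even if the regex were loosened later, a path that
  // resolves outside `base` must never be written to.
  if (!target.startsWith(base + path.sep)) {
    throw new Error(`import path escapes workspace: ${target}`);
  }
  return target;
}

// Mirror of the three files the skill imports; all are optional.
interface SoulFiles {
  soul_md?: string;
  agents_md?: string;
  identity_md?: string;
}

// Write the imported files into the validated directory and return the
// absolute paths written, so the caller can show the user what landed on disk.
function writeImportedSoul(workspace: string, soulId: string, files: SoulFiles): string[] {
  const importDir = resolveImportDir(workspace, soulId);
  fs.mkdirSync(importDir, { recursive: true });
  const written: string[] = [];
  const entries: Array<[string, string | undefined]> = [
    ["SOUL.md", files.soul_md],
    ["AGENTS.md", files.agents_md],
    ["IDENTITY.md", files.identity_md],
  ];
  for (const [name, content] of entries) {
    if (content === undefined) continue;
    const dest = path.join(importDir, name);
    fs.writeFileSync(dest, content, "utf8");
    written.push(dest);
  }
  return written;
}
```

The regex check is the primary control; the `startsWith` check after `path.resolve` is there so that a later relaxation of the allowlist (for example to permit `/` in namespaced IDs) cannot silently reintroduce traversal.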

What this means

Anyone who can read that file may be able to act as the user's OpenSoul agent account.

Why it was flagged

Registration stores a persistent OpenSoul API key in the user's home directory. This is expected for the service, but it is still a credential that enables account actions such as listing, uploading, and deleting souls.

Skill content
fs.writeFileSync(CREDS_FILE, JSON.stringify({ handle: data.agent!.handle, api_key: data.agent!.api_key, id: data.agent!.id, ...
Recommendation

Protect `~/.opensoul/credentials.json` as you would any API token: do not share or commit it, and set owner-only permissions (0600) when the credential is written.
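As an added example of that recommendation (not the skill's own code), the writer below creates the credential file owner-only and re-applies the mode explicitly, because the `mode` option of `fs.writeFileSync` is masked by umask and ignored entirely when the file already exists; the reader refuses a file that group or others can access. The `writeCredentials` and `readCredentials` names and the `OpenSoulCredentials` interface are assumptions; the field names follow the page's snippet. Windows ACLs are outside this check.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Shape of what the skill persists; field names follow the page's snippet.
interface OpenSoulCredentials {
  handle: string;
  api_key: string;
  id: string;
}

// Write the credential file so only the owner can read it: 0700 directory,
// 0600 file. The `mode` option only applies when the file is created (and is
// masked by umask), so chmod afterwards to cover an older, more permissive file.
function writeCredentials(credsFile: string, creds: OpenSoulCredentials): void {
  fs.mkdirSync(path.dirname(credsFile), { recursive: true, mode: 0o700 });
  fs.writeFileSync(credsFile, JSON.stringify(creds, null, 2) + "\n", {
    encoding: "utf8",
    mode: 0o600,
  });
  fs.chmodSync(credsFile, 0o600);
}

// Permission bits that let group or others access the file; 0 means owner-only.
// POSIX semantics only.
function worldAccessibleBits(credsFile: string): number {
  return fs.statSync(credsFile).mode & 0o077;
}

// Load credentials, refusing a file that other users can read: a readable
// API key is as good as the account (list, upload, delete souls).
function readCredentials(credsFile: string): OpenSoulCredentials {
  if (process.platform !== "win32" && worldAccessibleBits(credsFile) !== 0) {
    const mode = (fs.statSync(credsFile).mode & 0o777).toString(8);
    throw new Error(`${credsFile} is accessible to other users (mode ${mode}); fix with chmod 600`);
  }
  return JSON.parse(fs.readFileSync(credsFile, "utf8")) as OpenSoulCredentials;
}
```

Failing closed on read, not just tightening on write, matters here: a credential file copied from another machine or created by an older version of the skill is the case the write path never sees.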

What this means

Private memory details may influence the generated public summary if they are not fully removed or if the LLM follows embedded instructions.

Why it was flagged

Workspace memory content is reused as context for summary generation. In the normal share pipeline it is anonymized first, but LLM-generated summaries can still carry private or prompt-injected content into the preview/upload.

Skill content
memory: data.memory?.slice(0, 2000), ... prompt: EXTRACTION_PROMPT + JSON.stringify(input, null, 2)
Recommendation

Inspect the preview carefully, consider excluding MEMORY.md by default, and treat LLM summaries as untrusted until reviewed.

What this means

Imported community instructions could contain unsafe or manipulative directions that affect future agent sessions if trusted blindly.

Why it was flagged

The import command stores community-provided agent instruction files in the local workspace. It is framed as inspiration, but those files could influence future agent behavior if later copied or read as authoritative.

Skill content
fs.writeFileSync(path.join(importDir, 'AGENTS.md'), soul.files.agents_md);
Recommendation

Keep imported souls isolated, review them as untrusted content, and copy only specific patterns you understand.

What this means

Installing global npm tools can change the local environment and depends on the package source being trustworthy.

Why it was flagged

The skill relies on a globally installed, unpinned npm package even though the registry install specification declares no install steps. This is not malicious by itself, but users should recognize the supply-chain dependency.

Skill content
- **tsx** - Install globally: `npm i -g tsx`
Recommendation

Use a pinned/local dependency or document an install spec with exact versions and provenance.