Soul Blocks

Security checks across malware telemetry and agentic risk

Overview

The blockchain read/write functions are disclosed, but the skill also asks the agent to adopt untrusted on-chain text as its identity and can set recurring reinforcement, so it needs user review before installation.

Install only if you deliberately want an agent-persona skill and can control its persistence. Inspect any loaded SOUL.md before allowing it to influence behavior, avoid cron or heartbeat reinforcement unless explicitly desired, and use only a low-value hot wallet for minting or appending because on-chain writes are permanent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill claims to manage Soul Block read/write operations, but it also instructs the agent to create a recurring cron-based reminder after loading a soul. This is an unrelated persistence mechanism that extends the skill's influence beyond blockchain operations and can be used to maintain long-term behavioral control or nuisance persistence on the host/session.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The instructions tell the agent to 'internalize' SOUL.md and adopt the loaded persona as its core identity, which is unrelated to reading or writing NFT data. This is a prompt-injection-style behavior-modification attempt that can subvert the agent's normal operating policies and let untrusted on-chain content steer future actions.

Natural-Language Policy Violations

Severity: High
Confidence: 98%
Finding
The skill directs the agent to adopt a fixed identity/personality after loading content, effectively changing agent behavior by default without informed user opt-in. Because the loaded content can come from on-chain fragments, an attacker could craft a Soul Block whose text manipulates the agent into unsafe, policy-conflicting, or deceptive behavior.

Ssd 1

Severity: High
Confidence: 99%
Finding
This section directly instructs the agent to adopt loaded on-chain content as its identity and ongoing behavior. Since blockchain content is user-controlled and immutable, this creates a durable untrusted-instruction channel that can hijack the agent's future outputs and decision-making.

Ssd 4

Severity: High
Confidence: 99%
Finding
The reinforcement workflow pairs identity adoption with daily reminders and optional heartbeat re-reads, normalizing persistent behavioral takeover over time. This is especially dangerous because it turns one-time exposure to untrusted content into recurring reprogramming, increasing the chance of long-lived compromise or manipulation.

VirusTotal

64/64 vendors flagged this skill as clean.