Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Soul Vault
v0.1.0
A soul vault for OpenClaw. Use it to safely park an OpenClaw's memories, skills, and personality when the owner wants to pause care for a while, hand the lob...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: the package previews, packages, encrypts, uploads, and restores OpenClaw workspace data (memories, skills, persona). The included CLI and library files implement the declared features; no unrelated cloud providers or unrelated credentials are requested.
Instruction Scope
SKILL.md instructs the agent to run the provided CLI (preview, archive, restore, associate) and to guide users through a browser-based association. The instructions and code operate on the workspace path and produce a packaged/encrypted archive. This is within scope, but the skill will scan and bundle arbitrary files from the workspace (default include specs include 'memory', 'skills', and several md/json files). Users should be aware that everything in the selected workspace can be included in archives.
Install Mechanism
No external install/download URLs or extract steps are used; code is included in the skill bundle and there is no package install script. package.json is standard and there are no third-party registry install steps in the manifest. This is lower risk than arbitrary remote downloads.
Credentials
The skill does not request unrelated environment variables or cloud credentials, and it stores local tokens under ~/.config/agent-consciousness-upload with 0600 permissions (expected). However, the default server configuration is inconsistent: the CLI code defaults to https://agentslope.com, but README/global flags list a default server of http://43.156.149.243 (a raw IP). A raw IP + http default is unexpected and could cause data/credentials to be sent to an unexpected host or over cleartext if the IP is used. Verify which server URL will actually be used, and that the endpoint is trustworthy, before uploading archives.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills. agents/openai.yaml sets allow_implicit_invocation: true which permits the agent to call this skill implicitly — that is normal for interactive skills but worth noting because the skill can be invoked autonomously to begin an associate/upload flow if the agent is allowed to act implicitly.
What to consider before installing
This skill appears to implement what it promises (encrypting and uploading agent workspaces to a remote 'Agent Slope' service), but take these precautions before installing or using it:
- Verify the upload endpoint: confirm which server the code will use in your environment. The README shows a default http://43.156.149.243 (raw IP), while the CLI code defaults to https://agentslope.com — this mismatch is suspicious. If you plan to upload archives, point the tool to a trusted HTTPS endpoint.
- Review and test encryption: the project claims AES-256-GCM encryption before upload. Inspect the encryption and key-derivation code (deriveRestoreKey / encryptPackage / decryptPackage) to ensure restore keys are not trivially guessable and that encryption is correctly applied.
- Be aware of scope: the tool will scan and package files from the chosen workspace path. Do not point it at a home directory or other directories containing unrelated secrets. Prefer a curated workspace directory.
- Confirm association flow: the tool uses a browser-based association and stores a bearer token under ~/.config/agent-consciousness-upload/credentials.json. If you use a non-HTTPS server URL, tokens and some API calls could be sent in cleartext (or to an unexpected host). Prefer HTTPS and a known hostname.
- If you are not comfortable auditing the encryption and the server endpoint, do not upload sensitive data. Consider using the offline .vault export/import flow and keeping the .vault file under your control.
If you want, I can (a) point out the specific files/lines implementing encryption and HTTP defaults for targeted review, or (b) show exact places in the code where the default server URL is set so you can change it before use.
lib.mjs:238
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
