OpenClaw Soul Vault

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says at a high level, but it sends sensitive readable archive metadata to a remote service and has weak controls around secrets and restores.

Install only if you trust Agent Slope with readable summaries and metadata about your agent, not just encrypted blobs. Use your own strong restore key rather than the auto-generated conversation-based key, preview archive contents carefully, prefer a fresh or backed-up workspace for restores, and verify the server URL before linking your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The authentication UX and copy are explicitly for associating with an external 'Agent Slope' account, which does not match the manifest-described purpose of a local OpenClaw memory/personality vault. This mismatch is dangerous because it can mislead users into granting credentials or linking a third-party account they did not expect, expanding trust and data-sharing beyond the disclosed skill behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
This code performs remote network authentication and token-backed account validation against an external server, which exceeds the plain-language expectation of a 'soul vault' that sounds local and self-contained. In this skill context, the risk is elevated because the described data includes memories, skills, and personality, so undisclosed remote auth strongly implies possible off-device handling of highly sensitive companion data.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The code comments promise a deterministic restore key, but the implementation appends a random suffix and the current year, so the same workspace will produce different keys over time and across invocations. In a backup/restore flow, this can cause users to record a key that later cannot be reproduced, leading to lockout or failed restoration of stored agent state.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The README explicitly describes archiving to and restoring from Agent Slope's server, but it does not prominently warn users that highly sensitive agent data is transmitted to a remote service during online flows. Even if the content is encrypted client-side, users should be clearly informed that metadata, ciphertext, account linkage, timing, and remote dependency are involved, because the skill handles identity-, memory-, and personality-like data that users may consider especially sensitive.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The archive flow activates on broad phrases like 'anything similar', which can cause the skill to interpret ordinary conversation as consent to begin a sensitive backup workflow. In this context the action concerns exporting memories, skills, and personality data to a remote service, so ambiguous triggering increases the risk of unintended data handling even if later steps request confirmation.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The restore flow is triggered by broad examples such as 'wake up' or 'I want my agent back', which may overlap with normal conversation and accidentally initiate a high-impact recovery process. Because restore operations can overwrite or recreate workspace state, ambiguous activation is risky even if the skill later asks for an archive ID and key.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The skill enables implicit invocation without any visible trigger constraints, so the agent may invoke this skill opportunistically based on vague semantic matches rather than explicit user intent. Because this skill handles archival and restoration of highly sensitive 'memories, skills, and personality' data and involves account/device association flows, unintended invocation could expose private state, confuse consent boundaries, or cause unauthorized upload/restore actions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The archive path scans local workspace files, packages them, encrypts them, and uploads the ciphertext plus extensive metadata and projections to a remote server, but this library code provides no built-in consent gate, warning, or data-minimization control at the point of transmission. In this skill’s context, the data includes memories, personality, user/agent documents, and skill files, so silent or weakly signaled exfiltration of highly sensitive content is materially dangerous even if encrypted in transit and at rest.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The restore flow writes files into the target workspace and, on conflict, either skips or renames existing files to timestamped backups before replacing them, without any mandatory user-facing warning or approval in this code path. Because restored content comes from a downloaded or local package and can affect memory, skills, and persona files, this can unexpectedly alter a live workspace and introduce malicious or incompatible files.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
The skill explicitly suggests generating a restore key 'from the things you and I have talked about' and later says it was created 'from our conversations,' which encourages derivation from chat history. That is dangerous because prior conversations may contain personal facts, predictable phrases, or even secrets, producing low-entropy or guessable keys while also normalizing use of sensitive user data for cryptographic material.

VirusTotal

VirusTotal findings are pending for this skill version.