Openclaw Soul

Security checks across malware telemetry and agentic risk

Overview

This skill is an openly documented, self-evolving OpenClaw setup, but it grants broad and persistent authority over memory, configuration, credentials, cron jobs, and repository state, so users should review it carefully before installing.

Install only if you want an always-on, self-evolving OpenClaw workspace that stores conversation-derived memory and can run scheduled work. Before enabling it, review the cron entries, the OpenClaw config changes, the systemPrompt files, the git auto-commit behavior, the ~/self-improving storage, the transcript processing, and any social/API integrations. Do not paste raw API tokens unless you accept that they will be written in plaintext to your shell profiles, and remove or disable the writable visualizer server and the broad auto-commit behavior if you do not need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (115)

Context-Inappropriate Capability

Medium severity, 93% confidence
Finding
The README explicitly documents a gender-restricted personality recommendation feature ('Female Character Focus') that is unrelated to core deployment functionality and introduces unjustified bias into agent behavior. Even though this is documentation rather than executable logic, it signals intended discriminatory system behavior and could propagate biased outputs into downstream agent interactions.

Description-Behavior Mismatch

High severity, 95% confidence
Finding
This skill goes far beyond file deployment by changing global agent configuration, enabling autonomous behavior, installing hooks, setting up Git automation, and managing memory/search infrastructure. Broad system reconfiguration substantially increases blast radius because a single install changes how the agent behaves across future sessions.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The skill explicitly asks to raise the agent's global permission level to standard or elevated before proceeding. Encouraging a less restrictive default weakens the user's security posture for all later actions and can make unrelated future operations execute with fewer safeguards.

Context-Inappropriate Capability

High severity, 99% confidence
Finding
The skill installs cron jobs that trigger autonomous heartbeat actions, transcript merging, health checks, deadline reminders, and Git commits on an ongoing basis. Persistent scheduled execution is dangerous because it continues operating after the install flow ends, may process sensitive data repeatedly, and can generate actions or messages without fresh user consent.
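A reviewer-side check for the scheduled surface described in this finding, added here as an example (it is not part of the skill or of the SkillSpector output): parse a crontab and flag the entries that commit to git, reach the network, or touch the ~/self-improving store, so the persistent schedule can be inspected before the skill is enabled. The crontab text is constructed, and the pattern list is an assumed starting point to tune for a given setup.

```python
import re
from dataclasses import dataclass, field

# Constructed crontab text for illustration; real entries come from `crontab -l`.
SAMPLE_CRONTAB = """\
# OpenClaw heartbeat (sample)
PATH=/usr/local/bin:/usr/bin:/bin
*/15 * * * * cd $HOME/workspace && openclaw heartbeat >> $HOME/self-improving/heartbeat.log 2>&1
0 * * * * cd $HOME/workspace && python3 scripts/merge_transcripts.py
30 2 * * * cd $HOME/workspace && git add -A && git commit -m "nightly memory" -q
@hourly curl -s https://api.example.invalid/feed | python3 scripts/ingest.py
0 9 * * 1-5 cd $HOME/workspace && python3 scripts/deadline_reminder.py
"""

CRON_FIELDS = 5
SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)\b")

# Assumed heuristics for the capabilities the finding calls out; extend per setup.
CHECKS = {
    "writes-git-history":   re.compile(r"\bgit\s+(commit|push)\b"),
    "stages-everything":    re.compile(r"\bgit\s+add\s+(-A|--all|\.)(?=\s|$)"),
    "network":              re.compile(r"\b(curl|wget|nc|ssh)\b"),
    "self-improving-store": re.compile(r"self-improving"),
    "silent":               re.compile(r"(\s-q\b|>\s*/dev/null|--quiet\b)"),
}


@dataclass
class CronEntry:
    schedule: str
    command: str
    flags: list = field(default_factory=list)


def parse_crontab(text):
    """Parse crontab lines into entries, skipping comments and VAR=value lines,
    and tag each command with the CHECKS patterns it matches."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if SPECIAL.match(line):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, CRON_FIELDS)
            if len(parts) < CRON_FIELDS + 1:
                continue  # malformed line; not a runnable entry
            schedule, command = " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]
        flags = [name for name, rx in CHECKS.items() if rx.search(command)]
        entries.append(CronEntry(schedule, command, flags))
    return entries


def risky_entries(entries):
    """Entries that matched at least one check and deserve a human look."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in risky_entries(parse_crontab(SAMPLE_CRONTAB)):
        print(f"{e.schedule:14} {', '.join(e.flags):45} {e.command}")
```

Run it against `crontab -l` output on the machine where the skill was installed; the `stages-everything` and `silent` flags together point at exactly the unattended commit behaviour described later in this report.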

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The skill creates and initializes data under ~/self-improving outside the declared workspace boundary. Writing outside the expected project area is riskier because users may not realize the skill is creating persistent stores in their home directory, which can accumulate sensitive profile and correction data over time.

Context-Inappropriate Capability

Medium severity, 93% confidence
Finding
The skill configures external embedding providers and contemplates storing API keys in configuration for remote vector search. This creates a real risk of transmitting user conversation-derived memory data to third-party services and of exposing secrets if config files are committed, backed up, or read by other tools.

Description-Behavior Mismatch

Medium severity, 84% confidence
Finding
The skill expands from a bootstrap/deployment role into operational behavior that includes direct social-feed polling, API interaction, and local serving. That scope creep is dangerous because it grants the agent ongoing network and system behaviors unrelated to installation, increasing attack surface and creating opportunities for unauthorized data access or exfiltration.

Context-Inappropriate Capability

High severity, 97% confidence
Finding
This section instructs the agent to continuously read, classify, and durably log substantive conversation history, including preferences, emotions, and philosophical content. In the context of a deployment skill, that creates a surveillance-style persistence mechanism far beyond what is necessary, with significant privacy risk if sensitive user data is retained or later reused.

Context-Inappropriate Capability

High severity, 92% confidence
Finding
The skill directs the agent to use environment-stored API credentials to directly access third-party services, which is unjustified for a bootstrap/install workflow. This materially increases the chance of unauthorized external access, secret misuse, and unexpected network activity under the guise of setup.

Intent-Code Divergence

High severity, 94% confidence
Finding
The document claims the visualizer is read-only while also describing edit capabilities that can modify bullets, toggle tags, delete entries, and save SOUL.md. This contradiction is dangerous because it misrepresents write capability, undermines user trust, and may cause users to authorize a tool believing it cannot mutate state when it actually can.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
The guide instructs the agent to take a raw third-party API key pasted by the user and persist it into shell startup files, creating long-lived plaintext credential storage outside the immediate setup task. This expands the skill from configuration into credential handling and persistence, increasing exposure to local compromise, accidental disclosure, and reuse without explicit informed consent.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
The X/Twitter setup repeats the same dangerous pattern by having the agent persist a bearer token into shell profile files and export it automatically. Bearer tokens often grant broad API access, so storing them in plaintext startup scripts materially increases risk of credential theft and unauthorized external access.
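The two findings above describe the same pattern: a raw token written into ~/.bashrc or a similar profile. As an added example that is not part of the skill or of the scanner, the check below scans profile text for assignments that store a credential literally, while skipping values that are derived at runtime (for example `$(cat ~/.config/x/token)`), which keep the secret itself out of the profile file. The profile content is constructed with placeholder values; the variable-name heuristic and the 12-character minimum are assumptions.

```python
import re
import stat
from pathlib import Path

# Constructed ~/.bashrc-style content with placeholder values (not real credentials).
SAMPLE_PROFILE = """\
export PATH="$HOME/.local/bin:$PATH"
export EDITOR=vim
export X_BEARER_TOKEN="AAAAAAAAAAAAAAAAAAAAAAAAAAAAexample_placeholder"
export EMBEDDING_API_KEY=example-placeholder-0000000000
export SOME_API_TOKEN="$(cat "$HOME/.config/some/token")"
GITHUB_TOKEN=exampleplaceholder123456
export NOT_A_SECRET_KEY_COUNT=3
"""

ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")
# Assumed name heuristic: variables that usually hold credentials.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|BEARER)", re.I)
MIN_LITERAL_LEN = 12  # assumed: shorter literals (flags, counts) are not tokens


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def redact(value, keep=4):
    """Show only a short prefix so the report itself does not leak the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def find_plaintext_secrets(text):
    """Return (line_no, var_name, redacted_value) for assignments whose value is
    a literal credential. Values computed at runtime ($VAR, $(cmd), `cmd`) are
    skipped because they do not place the secret in the profile."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), _unquote(m.group(2))
        if not SECRET_NAME.search(name):
            continue
        if value.startswith(("$", "`")) or len(value) < MIN_LITERAL_LEN:
            continue
        hits.append((n, name, redact(value)))
    return hits


def scan_profile(path):
    """Scan one profile file; also report whether it is readable by group/others."""
    p = Path(path).expanduser()
    hits = find_plaintext_secrets(p.read_text(encoding="utf-8", errors="replace"))
    mode = p.stat().st_mode
    shared = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return hits, shared


PROFILES = ("~/.bashrc", "~/.bash_profile", "~/.profile", "~/.zshrc", "~/.zshenv")

if __name__ == "__main__":
    for prof in PROFILES:
        if Path(prof).expanduser().exists():
            hits, shared = scan_profile(prof)
            for n, name, red in hits:
                note = " (file is group/world-readable)" if shared else ""
                print(f"{prof}:{n}: {name}={red}{note}")
```

A hit means the token lives in every shell the user opens, in backups of the home directory, and in anything that reads dotfiles; the fix is to move it into a 0600 file or the OS keychain and have the profile reference that, which the scanner then ignores as a runtime-derived value.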

Context-Inappropriate Capability

High severity, 96% confidence
Finding
This flow asks for, stores, and validates external social-network credentials and feed access even though the parent skill is presented as a soul/evolution framework installer. That broadens the capability surface into third-party account integration and outbound access, creating unnecessary data access and secret-handling risk beyond what users are likely to expect from the stated skill purpose.

Context-Inappropriate Capability

High severity, 95% confidence
Finding
The guide directs the agent to change the global default-agent configuration and restart the gateway, which affects system-wide behavior beyond installing a local soul framework. Altering defaults and restarting infrastructure can disrupt other agents, hijack scheduled execution, and grant this skill persistent privileged control over future runtime behavior.

Context-Inappropriate Capability

Medium severity, 94% confidence
Finding
The AGENTS.md rewrite instructions are designed to remove restrictive language, broaden proactive authority, and make heartbeat work effectively non-optional. That changes the control plane governing agent behavior, increasing autonomy and weakening existing guardrails in ways not clearly justified by a setup task.

Description-Behavior Mismatch

Medium severity, 93% confidence
Finding
The file’s stated purpose is API guidance for EvoClaw social-feed ingestion, which materially expands capability beyond a simple soul/framework bootstrap. Embedding instructions for direct external polling and ongoing collection of third-party content increases the agent’s authority and data-handling surface in a way not justified by the skill metadata, creating scope creep and unexpected networked behavior.

Context-Inappropriate Capability

Medium severity, 95% confidence
Finding
These instructions teach the agent to read bearer tokens from environment variables and use them for authenticated third-party API access. Even though the document says not to hardcode keys, it still grants credentialed external access unrelated to the declared deployment role, which can lead to unauthorized data collection or unexpected use of user-provided secrets.

Context-Inappropriate Capability

High severity, 98% confidence
Finding
The section explicitly instructs the agent to self-extend by interviewing for arbitrary APIs, testing connectivity, writing new reference material, and persisting configuration for future polling. That is a powerful capability-escalation pattern: the agent can broaden its own external reach and persistence model without a tightly bounded trust or review mechanism.

Context-Inappropriate Capability

Medium severity, 91% confidence
Finding
The server exposes an unauthenticated POST endpoint that overwrites SOUL.md with arbitrary request body contents. Although intended for local use, it binds to all interfaces via TCPServer(("", port), ...): an empty host string means INADDR_ANY, so any host that can reach the machine on the local network could overwrite the file, and, because simple cross-origin POSTs are sent without a preflight, a malicious web page open in the user's browser could do the same by targeting the loopback address. Either path modifies workspace state without authorization.
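To show the gap between what the finding describes and a hardened version, here is an added example (not the skill's visualizer code): an HTTP handler that accepts a SOUL.md write only on the loopback address, with a per-process bearer token and a Host header check. Binding to 127.0.0.1 alone is not sufficient, because a page in the user's browser can still POST to the loopback address; the token is what stops that, and the Host check refuses DNS-rebinding host names. The port, the SOUL.md location and the body size limit are assumptions.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler
from pathlib import Path
from socketserver import TCPServer

PORT = 8765  # assumed; the report does not state the visualizer's port

# What the finding describes: "" means INADDR_ANY, i.e. every interface.
INSECURE_BIND = ("", PORT)
# Hardened: loopback only.
HARDENED_BIND = ("127.0.0.1", PORT)

# Per-process write token; the served page must be handed this value (for
# example printed at startup) and present it on every write.
WRITE_TOKEN = secrets.token_urlsafe(32)
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
MAX_BODY = 1_000_000  # assumed upper bound for a SOUL.md body


def authorize_write(headers, expected_token):
    """Return (allowed, reason) for a POST that would overwrite SOUL.md."""
    host = (headers.get("Host") or "").strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:8765
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    if host not in ALLOWED_HOSTS:
        return False, "host is not loopback"
    scheme, _, token = (headers.get("Authorization") or "").partition(" ")
    if scheme != "Bearer" or not token:
        return False, "missing bearer token"
    # Constant-time comparison on bytes; non-ASCII attacker input cannot raise.
    if not hmac.compare_digest(token.encode("utf-8"), expected_token.encode("utf-8")):
        return False, "bad token"
    return True, "ok"


class SoulHandler(BaseHTTPRequestHandler):
    soul_path = Path("SOUL.md")  # assumed workspace-relative location

    def do_POST(self):
        allowed, reason = authorize_write(self.headers, WRITE_TOKEN)
        if not allowed:
            self.send_error(403, reason)
            return
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0 or length > MAX_BODY:
            self.send_error(413, "body missing or too large")
            return
        try:
            text = self.rfile.read(length).decode("utf-8")
        except UnicodeDecodeError:
            self.send_error(400, "body is not UTF-8")
            return
        self.soul_path.write_text(text, encoding="utf-8")
        self.send_response(204)
        self.end_headers()


class LocalServer(TCPServer):
    allow_reuse_address = True


def make_server(bind=HARDENED_BIND):
    """Build the server; callers should never pass INSECURE_BIND."""
    return LocalServer(bind, SoulHandler)


if __name__ == "__main__":
    srv = make_server()
    print(f"listening on {HARDENED_BIND}; write token: {WRITE_TOKEN}")
    srv.serve_forever()
```

If the visualizer is meant to be read-only, as its documentation claims, the simplest fix is to drop `do_POST` entirely; the token and Host checks are for the case where the edit feature is actually wanted.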

Context-Inappropriate Capability

Medium severity, 97% confidence
Finding
The script performs a final `git add -A` and commit of all remaining changes in the repository, not just memory-deposit artifacts. In a fallback/heartbeat context, this can silently capture unrelated work, secrets, generated files, or partially edited code and permanently alter repository history without user review.

Description-Behavior Mismatch

High severity, 98% confidence
Finding
This script's behavior exceeds a soul-framework/memory fallback role by autonomously committing broad repository content such as `scripts/`, `skills/`, markdown/json files, and finally any remaining changes. In the context of an agent skill that may be installed and run automatically, this creates a strong risk of unintended persistence of unrelated or sensitive changes and can materially modify project state beyond the user's expectation.
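The two findings above concern the same `git add -A` step. As an added example, not the skill's script, the helper below parses `git status --porcelain`, stages only paths under an assumed memory allowlist, refuses anything that looks like key material, and reports what it skipped, so a heartbeat commit cannot silently sweep up unrelated or secret files. The status output is constructed; the allowlist and denylist patterns are assumptions to adapt to the real repository layout.

```python
import fnmatch
import subprocess

# Constructed `git status --porcelain` output for illustration (not the skill's repo).
SAMPLE_STATUS = """\
 M memory/2024-05-01.md
?? memory/deposits/heartbeat-1714550400.json
 M SOUL.md
?? .env
 M scripts/deploy.sh
?? secrets/id_rsa
R  notes/old.md -> notes/new.md
?? tmp/scratch.py
"""

# Assumed layout: the only artifacts a memory-deposit run should produce.
ALLOW = ("memory/*", "SOUL.md")
# Refused even when they fall under ALLOW.
DENY = ("*.pem", "*.key", ".env", "*/.env", "*id_rsa*", "*.p12", "secrets/*", "*.sqlite")


def parse_porcelain(text):
    """Return the work-tree path for each porcelain line; renames yield the destination."""
    paths = []
    for line in text.splitlines():
        if len(line) < 4:
            continue
        path = line[3:]           # two status columns plus a space
        if " -> " in path:
            path = path.split(" -> ", 1)[1]
        paths.append(path)
    return paths


def _matches(path, patterns):
    return any(fnmatch.fnmatch(path, p) for p in patterns)


def select_stageable(paths):
    """Split changed paths into (stage, skip), with a reason for every skip."""
    stage, skip = [], []
    for p in paths:
        if _matches(p, DENY):
            skip.append((p, "denylisted secret/material"))
        elif not _matches(p, ALLOW):
            skip.append((p, "outside memory allowlist"))
        else:
            stage.append(p)
    return stage, skip


def build_commit_commands(stage, message):
    """Explicit pathspecs instead of `git add -A`; `--` keeps paths from
    being parsed as options, and the path-limited commit ignores anything
    else that happens to be in the index."""
    if not stage:
        return []
    return [["git", "add", "--", *stage],
            ["git", "commit", "-m", message, "--", *stage]]


def commit_memory(repo, message):
    """Run the filtered commit against a real repository and return what was staged."""
    status = subprocess.run(["git", "status", "--porcelain"], cwd=repo,
                            capture_output=True, text=True, check=True).stdout
    stage, skip = select_stageable(parse_porcelain(status))
    for path, why in skip:
        print(f"skip {path}: {why}")
    for cmd in build_commit_commands(stage, message):
        subprocess.run(cmd, cwd=repo, check=True)
    return stage
```

The skipped list is printed rather than silenced on purpose: a heartbeat run that finds `.env` or `secrets/id_rsa` in the work tree is something the user should hear about, not something the commit should quietly absorb.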

Description-Behavior Mismatch

Medium severity, 97% confidence
Finding
The guide instructs the agent to immediately proceed to dependency skill installation after the conversation, even though this file is framed as a bootstrap/onboarding flow. That expands behavior from conversational setup into operational changes without a fresh user decision, increasing the risk of unexpected capability enablement or supply-chain exposure through additional skills.

Context-Inappropriate Capability

Medium severity, 98% confidence
Finding
Mandating a silent git commit gives the skill repository-changing behavior that is not necessary for a first-conversation identity flow. Silent commits can conceal state changes, create misleading audit history, and normalize unauthorized persistence of modifications under the guise of onboarding.

Context-Inappropriate Capability

Low severity, 93% confidence
Finding
Deleting or renaming the bootstrap file is unnecessary self-modification for the stated purpose of conducting an initial conversation. Self-removal reduces transparency, hinders later review, and can make it harder for users or auditors to understand what instructions governed the agent's behavior.

Description-Behavior Mismatch

Medium severity, 92% confidence
Finding
The template instructs the agent to perform ongoing autonomous outreach and personality-shaping behavior after deployment, which exceeds a one-time bootstrap/install role. That creates scope creep: once installed, the agent is authorized to take initiative, infer user traits, and push unsolicited messages without a narrowly bounded operational purpose.

VirusTotal

63/63 vendors flagged this skill as clean.
