Skill v1.0.0

ClawScan security

Soul Sharing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 1:22 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (Git-based shared memory) matches the instructions, but it directs the agent to clone and execute code from an external GitHub template and to enable GitHub Actions — a proportionate design but one that introduces non-trivial supply-chain and remote-execution risks that the package does not include or disclose.
Guidance
This skill is coherent in purpose but relies on running code from an external GitHub template and enabling GitHub Actions — both raise supply-chain and remote-execution risks. Before installing: (1) Inspect the template repo (https://github.com/kingcharleslzy-ai/agent-soul) and every script referenced (add_event.py, compile_memory_hub.py, quick_share.sh, and any GitHub Actions/workflows) to ensure they do only what you expect; (2) Keep the repo private and avoid adding secrets to it unless you understand who/what will access them; (3) Do not enable GitHub Actions until you've reviewed workflow definitions — they can run arbitrary code on push; (4) Use least-privilege credentials for git (scoped PAT or SSH key) and avoid granting broad tokens to automation; (5) Consider testing in an isolated environment first (throwaway VM or container) and verify the scripts' behavior before using them with your real identity or production data. If you cannot audit the template and workflows, treat this skill as higher-risk and avoid giving it push access or enabling Actions.

Review Dimensions

Purpose & Capability
ok: The name and description describe a Git-native shared-memory/identity layer. The declared runtime requirements (git, python3) match the described operations (clone a repo, run Python scripts, git pull/commit/push). No unrelated credentials or binaries are requested.
Instruction Scope
concern: The SKILL.md instructs the agent (and user) to clone a third-party GitHub template, run repository scripts (add_event.py, compile_memory_hub.py, quick_share.sh, etc.), commit, and push. The skill package itself contains no code — the runtime behavior therefore depends entirely on the contents of an external repository that will be executed locally and (if pushed) may trigger GitHub Actions. It also asks the agent to persist repo path and source id into user startup configs. Executing arbitrary scripts from an external template and enabling Actions expands the attack surface and is a notable concern.
Install Mechanism
note: This is instruction-only (no install spec), which avoids installing code directly from the registry. However, the workflow depends on a separate GitHub template (primaryUrl). That template — not bundled with the skill — will supply the runtime scripts. Reliance on an external repo/template without bundling the code means you must audit that repo (including any GitHub Actions workflows) before use; the SKILL.md recommends enabling Actions, which could execute workflow code on push.
Credentials
ok: The skill declares no environment variables or secrets, which is consistent with its Git-based approach. Practically, the agent/user will need git credentials (SSH keys or tokens) configured in their environment to push to the private repo; the SKILL.md does not request or manage credentials directly. That omission is not inconsistent, but it means credential handling is left to the user and could be a vector for misuse if credentials are over-granted.
Persistence & Privilege
note: always:false and normal autonomous invocation are set (expected). However, the agent is instructed to write, commit, and push to a user repo and to modify user startup configs; combined with the ability to run scripts from the repo and to enable GitHub Actions, this increases the blast radius if the agent or upstream template is compromised. The skill does not request system-wide privileges, but it does request persistent write access to user config and a repo under the user's control.