soul-agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent digital companion, but it creates persistent scheduled behavior, changes root agent instruction files, stores personal life data, and can send that data to Anthropic without strong consent or removal controls.

Install only if you intentionally want a scheduled companion that can keep writing memory in your workspace and influence future agent behavior. Before enabling it, review the cron jobs, the managed blocks added to SOUL.md/HEARTBEAT.md/AGENTS.md, and the soul/ data directory. Use a dedicated Anthropic key only if you are comfortable sending personal profile, plan, memory, and diary context to Anthropic, and remove cron jobs plus the soul/ data if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to read environment variables, write files under the workspace, and run scripts, but it does not declare corresponding permissions or make those capabilities explicit in metadata. This creates a transparency and least-privilege problem: users or hosting systems may not realize the skill can access secrets like ANTHROPIC_API_KEY and persist data autonomously.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The initializer goes beyond creating data under `soul/` and unconditionally edits top-level control files (`SOUL.md`, `HEARTBEAT.md`, and `AGENTS.md`) by inserting operational instructions that affect future agent behavior. This creates a persistence and control-surface change: simply running initialization changes how the host agent boots, performs heartbeats, and handles user interaction, which is more powerful than the script's stated initialization role.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This file sends prompt content to Anthropic's external API, while the skill metadata emphasizes local-seeming companion behaviors such as mood, relationship evolution, and memory. That mismatch creates a real data exposure risk because users may provide intimate or sensitive content to a 'digital companion' without realizing it is transmitted to a third-party service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup flow collects personal profile data such as name, age, city, occupation, and hobbies, then stores it in workspace files for ongoing autonomous use, but the skill does not present a clear privacy notice, retention policy, or consent checkpoint. This is dangerous because it encourages collection and long-term storage of personal data without informing the user how it will be used, persisted, or exposed to later prompts and logs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises heartbeat execution every 10 minutes, daily distillation, proactive outreach, and continuous log/state generation, but it does not clearly warn users that enabling it will cause recurring background actions and ongoing file writes. Autonomous scheduled behavior increases risk because it can generate unexpected persistence, resource consumption, privacy exposure, and user confusion if the agent acts when the user is not actively interacting.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The outreach trigger condition is broad and underspecified, which can cause the agent to initiate unsolicited contact in many loosely related situations. In a companion-style skill that tracks relationship stage and proactively reaches out, ambiguous triggers increase the risk of over-contact, manipulative engagement, and boundary violations.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The condition is ambiguous and may activate across a wide range of normal states, causing unpredictable outreach behavior. Because this skill is designed as an emotionally expressive digital companion, vague activation logic can make the agent seem clingy or emotionally dependent, which raises user-safety and trust concerns.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script sends raw life-log content, including emotional state, activities, and optionally plan context, to an LLM via `llm.generate(...)` without any visible consent prompt, notice, redaction, or data-minimization step in this file. Because the skill is explicitly designed as a persistent digital companion with independent memory, the logs are likely highly personal, which makes silent transmission to a model provider a meaningful privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends rich personal context to an external LLM, including display name, city, occupation, hobbies, mood, energy, daily plan, recent diary entries, and weather/activity context, without any consent gate, minimization, or disclosure in this component. In a companion-style skill with persistent memory and relationship tracking, this creates meaningful privacy risk because sensitive behavioral data can be exfiltrated to a third-party model service during routine operation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code performs remote LLM requests with user prompt content but contains no user-facing notice, consent flow, or data handling guardrails in this component. In a companion-style skill, users are especially likely to share emotional, personal, or identifying information, making undisclosed third-party transmission more dangerous in context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends profile attributes, emotional state, energy, and a snippet of persistent memory to an LLM without any visible consent gate, minimization, or disclosure in this file. Because memory content may contain sensitive personal data, this creates a privacy and data-handling risk, especially if the LLM backend is remote or logs prompts.

VirusTotal

62/62 vendors flagged this skill as clean.