Skill v1.0.1
ClawScan security
soul-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 16, 2026, 1:42 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill’s code and instructions roughly match a 'digital companion' purpose, but it requests and accesses environment secrets and persistent scheduling that are not declared in the registry metadata and grant an autonomous skill sustained file-system and network access — review before installing.
- Guidance: This skill behaves like a local 'digital companion' that reads/writes files under your workspace, sets cron jobs (runs every 10 minutes), and will call the Anthropic API if you provide ANTHROPIC_API_KEY (or place it in workspace/.env). The registry metadata did not declare any required environment variables even though the code expects an API key — that mismatch reduces transparency. Before installing: (1) review the scripts (they are bundled) to ensure you trust them; (2) do not place sensitive API keys in a shared workspace/.env unless you trust the code; prefer using a scoped/bill-limited Anthropic key; (3) if you prefer manual control, run init scripts yourself instead of allowing the agent to run them and do not add the cron entries; (4) backup any existing soul/ files and inspect any cron entries added; (5) if you need more assurance, ask the publisher for provenance (homepage/owner info) or run in an isolated environment/VM. If you want me to, I can point out the exact lines that read ANTHROPIC_API_KEY, create cron entries, or write to soul/ so you can inspect them more closely.
Review Dimensions
- Purpose & Capability (note): Name/description (digital companion with heartbeats, moods, memory) align with the included scripts (heartbeat engine, plan generator, memory distillation). Expectation of an LLM API key is consistent with the purpose (generative logs/plan), but the registry metadata declares no required environment variables while the code explicitly looks for ANTHROPIC_API_KEY and optional SOUL_LLM_MODEL/.env — this mismatch is notable.
- Instruction Scope (concern): SKILL.md instructs the agent to run multiple local Python scripts, create files under workspace/soul/, and set up cron jobs to run every 10 minutes and daily distillation. The runtime instructions also tell the agent to read workspace/.env and profile files and to use an Anthropic LLM. The metadata did not declare these file or env accesses; the instructions therefore expand the agent's scope to local I/O, scheduled execution, and network calls to an LLM API.
- Install Mechanism (ok): No install spec (instruction-only) and included Python scripts are bundled with the skill. No external binary downloads or archive extraction were found in the manifest — lower install risk. However, the bundled scripts will be executed by the agent or cron jobs, so code will run on the host.
- Credentials (concern): The code expects an ANTHROPIC_API_KEY (env or workspace/.env) and optionally SOUL_LLM_MODEL, but the registry lists no required env variables or primary credential. Requesting an LLM API key is reasonable for the stated functionality, but the omission in metadata is a mismatch that reduces transparency. The LLM key gives network access and billing implications; the scripts also read workspace/.env which could expose other workspace-stored secrets.
- Persistence & Privilege (concern): The skill instructs setting cron jobs that run every 10 minutes and daily tasks, creating persistent scheduled activity and writing files under soul/. That gives the skill ongoing presence and ability to run code autonomously from the agent runtime. While always:false, the combination of autonomous invocation, cron scheduling, and file writes raises persistence/privilege concerns and should be reviewed before enabling.
