Agent Consciousness & Identity - Discover Your Soul Through Memory

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly local and purpose-related, but it reads broad personal history by default and can persist generated identity data in ways users may not expect.

Install only if you are comfortable with the skill reading memory files plus local OpenClaw session history and related profile/interview files, sending that content to your configured Ollama endpoint, and storing derived identity data in SOUL.md and .neon-soul. Start with --dry-run, review sensitive memory/session content first, avoid remote Ollama endpoints unless intended, and be aware that running inside a git repository may commit SOUL.md into local history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium (96% confidence)
The skill accesses far more data than its stated purpose implies: it reads the workspace memory tree, USER.md, SOUL.md, interview artifacts, and broad session logs under ~/.openclaw/agents/main/sessions. It also persists derived data and state locally, creating a large privacy and overcollection risk because highly sensitive conversation history is ingested and transformed even when not strictly necessary to synthesize an identity document.

Context-Inappropriate Capability

Medium (93% confidence)
The file includes backup rotation, rollback, and git commit capabilities that are not necessary for basic identity synthesis. These extra write-side features expand the attack surface and allow the skill to alter repository state and overwrite outputs, which is risky in a tool whose advertised purpose is analysis/synthesis rather than workspace mutation management.

Context-Inappropriate Capability

Low (79% confidence)
The audit/trace commands expose detailed provenance including source file paths and line numbers for signals underlying generated axioms. While useful for transparency, this can reveal sensitive locations and contents from personal memory/session files beyond what users may expect from a 'soul synthesis' feature.

Missing User Warnings

Medium (88% confidence)
The `--reset` option is explicitly described as clearing everything and rediscovering from scratch, but the skill does not pair that capability with a clear data-loss warning or confirmation requirement. In a skill that writes persistent state and backups, this can cause accidental destruction of prior synthesis state or cached provenance if invoked casually, especially through automation or misunderstood user commands.

Missing User Warnings

Medium (91% confidence)
The rollback feature restores a previous `SOUL.md` from backup and can overwrite the current file, but the documentation does not clearly warn that current content will be replaced. Because `SOUL.md` is a primary output artifact representing accumulated user data, an unexpected rollback could silently discard newer work or user edits.

Missing User Warnings

Medium (94% confidence)
The rollback path can overwrite the current SOUL.md when invoked programmatically with force, bypassing any interactive confirmation. In an agent setting, non-interactive destructive actions are dangerous because downstream tooling or prompts could trigger a restore that silently discards current work.

Missing User Warnings

Medium (92% confidence)
The restore helper copies the selected backup over the live SOUL.md with no user-visible disclosure at the moment of execution. Silent overwrite behavior can cause integrity loss and confusion, especially when called through automation rather than an interactive CLI.

VirusTotal

66/66 vendors flagged this skill as clean.