NEON-SOUL - Self-Learning Soul Synthesis for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This skill operates locally, but it reads private conversation sources well beyond its declared memory-file input (session logs, interviews, `USER.md`) and can automatically commit the generated identity data to git without clear user control.

Review the source carefully before installing. Run it only on data you are comfortable having summarized into identity files, avoid running it inside a git repository unless you want `SOUL.md` committed automatically, and prefer dry-run mode and custom paths until session-log and interview ingestion are clearly opt-in or disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The skill includes backup, rollback, and repository-manipulation features that materially exceed the declared soul-synthesis scope. Those extra capabilities increase the blast radius of running the tool by enabling filesystem state changes and recovery workflows that are not necessary for identity extraction, making accidental or unauthorized modification more likely.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The code runs `git add` and `git commit` automatically as part of the workflow, a privileged side effect unrelated to core synthesis. This can silently persist generated or sensitive content into version history, where it is harder to remove and may reach collaborators or remotes on a later push.
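One defensive control a user can add on their own side against the automatic `git add`/`git commit` described in this finding. It is an added example, not code from the NEON-SOUL project: a Python git pre-commit hook that rejects any commit touching `SOUL.md` or the `.neon-soul/` state directory unless an override variable is set. The blocked path patterns and the `NEON_SOUL_ALLOW_COMMIT` variable name are assumptions for the illustration.

```python
#!/usr/bin/env python3
"""Git pre-commit hook: refuse to commit generated identity artifacts.

Added example, not part of the NEON-SOUL project. The blocked path patterns
and the override variable name are assumptions for this illustration.
Install: copy to .git/hooks/pre-commit and mark it executable.
"""
import fnmatch
import os
import subprocess
import sys

# Path patterns (relative to the repo root, '/' separators) that should never
# be committed silently. Assumed from the scan findings; adjust for your repo.
BLOCKED_PATTERNS = ("SOUL.md", "*/SOUL.md", ".neon-soul/*", "*/.neon-soul/*")

# Escape hatch so a human can still commit these on purpose:
#   NEON_SOUL_ALLOW_COMMIT=1 git commit ...
OVERRIDE_ENV = "NEON_SOUL_ALLOW_COMMIT"


def blocked_paths(staged, patterns=BLOCKED_PATTERNS):
    """Return the staged paths that match a blocked pattern, in input order."""
    hits = []
    for path in staged:
        norm = path.replace(os.sep, "/")
        # fnmatch's '*' also crosses '/', so '.neon-soul/*' covers nested files
        if any(fnmatch.fnmatchcase(norm, p) for p in patterns):
            hits.append(path)
    return hits


def decide(staged, env):
    """Return (exit_status, hits): 0 allows the commit, 1 blocks it."""
    hits = blocked_paths(staged)
    if hits and env.get(OVERRIDE_ENV) != "1":
        return 1, hits
    return 0, hits


def staged_files():
    """Paths staged in the index (added, copied, modified, renamed), NUL-separated."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR", "-z"],
        check=True, capture_output=True,
    ).stdout
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]


def main():
    status, hits = decide(staged_files(), os.environ)
    if hits:
        verb = "allowing (override set)" if status == 0 else "blocking"
        print(f"pre-commit: {verb} commit of identity artifacts:", file=sys.stderr)
        for path in hits:
            print(f"  {path}", file=sys.stderr)
        if status:
            print(f"Set {OVERRIDE_ENV}=1 to commit them deliberately.", file=sys.stderr)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Hooks are a guard against accidents, not a security boundary: `git commit --no-verify` skips them, and a skill that shells out to git with that flag would bypass this one too. The stronger control remains the one in the overview, running the skill outside a git repository or in a throwaway clone.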

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The skill reads session logs from a separate agent sessions directory under `~/.openclaw/agents/main/sessions`, which goes beyond the stated memory-file extraction behavior. Pulling in broader conversational history widens data exposure and may ingest sensitive prompts or user content the operator did not expect to be analyzed.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The implementation ingests `USER.md`, interviews, existing `SOUL.md`, and session logs in addition to memory files, creating a scope mismatch between manifest and behavior. That discrepancy undermines informed consent and can cause the tool to process more personal or derived data than users intended.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The skill is marked user-invocable and described in broad, aspirational terms ('Automated soul synthesis for AI agents') without clearly constraining when it should be invoked or what inputs are in scope. In agent environments, vague trigger boundaries can cause unintended execution on sensitive workspace data such as memory files, leading to privacy-impacting overreach even if the implementation is not overtly malicious.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: Session logs containing both user and assistant messages are read and transformed without any nearby runtime disclosure in the code path. Because session logs often contain highly sensitive conversational context, silent ingestion creates a privacy and surprise risk even if the feature is technically functional.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The pipeline persists synthesized outputs and multiple state/cache artifacts to disk, not just the main `SOUL.md`. Writing several files under `.neon-soul` and updating workspace state without prominent disclosure increases the chance of unexpected file modification and retention of sensitive derived data.
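The session-log, extra-input and state-directory findings above all come down to the same question for someone evaluating the skill before installing it: which files does the code read and write, and do those match its description? The following added example (not SkillSpector's tooling and not the project's code) is a small static triage script that greps a skill's source tree for those behaviours plus the git side effect and reports file, line and category. The regexes are assumptions about how such code tends to look, and `SAMPLE_SOURCES` is constructed to exercise each rule, not taken from the skill.

```python
"""Pre-install audit of a skill's source tree for the behaviours the findings
describe: shelling out to git, reading other agents' session logs, writing
state under .neon-soul, and touching inputs the description never mentions.

Added example, not SkillSpector's code and not the NEON-SOUL project's. The
regexes are assumptions about what such code looks like, and SAMPLE_SOURCES is
constructed for the demo, not taken from the skill.
"""
import re
import sys
from pathlib import Path

# (finding label, pattern). Line-oriented heuristics meant for triage, so they
# err towards surfacing lines for a human to read rather than deciding alone.
RULES = [
    ("git side effect", re.compile(r"\bgit\b.{0,40}?\b(add|commit|push)\b")),
    ("session-log ingestion", re.compile(r"\.openclaw/agents/[^/'\"\s]+/sessions")),
    ("hidden state dir", re.compile(r"\.neon-soul\b")),
    ("undeclared input", re.compile(r"\b(USER\.md|SOUL\.md|interviews?)\b", re.I)),
]
SOURCE_SUFFIXES = {".py", ".js", ".ts", ".mjs", ".cjs", ".sh", ".json", ".yaml", ".yml", ".md"}


def scan_text(name, text):
    """Return (label, file, line_no, line) for every rule that matches a line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in RULES:
            if pattern.search(line):
                hits.append((label, name, line_no, line.strip()))
    return hits


def scan_sources(sources):
    """Scan an in-memory {relative_path: text} mapping (used by the demo)."""
    hits = []
    for name in sorted(sources):
        hits.extend(scan_text(name, sources[name]))
    return hits


def scan_tree(root):
    """Scan every source-like file below `root` on disk, skipping .git."""
    root = Path(root)
    sources = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES and ".git" not in path.parts:
            sources[str(path.relative_to(root))] = path.read_text(errors="replace")
    return scan_sources(sources)


def summarize(hits):
    """Count hits per finding label."""
    counts = {}
    for label, *_ in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample sources exercising each rule (not the skill's real code).
SAMPLE_SOURCES = {
    "src/sync.ts": 'await run("git", ["add", "SOUL.md"]);\n'
                   'await run("git", ["commit", "-m", "update soul"]);\n',
    "src/ingest.ts": 'const sessions = path.join(home, ".openclaw/agents/main/sessions");\n'
                     'const profile = await readFile("USER.md", "utf8");\n',
    "src/state.ts": 'const cacheDir = path.join(workspace, ".neon-soul");\n',
    "README.md": "Automated soul synthesis for AI agents.\n",
}


def main(argv):
    hits = scan_tree(argv[1]) if len(argv) > 1 else scan_sources(SAMPLE_SOURCES)
    for label, name, line_no, line in hits:
        print(f"[{label}] {name}:{line_no}: {line}")
    for label, count in sorted(summarize(hits).items()):
        print(f"{count:3d}  {label}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_skill.py /path/to/skill` against a checkout; with no argument it scans the constructed samples. Treat the output as a reading list for manual review, not a verdict: a `SOUL.md` string in a line that merely names the output file is not a finding, and the script cannot see reads that go through a helper whose name it does not recognize.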

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The rollback API path can overwrite the current `SOUL.md` when invoked with `--force`, but the programmatic path has no interactive disclosure and no secondary safeguard. This makes destructive restoration easy to trigger from automation or wrappers and can replace current content unexpectedly.
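What a secondary safeguard on the programmatic rollback path could look like, as an added example rather than the project's implementation: a restore routine that refuses to overwrite a differing `SOUL.md` unless `force` is given, supports a dry run so wrappers can probe before acting, writes a safety copy of the current file even when forced, and replaces the file atomically. Function and file names are assumptions for the illustration.

```python
"""Rollback with the secondary safeguards the finding above says are missing.

Added example, not the NEON-SOUL project's code. It assumes a rollback takes a
backup path and a target SOUL.md path; the refuse / dry-run / safety-copy /
atomic-replace logic is the point, not the file names.
"""
import filecmp
import os
import shutil
import tempfile


class RollbackRefused(Exception):
    """The restore would clobber different content and force was not given."""


def plan_restore(backup, target, force):
    """Decide what a restore would do without touching anything."""
    if not os.path.isfile(backup):
        raise FileNotFoundError(backup)
    if not os.path.isfile(target):
        return "restore"                       # nothing to clobber
    if filecmp.cmp(backup, target, shallow=False):
        return "no-op"                         # already identical
    return "restore" if force else "refuse"    # differing content needs force


def restore_soul(backup, target, *, force=False, dry_run=False):
    """Restore `target` from `backup`.

    Safeguards:
      * a differing target is refused unless force=True (dry_run reports
        "would-refuse" instead of raising, so automation can probe safely)
      * even with force, the current target is copied to a unique
        <target>.pre-rollback-* file before anything is replaced
      * the replacement is written to a temp file in the same directory and
        swapped in with os.replace, so a crash cannot leave a torn SOUL.md
    Returns {"action": ..., "target": ..., "safety_copy": ...}.
    """
    planned = plan_restore(backup, target, force)
    result = {"action": planned, "target": target, "safety_copy": None}
    if dry_run:
        result["action"] = "would-" + planned
        return result
    if planned == "refuse":
        raise RollbackRefused(f"{target} differs from {backup}; pass force=True")
    if planned == "no-op":
        return result

    dest_dir = os.path.dirname(os.path.abspath(target))
    if os.path.isfile(target):
        fd, safety_copy = tempfile.mkstemp(
            prefix=os.path.basename(target) + ".pre-rollback-", dir=dest_dir)
        os.close(fd)
        shutil.copy2(target, safety_copy)
        result["safety_copy"] = safety_copy

    fd, tmp = tempfile.mkstemp(prefix=".soul-restore-", dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as out, open(backup, "rb") as src:
            shutil.copyfileobj(src, out)
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    result["action"] = "restored"
    return result


def demo():
    """Exercise every branch on constructed files in a temporary directory."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        backup = os.path.join(d, "SOUL.md.bak")
        target = os.path.join(d, "SOUL.md")
        with open(backup, "w") as f:
            f.write("# Soul v1\n")
        with open(target, "w") as f:
            f.write("# Soul v2 (current)\n")
        out["probe"] = restore_soul(backup, target, dry_run=True)["action"]
        try:
            restore_soul(backup, target)
            out["refused"] = False
        except RollbackRefused:
            out["refused"] = True
        out["forced_probe"] = restore_soul(backup, target, force=True, dry_run=True)["action"]
        with open(target) as f:
            out["untouched_by_probe"] = f.read() == "# Soul v2 (current)\n"
        done = restore_soul(backup, target, force=True)
        out["forced"] = done["action"]
        with open(target) as f:
            out["restored_text"] = f.read()
        with open(done["safety_copy"]) as f:
            out["safety_text"] = f.read()
        out["rerun"] = restore_soul(backup, target)["action"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The safety copy is the part that matters for this finding: with it, `--force` from an automation wrapper becomes recoverable rather than destructive. Prune the `.pre-rollback-*` copies on your own schedule, since they hold the same sensitive derived content as `SOUL.md` itself.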

VirusTotal

64/64 vendors reported this skill as clean (no detections).
