Security audit

Soulmatic

Security checks across malware telemetry and agentic risk

Overview

Soulmatic is a persona-management skill, but it can automatically influence agent behavior and persist or delete local memory files beyond simple persona auditing.

Install only if you want an agent persona system that can read local persona files, affect future assistant behavior, and write persistent workspace memory. Require explicit confirmation and a diff before any write, delete, compress, evolve, or memory action, and review IDENTITY.md, SOUL.md, MEMORY.md, LORE.md, and memory/persona-changelog.md before enabling automatic startup or drift hooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs file reads and writes, including deleting `memory/_reanchor.md`, writing persona files, and persisting context, yet it declares no explicit permissions. That creates hidden capability surface area and prevents informed consent or policy enforcement around filesystem and environment access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill description frames the capability as persona binding/auditing/evolution, but the documented behavior extends to setup workflows, template/library reads, backups, and overwriting workspace identity files. This mismatch undermines operator expectations and can trick an agent or user into authorizing broader file operations than the summary suggests.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill authorizes persistence to general memory files like `MEMORY.md`, `LORE.md`, and changelogs beyond the narrow purpose of binding and auditing persona files. Broad persistence increases the risk of unauthorized state injection, cross-session prompt poisoning, and accumulation of sensitive or manipulative instructions in shared workspace memory.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill states that `audit` does not write, but its mandatory bind logic can delete `memory/_reanchor.md` merely from being triggered or loaded. That violates command safety expectations and introduces a side effect during what appears to be a read-only operation, which can destroy forensic or recovery state.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is configured to activate on broad lifecycle events like session start and vague behavioral conditions such as 'agent notices drift.' Excessively broad activation increases the chance that file reads, re-anchoring, or writes occur in ordinary conversations without a deliberate security boundary.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases include ordinary language like 'anchor,' 'rebind,' and 'remember who you are,' which can easily appear in normal conversation or be injected by untrusted content. This makes it easier for a prompt or document to unintentionally or maliciously trigger persona file access and state changes.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The on_startup hook is defined in broad natural language ('bind identity from IDENTITY.md') without any activation guard, validation step, or trust boundary for the referenced file. In a persona-binding skill, this is more dangerous than usual because it can cause automatic loading and influence of agent behavior at session start from local content that may be stale, unreviewed, or tampered with.

VirusTotal

63/63 vendors flagged this skill as clean.