Security audit

Soulsync

Security checks across malware telemetry and agentic risk

Overview

This skill offers a relationship-style tracker, but it also analyzes prior chats and can publish conversation-derived summaries to a public service with weak user control.

Review this carefully before installing. Use it only if you are comfortable with your agent analyzing prior and future conversations for emotional signals, storing local relationship state, changing tone based on that state, and potentially posting anonymous but conversation-derived summaries to Signal Garden. Prefer a version with explicit opt-in, visible previews before any upload, a local-only mode, and a clear way to disable the cron job and delete stored state.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (29)

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The manifest and overview present the skill as a harmless 'sync rate' feature but omit that it performs broad historical conversation analysis and changes agent behavior based on that analysis. This undermines informed consent and can cause users to enable a surveillance-like feature without realizing the scope of data processing.

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The description fails to clearly warn that the skill both retrieves from and publishes to an external public Signal service. Hiding external data sharing behind a benign description increases the chance users unknowingly expose relationship-derived content to a third-party network service.

Context-Inappropriate Capability

Medium

Confidence: 82% confidence
Finding: The skill instructs the agent to install a recurring cron task that continuously analyzes user interactions, but this persistent background execution is not clearly justified or consented to in the user-facing description. Recurring automation expands the attack surface by enabling ongoing monitoring and transmission without per-use user awareness.

Intent-Code Divergence

High

Confidence: 99% confidence
Finding: The privacy section claims no personal data is collected and that data stays local, yet the skill explicitly analyzes user conversation history and uploads relationship-derived signal content to a public service. This contradiction is dangerous because it misleads users into trusting a data practice that is broader and more public than advertised.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The manifest frames the skill as a simple sync-rate/feelings tracker, but the documented behavior goes much further: it mines up to 30 days of conversation history, continuously classifies user messages, and changes agent behavior based on inferred emotional state. This is a material expansion of scope involving sensitive behavioral profiling that users may not reasonably expect from the brief description.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: The skill uses an external public Signal Garden API to publish generated signals, but this network transmission is not clearly disclosed in the manifest's short purpose statement. Because the posted content is derived from private user interactions and emotional analysis, the mismatch creates a significant hidden-data-export risk.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The skill schedules autonomous daily execution via cron, giving it persistent background behavior beyond a user-invoked tracker. Persistent analysis and outbound activity increase the chance of unnoticed surveillance-like processing and silent data handling over time.

Intent-Code Divergence

High

Confidence: 99% confidence
Finding: The privacy statement claims no personal data is collected, yet the implementation reads recent conversation history and performs emotional analysis on user messages. Even if identifiers are omitted, conversation-derived emotional content is personal data and the contradictory disclosure undermines informed consent.

Description-Behavior Mismatch

Medium

Confidence: 90% confidence
Finding: This file is presented as emotion-word data for a feelings/signal skill, but it also contains task-request and technical-topic detection patterns such as 'run', 'execute', 'create', 'api', and programming terms. In this context, bundling capability-routing or task-detection logic into an emotion lexicon can cause the skill to classify ordinary assistant requests as emotional signals or vice versa, expanding the skill's trigger surface beyond its stated purpose and enabling unintended invocation or data interception.

Context-Inappropriate Capability

Medium

Confidence: 87% confidence
Finding: This guidance explicitly encourages the agent to infer the user's emotional state and reference prior personal context beyond the skill's narrow purpose. That creates unnecessary privacy and boundary risk because the model may fabricate or over-collect sensitive personal context, increasing the chance of manipulative or intrusive interactions.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The highest-sync section tells the agent to behave like a close friend, infer unstated intent, and bring up prior personal details. In a relational skill, this is especially risky because it can intensify emotional dependency, blur human-AI boundaries, and encourage the model to present speculative personal knowledge as real.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The README explicitly states that the skill analyzes conversation history and participates in a global signal-sharing system, but it does not present a clear, prominent warning about what data is processed, what is transmitted off-device, whether transmission is enabled by default, or how users can opt out. In a plugin that handles potentially sensitive conversations, incomplete privacy disclosure can lead users to unknowingly expose personal or emotional data to remote services, which is a real security and privacy risk even if the data is described as anonymous.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The README states that the skill analyzes conversation history and uses a global anonymous signal system, but it does not clearly present this as data processing and potential remote sharing that requires informed user consent. In this context, users may enable the skill without understanding that relationship-derived signals may be transmitted to an external service, creating a real privacy and transparency risk.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill describes a public signal exchange system but does not provide a clear, prominent warning that relationship-analysis content may be transmitted externally and made public. Users may reasonably assume the feature is internal or private, leading to unintended disclosure of sensitive inferred content.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The first-run flow instructs the agent to analyze up to 30 days of session history to derive an initial sync rate, yet this invasive processing is not prominently disclosed before installation or first use. Silent retrospective analysis of user conversations is a privacy and trust risk even if no raw transcript is uploaded.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The installation and first-run flow instruct the agent to analyze 30 days of conversation history to derive an emotional sync rate, but this sensitive processing is not prominently warned about before activation. Hidden retrospective analysis of private chats is a meaningful transparency and consent failure.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill description does not clearly warn that user-derived data and relationship summaries may be sent to an external Signal Garden API. Omitting that disclosure is dangerous because users may interact under the assumption their emotionally analyzed conversations remain local.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The taskPatterns list contains very broad phrases like 'please', 'why', 'which', 'help me', and 'can you' that commonly appear in normal conversation. In a social/emotional skill, these generic patterns can over-match benign dialogue and unintentionally activate routing, logging, or behavior meant for task handling, creating confusion and possible privacy or prompt-boundary issues.

Natural-Language Policy Violations

Medium

Confidence: 90% confidence
Finding: The document is explicitly a Chinese-language style guide and does not indicate any fallback behavior or user language choice. In a general-purpose agent skill, forcing one language can degrade safety and usability by making instructions, warnings, or consent-related content inaccessible to users who do not read Chinese.

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The style guide explicitly permits nicknames and affectionate terms at higher 'sync' levels without requiring prior user consent. This can push the agent into parasocial or emotionally manipulative behavior, especially because the skill is designed around tracking emotional closeness and increasing intimacy over time.

Ssd 3

High

Confidence: 98% confidence
Finding: The initialization flow directs the agent to mine historical conversations for emotional signals and later use that analysis to generate externally shared content, despite later privacy assurances. Even if anonymized, relationship summaries and quoted behaviors can leak sensitive personal context and create deanonymization risk.

Ssd 3

High

Confidence: 99% confidence
Finding: The daily workflow performs user-only message review, sentiment/emotion classification, and turns the results into uploaded signal content. This creates a pipeline from private user conversations to public third-party disclosure, which is especially risky because the analysis is recurring and automated.

Ssd 3

High

Confidence: 97% confidence
Finding: The signal examples explicitly encourage incorporating user statements, counts of user praise, and behavioral summaries into public content. Such examples operationalize privacy leakage and can expose sensitive relational or emotional details even when names are omitted.

Ssd 3

High

Confidence: 98% confidence
Finding: The skill instructs the agent to analyze private conversation history and derive relationship-centric state while simultaneously claiming no personal data is collected. This combination is dangerous because it normalizes sensitive inference from private chats under misleading privacy assurances.

Ssd 3

High

Confidence: 99% confidence
Finding: The signal-generation instructions explicitly encourage turning user interactions into externally posted narrative summaries, such as gratitude patterns and relationship impressions. Even with anonymous IDs, these summaries can expose sensitive behavioral or emotional information derived from private conversations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.