Soulprint

Warn

Audited by ClawScan on May 10, 2026.

Overview

Soulprint’s identity-verification purpose is coherent, but the artifacts under-disclose sensitive ID, biometric, and on-chain data flows while relying on npm code not included in the review.

Only install this if you are comfortable using an unreviewed npm CLI for identity verification. Do not use real cédula, face, biometric, wallet, or admin-token data until the project clearly documents what stays local, what is sent to Registraduría or validators, what is written on-chain, and how identity state can be removed or limited.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may run identity verification believing nothing leaves the machine, while a persistent blockchain identity artifact is created.

Why it was flagged

The same artifact tells users nothing is uploaded while also describing persistent on-chain registration, which is an overbroad privacy claim.

Skill content

npx soulprint verify-me      # all local, nothing uploaded ... → Nullifier registered on-chain (Base Sepolia)

Recommendation

Clarify exactly what is written on-chain and require explicit confirmation before any registration; avoid saying 'nothing uploaded' unless it is strictly true.

What this means

Sensitive identity information or derived reputation state could be exposed, logged, persisted, or reused across tools in ways the user did not expect.

Why it was flagged

The skill handles national ID data, date of birth, face-recognition/biometric identity material, and a reusable cross-tool token without clearly bounding storage, retention, logging, or reuse.

Skill content

GET /verify/cedula?numero=X&fechaNac=YYYY-MM-DD — Registraduría validation ... OCR + face recognition ... your SPT token works across all tools in mcp-colombia automatically

Recommendation

Document the exact local and remote data flows, avoid putting ID/DOB in GET URLs, provide retention/deletion controls, and require explicit user approval before processing or reusing identity proofs.

What this means

Running the npm CLI may execute code that ClawScan did not inspect, including code that processes very sensitive personal information.

Why it was flagged

The reviewed artifacts delegate runtime behavior to an npm package that was not included in the scan, so the CLI’s handling of identity and biometric data cannot be assessed from these artifacts.

Skill content

Source: unknown ... Install specifications: node | package: soulprint ... Code file presence: No code files present — this is an instruction-only skill

Recommendation

Verify the npm package provenance, pin reviewed versions, and inspect the package source before using it with real identity documents or biometrics.

What this means

If a real wallet key or admin token is used, the CLI/server may act with that account’s authority.

Why it was flagged

Validator operation uses a blockchain/admin private key and token; this is purpose-aligned for running a validator but is not declared in the metadata credential requirements.

Skill content

ADMIN_PRIVATE_KEY=0x... ADMIN_TOKEN=... PORT=4888 node dist/server.js

Recommendation

Use a dedicated low-value testnet key, never reuse a personal/mainnet wallet key, and require explicit user approval before starting validator commands with credentials.