OpenSoul - An immutable, private soul for agent Self-reflection, self-improvement and on-chain economic activities.

Security checks across malware telemetry and agentic risk

Overview

OpenSoul is a coherent blockchain memory and audit-log skill, but it asks users to handle wallet and PGP private keys while encouraging permanent logging of potentially sensitive agent activity without enough safeguards.

Review this carefully before installing. Use only a new low-balance or testnet BSV wallet, never an existing wallet with meaningful funds. Do not log prompts, personal data, secrets, raw queries, document names, or confidential business details to the blockchain; log only minimal redacted metadata or encrypted commitments. Avoid the private-key handoff workflow, do not use passphrase-less PGP keys, and treat local backup JSON files as sensitive records that need encryption, restrictive permissions, and deletion policies. Do not run the external install script unless you separately audit the cloned repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The documented GPG batch generation example includes %no-protection, which creates an unencrypted private key despite nearby guidance telling users to use a strong passphrase and protect secret material. In this setup guide, users are explicitly handling blockchain wallet credentials and encrypted logs, so encouraging passphrase-less private keys materially increases the chance of key theft and decryption of sensitive log data if the file or host is compromised.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The agent handoff example explicitly packages and transfers the BSV private key and PGP private key as part of a 'soul export'. This normalizes credential export and duplication, which can immediately compromise wallet funds, encryption secrecy, and the integrity of the agent identity if the bundle is intercepted, logged, or mishandled.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The file is described as a passive configuration template, but importing it triggers BACKUP_DIR.mkdir(...), which performs filesystem writes as a side effect. Hidden import-time side effects are risky because they can surprise downstream code, violate least astonishment, and create directories in environments where imports are expected to be read-only.

Missing User Warnings

Medium
Confidence: 92%
Finding
The examples encourage logging agent actions and details to a blockchain without prominently warning that blockchain writes are effectively permanent and may expose sensitive prompts, metadata, or user activity. In an agent skill context, developers may copy these patterns directly, causing irreversible disclosure of operational or user data.

Missing User Warnings

Medium
Confidence: 94%
Finding
The research-agent example logs search queries, document names, and session summaries, all of which can reveal user interests, internal workstreams, or confidential research topics. Because this skill is about agent memory and audit logging, the context makes the risk more serious: implementers are likely to preserve and reuse exactly this sensitive telemetry.

Missing User Warnings

Medium
Confidence: 91%
Finding
The multi-agent example normalizes sharing logs across agents and handling PGP private keys/passphrases without warning about trust boundaries, recipient access, or key-management failures. In a collaborative agent system, cross-agent sharing materially increases exposure because one compromised agent or mishandled key can reveal data intended for a limited set of participants.

Missing User Warnings

Medium
Confidence: 95%
Finding
The error-handling example writes backup logs to a local JSON file without warning that sensitive telemetry may be retained in plaintext on disk. This creates a straightforward disclosure risk through local compromise, backups, shared workstations, or accidental inclusion in source control or artifact uploads.

Missing User Warnings

Medium
Confidence: 92%
Finding
The summary promotes immutable blockchain logging, public verifiability, and audit trails, but does not clearly warn users that data written to a blockchain may be permanently retained and potentially deanonymized or exposed through metadata. In a skill intended for AI agents handling operational history and memory, this omission can lead to sensitive prompts, actions, identities, or collaboration details being stored in a way that cannot be easily deleted or corrected.

Missing User Warnings

Medium
Confidence: 98%
Finding
This is a true security issue because the command-line example silently disables passphrase protection on the exported private key without any immediate warning in the snippet itself. Given the skill's context of storing potentially sensitive agent logs and credentials, an unprotected PGP secret key undermines the stated confidentiality model and makes accidental disclosure or host compromise far more damaging.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README promotes immutable, publicly verifiable blockchain logging as a core capability, but it does not place an immediate, explicit warning near that guidance that actions and possibly sensitive prompts, outputs, or metadata may become permanently public. In a skill intended for AI agents and developers, this omission can lead users to log sensitive operational data under the mistaken assumption that audit logging is inherently safe or private.

Missing User Warnings

Medium
Confidence: 96%
Finding
The deployment guidance explicitly instructs users to monitor logs on a public block explorer, which reinforces a workflow of publishing and reviewing data publicly without a corresponding privacy warning at the point of use. Because blockchain records are durable and broadly accessible, users may expose sensitive agent activity, business logic, or user-derived data with no practical way to retract it afterward.

Missing User Warnings

High
Confidence: 94%
Finding
The skill promotes storing agent actions, memory, and audit logs on a public blockchain, but does not prominently warn that blockchain publication is effectively permanent and broadly discoverable. Users may assume audit data is private or reversible, causing sensitive prompts, task details, or metadata to be irreversibly exposed.

Missing User Warnings

Medium
Confidence: 93%
Finding
The examples log task actions, queries, token usage, and detailed activity structures without clearly warning against inclusion of sensitive user content. In practice, developers often copy examples directly, which can lead to persistent storage and possible on-chain disclosure of prompts, searches, and other private operational data.

Missing User Warnings

High
Confidence: 99%
Finding
The agent handoff example includes exporting private keys as transferable state, but lacks strong warnings or safeguards about credential theft and identity compromise. Anyone obtaining that export can impersonate the agent, decrypt historical data, and spend associated blockchain funds.

Missing User Warnings

Medium
Confidence: 96%
Finding
The troubleshooting example generates a new blockchain private key and prints the WIF private key directly to stdout. Even in documentation, normalizing the practice of displaying secret key material is dangerous because terminal logs, shell history capture, screenshots, CI logs, or shared support transcripts can expose reusable credentials.

Missing User Warnings

Medium
Confidence: 95%
Finding
The guide instructs users to export secret PGP keys to a plaintext ASCII-armored file without any warning about the sensitivity of that file. This creates a realistic path to credential compromise because exported private key files are easy to exfiltrate, mishandle, back up insecurely, or leave behind on disk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The debug logging example logs the full transaction payload, which may include sensitive business data, identifiers, addresses, metadata, or other confidential contents destined for blockchain submission. Debug logs are often retained centrally and broadly accessible, so encouraging raw payload logging materially increases the chance of secondary data exposure.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code reads a private credential from the environment and initializes a logger designed to persist session data to blockchain, but it provides no explicit consent, privacy warning, or data-classification checks before transmitting potentially sensitive content. In an agent template, this is especially risky because downstream developers may inherit the behavior and unknowingly send prompts, task details, or user data to an immutable external system.

Missing User Warnings

Medium
Confidence: 95%
Finding
When flush fails, pending logs are written to local disk in JSON form without encryption, permission hardening, or user warning. If those logs contain prompts, task data, or secrets, any local compromise, backup sync, or shared-system access could expose sensitive information.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script explicitly flushes audit logs to a public blockchain and only mentions balance/connectivity if the operation fails; it does not clearly warn users that logged content may become publicly accessible and effectively immutable. Even though the sample data shown is innocuous, real-world adaptations could include queries, dataset names, timestamps, session identifiers, or other sensitive operational metadata that cannot be retracted once published.

Missing User Warnings

Low
Confidence: 86%
Finding
The code automatically creates a local backup directory without explicit user acknowledgement or a prominent warning, which can lead to unexpected local persistence of operational data. In an agent/security context, silent file writes may expose sensitive logs or metadata to the local filesystem and conflict with operator expectations.

Missing User Warnings

Medium
Confidence: 96%
Finding
User-provided search queries and derived session metadata are logged through a blockchain-backed audit system, and the code later flushes those logs to an immutable external ledger. Search terms can contain sensitive business, personal, or investigative information, and writing them to persistent public or semi-public storage without explicit notice, consent, minimization, or redaction creates a serious confidentiality and privacy risk.

Ssd 3

Medium
Confidence: 90%
Finding
The implementation guidance encourages persistent logging of task descriptions, results, and reflection data that may contain user-supplied or model-derived sensitive information. Because the skill is centered on durable history, this increases the chance of long-term retention, replay, and secondary disclosure of private data.

Ssd 3

Medium
Confidence: 88%
Finding
The best-practices section explicitly endorses high-detail logging of every tool call, token usage, and intermediate step, which can capture sensitive prompts, outputs, and operational context. In a persistent-memory skill, that guidance materially raises privacy and confidentiality risks beyond ordinary application logging.

Ssd 3

Medium
Confidence: 89%
Finding
The research pattern searches prior logged content and reuses matched historical details, encouraging indefinite retention and resurfacing of old query or task data. This increases the likelihood that sensitive or outdated user information is re-exposed in future sessions or outputs.

VirusTotal

66/66 vendors flagged this skill as clean.