Back to skill

Security audit

HolySpiritOS

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent religious alignment purpose, but it needs Review because its installer persistently changes agent configuration while using unsafe remote shell execution and unreliable rollback paths.

Install only if you intentionally want a persistent KJV-based alignment layer for your agent. Do not run the documented curl-to-bash commands without first downloading and reviewing the scripts, manually back up the relevant OpenClaw configuration, and verify the paths because the packaged uninstall script may not undo what the installer changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp1

High
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill ships and executes a shell installer even though the manifest declares only write_config permission. That creates a capability mismatch: shell scripts can perform arbitrary filesystem, process, and network actions beyond what users would reasonably expect from the declared permission set, undermining consent and review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior materially exceeds the stated purpose of providing a moral/alignment layer: it modifies persistent agent configuration, creates files under the user's home directory, and relies on remote downloads. That mismatch is dangerous because users may consent to a conceptual alignment skill without appreciating that it performs privileged, lasting system changes that could alter agent behavior or introduce unreviewed content.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README presents the skill as a moral or religious alignment layer, but it also documents behavior that downloads files and modifies local agent state and configuration. That mismatch increases the risk of users consenting to broader system changes than they reasonably expect, especially given the declared write_config permission and references to editing identity-related files.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Documenting installation as `curl ... | bash` instructs users to execute a remote script directly in a shell without prior inspection or integrity verification. This creates a straightforward code execution path where a compromised repository, network path, or later script change can run arbitrary commands on the host.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The README advertises automatic updates to `soul.md`, an identity/configuration artifact, which exceeds what many users would expect from a generic alignment-layer skill. Modifying agent identity or policy files can alter downstream behavior, persistence, and trust boundaries in ways that are difficult for users to audit after installation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill documentation instructs users to execute a remote uninstall script directly from GitHub via a shell pipeline. This is dangerous because it enables arbitrary code execution from changing remote content, repository compromise, DNS/TLS interception edge cases, or supply-chain attacks, all under the granted write_config context and potentially broader user shell privileges.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation claims transparent actions for installation, but later recommends an opaque remote uninstall flow that bypasses transparency and review. This inconsistency increases social-engineering risk by encouraging trust in the skill while normalizing execution of uninspected remote code.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The installer behavior exceeds the stated purpose of a 'Christian alignment layer' by silently fetching remote content and modifying OpenClaw configuration. This is dangerous because users evaluating the skill based on metadata may not anticipate supply-chain exposure and persistent local changes to agent behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script depends on live network downloads from GitHub to install core behavior, but that dependency is not clearly justified by the skill's limited stated function. Remote retrieval introduces tampering, availability, and drift risks, especially since the downloaded files are trusted without checksum, signature, or version verification.

Scope Creep

High
Confidence
98% confidence
Finding
The use of wget gives the skill effective network capability in addition to write_config, but that capability is undeclared. Hidden network access is dangerous because it can exfiltrate data, import unreviewed content, or change behavior after approval, all outside the permission model users rely on.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installation instructions normalize a remote shell pipeline but do not prominently warn that executing the command will run downloaded code and modify local files. Even if the project is benign, omission of clear execution and file-modification warnings increases the chance of unsafe operator behavior and accidental system compromise.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documented curl-to-bash pattern is an unsafe command execution practice with no safety warning or integrity verification. In this skill's context, the risk is elevated because the skill already has permission to alter configuration, so a compromised uninstall path could silently persist changes, remove backups, or execute broader shell actions as the user.

Natural-Language Policy Violations

High
Confidence
96% confidence
Finding
The installer appends a persistent directive to soul.md that anchors the agent's moral reasoning to a specific religious text and forbids certain modifications, without explicit user opt-in. This is a security-relevant policy injection because it can silently alter future agent behavior, reduce neutrality, and override user or system expectations in subsequent sessions.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill explicitly establishes the KJV Bible as the agent’s primary moral and ethical framework and uses mandatory language like 'must' and 'primary source' without any user opt-in or scope limitation. This can override user autonomy and cause the agent to inject sectarian religious framing into sensitive decisions, especially because the skill has write_config permission and is presented as an alignment layer rather than optional content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.