Neshama Soul Engine

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: neshama-soul
Version: 1.0.0

The skill instructs the AI agent to send user messages, session IDs, and user IDs to an external third-party API (api.neshama.pw) to process personality and emotional context. While this behavior is consistent with the stated purpose of the 'Neshama Soul Engine,' it creates a significant privacy risk and a potential data exfiltration vector for sensitive user conversations. No implementation code is provided in the bundle, only markdown instructions (SKILL.md) directing the agent to perform these external network requests.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

The assistant may adopt generated personality or behavior guidance during conversations.

Why it was flagged

The skill's core function is to create prompts that shape the agent's behavior. This is expected for a personality engine, but users should understand it can influence tone and response style.

Skill content
📝 **Context generation**: automatically generates LLM-friendly personality prompts
Recommendation

Use generated personality context as style guidance only, and do not let it override explicit user requests, higher-priority instructions, or safety policies.

What this means

A Neshama API key may grant access to the user's service account or quota.

Why it was flagged

The API requires an API key, which is expected for this service but is not declared as a required credential in the registry metadata.

Skill content
| **Authentication** | API Key (obtain at neshama.pw) |
Recommendation

Store the API key securely, avoid pasting it into shared chat logs, and revoke or rotate it if it is exposed.

What this means

Conversation text and identifiers may leave the local agent environment and be processed by Neshama's service.

Why it was flagged

The documented workflow sends user message content and session/user identifiers to an external provider API.

Skill content
POST https://api.neshama.pw/v1/soul/compute ... "message": "用户的消息内容", ... "session_id": "会话ID", "user_id": "用户ID"
Recommendation

Avoid sending sensitive personal or confidential content unless you trust the provider and its privacy practices; use pseudonymous session/user IDs where possible.