Back to skill

Security audit

Neshama Soul Openclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a personality and memory layer, but it needs review because it can persist user preferences automatically and sends message context to an external API while also making conflicting privacy claims.

Install only if you want an always-on personalization layer. Before using it, review or disable API-backed features for sensitive work, avoid putting secrets or proprietary code in prompts that may be sent to the provider, and require confirmation before the agent writes to USER.md or SOUL.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The README exposes a reusable API key and encourages use of external services that are not clearly necessary for a personality-injection skill. Even if labeled as a public test key, embedding credentials in documentation can enable abuse, make users unknowingly depend on a third-party backend, and create an undisclosed data-flow path for prompts, preferences, or emotional-memory content.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The heartbeat design explicitly includes API synchronization and connectivity checks that go beyond the stated purpose of providing personality and emotional behavior. This expands the skill's operational scope into data transmission and remote state management without clear user consent, creating unnecessary privacy and integrity risk if configuration or profile data is sent externally.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file describes autonomous user-state monitoring and automatic triggering after each interaction, which materially broadens the skill from personality support into ongoing behavioral surveillance and state management. In an agent setting, background monitoring without explicit approval can lead to covert collection or modification of user-related data.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The documentation adds technical decision tracking and user preference maintenance capabilities that are not justified by the skill's advertised personality/emotion function. This function creep increases the amount of sensitive contextual data the skill may store or infer, which raises privacy and misuse risk.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The document claims data is 'not uploaded to third-party servers' while earlier sections direct the agent to send user messages and context to an external API endpoint. This is a materially misleading privacy statement that can cause users and integrators to disclose data under false assumptions, increasing privacy, compliance, and trust risk.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill says it does not collect user code or project files, but the API accepts a free-form 'message' field that may contain exactly that information. Without content filtering or explicit restrictions, the documentation understates the realistic data exposure to the external service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation says initialization runs automatically and that personality context is injected into every new session, but it does not clearly warn users that preferences and behavioral state may persist across sessions. In a skill designed to remember user preferences and emotional context, silent persistence can affect privacy, consent, and downstream agent behavior in ways the user may not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states it will remember user preferences and technical decisions across sessions, but it does not disclose retention scope, consent, deletion, or privacy boundaries. In an agent skill, silent persistence of user-specific data can lead to collection of sensitive workflow details or personal preferences without informed user awareness.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs the agent to generate USER.md and optionally delete BOOTSTRAP.md during first run, but it provides no requirement for explicit user consent, preview, backup, or warning about configuration/data impact. In an agent skill that persists personality and preference state across sessions, silent creation, modification, or deletion of local files can alter user environment and destroy setup information unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The trigger keywords map directly to actions that modify USER.md or SOUL.md and execute maintenance flows, but the document does not require confirmation, authorization checks, or disclosure of consequences. This creates a risky prompt-to-state-change pathway where casual or ambiguous input could cause persistent configuration changes to core behavior files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The bootstrap flow explicitly instructs the agent to ask for personal preference data and automatically generate a persistent `soul/USER.md` file, but it provides no notice about storage, retention, access, or deletion controls. This creates a privacy risk because users may disclose identifiable or sensitive work-context information without informed consent, and that data may persist longer than expected.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises persistent memory of user preferences and emotional/contextual understanding, but it does not disclose retention duration, reviewability, or any mechanism for opting out. In context, this makes the behavior more dangerous because the feature is framed as a core always-on personalization layer, increasing the likelihood of silent long-term accumulation of user data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes automatic updates to USER.md when new preferences are detected, but provides no warning that user data will be modified. Silent writes to profile data are dangerous because they can persist inaccurate inferences, overwrite intentional settings, or create a hidden memory store the user did not knowingly authorize.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented API update behavior suggests configuration synchronization may transmit data externally, but there is no user-facing disclosure or consent step. Undisclosed transmission of configuration or profile-related data creates privacy risk and may expose sensitive personalization state to third parties or remote services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API request format includes message text, session_id, and user_id for an external service, but the document does not clearly present this as a privacy-relevant external transmission requiring user awareness. In an agent skill, hidden or underexplained outbound sharing is risky because users may assume processing is local.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Publishing and recommending fallback use of a shared public API key encourages sending user data under a credential not controlled by the deployer. This weakens accountability, complicates revocation and auditing, and increases the chance that sensitive traffic is sent through an insecure or rate-limited shared channel.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The statement that this is a configuration the agent 'must follow' on every response creates a persistent instruction layer that can override session-level user intent without fresh consent. In a personality/persistent-memory skill, that increases the chance of instruction persistence, unwanted language/style coercion, and preference poisoning if the file is modified or initialized incorrectly.

Ssd 3

Medium
Confidence
96% confidence
Finding
The description promotes memory continuity for user preferences and coding decisions, creating a data retention surface in natural-language files without any stated minimization rules. This is dangerous because persistent conversational memory can accumulate sensitive operational details, coding habits, or project context that users may not expect to be stored long-term.

Ssd 3

Medium
Confidence
97% confidence
Finding
A dedicated permanent USER.md file strongly implies ongoing retention of user-specific data, yet the file description provides no boundaries on what may be stored or for how long. In practice, such free-form memory files can become catch-alls for sensitive preferences, internal project details, or personal information, increasing privacy and misuse risk.

Ssd 3

Medium
Confidence
95% confidence
Finding
The quick-start section says the agent will remember coding preferences and technical decisions across conversations, normalizing cross-session persistence without warning or consent. This creates risk because technical decisions may reveal architecture, security posture, tooling, or proprietary development practices that should not be silently retained.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.