COC Soul Immortality

Security checks across malware telemetry and agentic risk

Overview

The skill fits its backup and recovery purpose, but it needs review because it can create keys and automatically back up sensitive agent data to IPFS and on-chain records with weak scoping and encryption guidance.

Install only after reviewing the data scope. Start on testnet with dedicated keys, enable encryption before any backup, keep private keys and latest-recovery.json out of chat and version control, disable autoBackup and backupOnSessionEnd until you are comfortable with what leaves the host, and exclude host-local API/model credentials from portable backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description is broad and activation-oriented, encouraging use whenever a user wants persistence or recovery without clearly constraining when the skill should or should not activate. In a skill that can generate keys, contact external services, and perform backup/restore operations, overly broad triggering increases the chance of unintended invocation and side effects on sensitive agent state.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill advertises automatic EOA keystore generation, automatic faucet interaction, and prefilled live network endpoints as zero-config behavior, but the warning is not presented as a prominent consent gate in the manifest. That can lead an agent or operator to trigger credential creation and outbound blockchain/network actions without realizing private key material will be generated and persisted locally or that network-identifying activity will occur.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation enables automatic backups on a timer and at session end, while also describing creation of a local recovery package containing decryption material and manifest data. That combination can persist sensitive recovery artifacts without an explicit consent step, retention guidance, or a strong warning that local storage and automatic transmission may expose private data to other local users, to backup agents, or through compromise of the host.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The instruction to relay recovery output verbatim to the user can disclose sensitive restore information such as recovery package paths, encryption mode, signing key file location, and potentially password-handling context without verifying the recipient or channel security. In an agent setting, 'verbatim' forwarding increases the chance that secrets or recovery-enabling metadata are exposed into chat logs, shared terminals, or other untrusted interfaces.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The configuration example includes highly sensitive secrets such as `privateKey`, `rpcAuthToken`, and `encryptionPassword` directly in a sample config, while only giving minimal file-permission guidance. In documentation for a backup/agent system, this can normalize unsafe secret handling, increase the chance users store production credentials in plaintext, and lead to credential theft if the file is copied, logged, backed up, or committed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The initial backup configuration section presents IPFS backup settings without clearly warning that, unless `encryptMemory` is enabled, uploaded memory data may be plaintext at the resulting CID. Because this skill handles backup of identity, memory, chat, workspace, and database categories, delayed disclosure materially increases the risk that users enable backups believing they are confidential when they are not.

Session Persistence

Medium
Category
Rogue Agent
Content
## First-time

- `backup init` — register the agent on SoulRegistry (if not yet registered), run a first **full** backup, write `~/.coc-backup/latest-recovery.json` with the decryption material + manifest CID.
- `backup register` — register on-chain only, do not run a backup.

## Periodic
Confidence
93% confidence
Finding
write `~/.coc-backup

VirusTotal

65/65 vendors flagged this skill as clean.
