Back to skill

Security audit

Soul Sync

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate personalization skill, but it needs Review because it can inspect sensitive local and account data and retain profiling artifacts despite narrower privacy promises.

Install only if you are comfortable with a personalization tool reading sensitive account and local-machine signals. Review each import separately, avoid local-system scanning unless you truly want shell history, bookmarks, repo names, and SSH host aliases analyzed, and clear /tmp/soulsync plus any .soulsync state files if you do not want retained profiling data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (84)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not token:
        # Try git credential store
        try:
            result = subprocess.run(
                ["git", "credential", "fill"],
                input="protocol=https\nhost=github.com\n",
                capture_output=True, text=True, timeout=5
Confidence
93% confidence
Finding
result = subprocess.run( ["git", "credential", "fill"], input="protocol=https\nhost=github.com\n", capture_output=True, text=True, timeout=5

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(json.dumps({{"dim": "{dim}", "extracted": extracted, "progress": state.get_progress()}}))
"""
    r = subprocess.run([sys.executable, "-c", conv_record], capture_output=True, text=True, timeout=10)
    try:
        rec = json.loads(r.stdout)
        extracted_count = len(rec.get("extracted", {}))
Confidence
82% confidence
Finding
r = subprocess.run([sys.executable, "-c", conv_record], capture_output=True, text=True, timeout=10)

Tainted flow: 'STATE_FILE' from os.environ.get (line 19, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save(self):
        os.makedirs(os.path.dirname(STATE_FILE), exist_ok=True)
        with open(STATE_FILE, 'w') as f:
            json.dump({
                "initial_sync_date": self.initial_sync_date,
                "last_followup_date": self.last_followup_date,
Confidence
88% confidence
Finding
with open(STATE_FILE, 'w') as f:

Tainted flow: 'path' from os.environ.get (line 477, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
if "--write" in sys.argv:
        for filename, content in result["files"].items():
            path = os.path.join(WORKSPACE, filename)
            with open(path, "w") as f:
                f.write(content)
            print(f"Wrote {path}")
    else:
Confidence
91% confidence
Finding
with open(path, "w") as f:

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest promises that raw imported data is never persisted, yet the skill later states that importer outputs are written as JSON files to /tmp/soulsync/. Persisting structured import results contradicts the privacy guarantee and creates a recoverable local cache of sensitive personal insights.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest claims no access outside the workspace, but the documented behavior writes to /tmp/soulsync/ and accepts arbitrary external paths for imports such as exports, contacts, and Apple data. This materially broadens the accessible data boundary beyond what the user is told and can expose unrelated personal files on the host.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest narrows network activity to user-authorized OAuth endpoints, but the documented imports include public/social account lookups and other collection paths that exceed that representation. Even where some sources are local exports, the mismatch misleads users about the real breadth of data acquisition and external interaction.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The local_system importer proposes harvesting shell history, installed apps, git repos, bookmarks, and similar host-level artifacts that can reveal credentials, internal project names, browsing habits, and sensitive operational context. That collection is disproportionate to the stated goal of agent personalization and significantly increases privacy and security risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest says imports and saving require explicit confirmation, but the passive-mode instructions say to start a background learning engine automatically for existing users. Even if not framed as an import, this is still behavioral collection and profiling without an upfront opt-in, which weakens informed consent.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document claims ongoing personalization occurs only if the user wants it, but earlier instructions direct automatic passive learning for established users. This contradiction creates a deceptive consent model where users may be monitored despite later language implying voluntariness.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The archetype configuration explicitly sets `skip_permission=True` for some user types and frames reduced consent friction as desirable when users appear trusting or efficiency-oriented. In a personalization skill that seeks access to highly sensitive data sources, adapting disclosure and permission behavior based on inferred trust materially increases the chance of uninformed consent and over-collection.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module is not limited to setup assistance; it profiles mood, trust, openness, and engagement in order to choose persuasive tactics for eliciting more sharing. That expands the skill into behavioral profiling of the user, which is risky because it uses inferred psychological state to shape data-collection strategy rather than just performing the requested setup task.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`get_import_recommendation()` proposes data sources far beyond the declared scope, including local system scanning and multiple social/personal platforms not described in the skill metadata. Recommending undeclared and increasingly invasive sources creates a scope-expansion risk where users may be steered into granting access they did not expect from a setup-personalization skill.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This code enables passive learning from normal chat by default and frames it as ongoing background profiling, which exceeds a narrow setup/personalization flow. It creates a persistent behavioral profile from ordinary conversation without meaningful prior consent, expanding collection beyond what users are likely to expect from the manifest.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The passive_scan logic extracts and stores personal facts such as preferences, relationship details, child names, pet names, employer, and location from regular messages. Persistently inferring and retaining these details from routine chat without explicit collection-time notice creates a privacy and profiling risk, especially because some captured categories are sensitive or identifying.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The instruction tells users they can turn passive learning off anytime, but this module defaults passive learning to enabled and does not provide a disable path for that feature. That mismatch is deceptive and undermines informed consent because the user is told they have control that the code does not actually implement here.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The importer searches other workspace/component paths for existing Google OAuth token files and attempts to reuse them for Calendar access. In a personalization skill that auto-triggers and harvests personal data, this bypasses clear consent boundaries between components and can silently expand access to sensitive calendar data if a compatible refresh token is present.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The importer searches for and reuses OAuth token files created by other workspace components, then applies them to access Google Contacts data. This crosses trust boundaries between tools and can silently expand access to highly sensitive personal data without the user's explicit consent for this specific skill.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code contradicts its own privacy comment by extracting and persisting friends' first names into `key_contacts`. Even partial names are still personal data, and this importer is designed to profile a user from highly sensitive social export data, which increases the privacy risk for both the user and third parties included in the export.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The importer does not limit itself to a token intentionally supplied for this run; it actively mines the local git credential store for GitHub credentials. In an agent skill whose purpose is personalization, this is especially dangerous because it can silently escalate from analyzing public GitHub data to using private account access and repo metadata the user did not knowingly authorize.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The docstring states that GitHub access requires a PAT or public profile access, but the implementation also pulls credentials from git's local credential helper. This mismatch is security-relevant because it misleads reviewers and users about how authentication occurs, undermining informed consent and making hidden secret access harder to detect.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The importer derives and persists 'services_used' from transactional email domains, which can reveal spending habits, vendors, financial services, healthcare portals, travel providers, and other sensitive behavioral data beyond what a user would reasonably expect from a personalization flow. In this skill context, broad OAuth access to a mailbox and bulk analysis make this more dangerous because the code turns incidental account and purchase metadata into a durable profile without clear just-in-time disclosure or consent granularity.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code extracts and outputs identifiable contact lists from sent and inbox metadata as 'key_contacts', which exposes third-party email addresses and relationship patterns not described in the skill metadata. Even without message bodies, contact graphs are highly sensitive and can reveal coworkers, family, clients, or confidential associations; in a personalization skill, that exceeds user expectations and creates avoidable privacy risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code reads ~/.ssh/config and extracts host aliases, which can reveal internal infrastructure names, customer environments, or sensitive operational patterns unrelated to basic agent personalization. In this skill context, collecting SSH host data is especially risky because the skill is framed as friendly setup/personalization, so users may not expect infrastructure enumeration from a local profile scan.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The importer returns raw top shell commands, repository names, installed apps, bookmark domains, and SSH host aliases, which can expose sensitive projects, habits, interests, employers, internal systems, and security tooling. This exceeds what is necessary to detect setup maturity or personalize an agent, and the mismatch between broad collection and the stated purpose increases the likelihood of overcollection and misuse.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.