ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Soul Sync

v0.8.1

Personalize your OpenClaw agent quickly and naturally. Detects your current setup level and adapts — full soulsyncing for new users, targeted enhancement for...

0· 58·0 current·0 all-time
by@ocbenji
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description match the code's goal (personalize the agent) and many importers are expected for that purpose. However, the SKILL.md promises access confined to the OpenClaw workspace while importer modules search common user locations (Downloads, Desktop, ~/Library, shell history, git repos, etc.). The code also looks up existing OAuth/token files in the workspace and system git credentials — behavior that is not explicitly justified in SKILL.md and expands scope beyond the claimed boundary.
!
Instruction Scope
The runtime instructions tell the agent to run local Python scripts (detector.py, conversation.py, adaptive.py, and many importers). Those scripts will: scan workspace files, search the user's Downloads/Desktop and macOS library paths, write JSON outputs under /tmp/soulsync, and read existing tokens. SKILL.md asserts 'no access to files outside the OpenClaw workspace' and 'all imports are opt-in', but the code will locate and use existing tokens and local exports automatically if present — a mismatch that could cause unintentional access without a fresh explicit prompt.
Install Mechanism
No external install spec or remote download — the skill is instruction+local code only, which reduces supply‑chain risk. However, the included scripts do write state to /tmp and to files in the workspace (.soulsync-state.json, import JSON under /tmp). Running the provided scripts executes arbitrary Python code from the skill bundle on the user's machine, so inspect the code before running in a sensitive environment.
!
Credentials
The registry metadata lists no required environment variables or credentials, but the code expects or will reuse existing credentials/tokens (Google token JSON paths, git credential store, optional GITHUB_TOKEN, SPOTIFY_CLIENT_ID/SECRET per README). Reusing pre-existing tokens found on disk (without requiring a fresh explicit OAuth flow) contradicts the SKILL.md's 'explicit user confirmation' claim and increases the risk of unintended access to email/calendar/github data.
!
Persistence & Privilege
The skill persists state: adaptive engine saves adaptive_state.json to /tmp/soulsync and followup saves .soulsync-state.json into the workspace. It also enables ongoing passive learning by default (passive_learning = True). While persistence and passive learning are plausible for a personalization tool, combined with the ability to read broad local data and reuse existing tokens, this grants the skill substantial long-term access to user data unless the user explicitly audits or disables it.
What to consider before installing
This skill is not outright malicious, but it contains behaviors that contradict the SKILL.md privacy promises — so proceed cautiously. Before installing or running it: 1) Inspect the importers you care about (local_system, gmail/calendar, github, apple, etc.) to confirm what paths they read and whether they reuse existing tokens. 2) If you want to test, run the scripts in a sandboxed environment or on a throwaway account/workspace that does not contain real tokens or sensitive files. 3) Verify whether the skill will prompt for OAuth browser consent every time you connect an account; if it silently uses token files found in your workspace or git credential store, that could access data without a fresh prompt. 4) If you plan to use it, consider removing or moving any existing credential files from the workspace/home (gmail_token.json, token.json, GITHUB_TOKEN, SPOTIFY creds) until you explicitly choose to authorize. 5) Ask the author to reconcile the SKILL.md claims (no access outside workspace, opt-in-only imports) with the code paths that read Downloads/Desktop/~/Library and write to /tmp, and request an explicit mode that refuses to touch any file outside a single designated workspace directory. If you cannot get satisfactory answers, treat this skill as higher risk and only run it in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk974xfqnkf5djmrk08wq6q7n1983t8z9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments