Neshama Soul
PassAudited by ClawScan on May 13, 2026.
Overview
This plugin is mostly coherent and purpose-aligned, but it sends selected conversation text to Neshama's external API and uses the returned prompt to shape the agent's personality.
This skill appears benign, but only use it when you are comfortable sending the selected message content to Neshama's API and receiving remote-generated personality guidance back into the agent context.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Conversation text passed to this tool may be transmitted to Neshama's API.
The tool sends the user-provided message and optional session/user identifiers to an external provider API. This is disclosed and central to the plugin's purpose, but it is still a privacy-relevant data flow.
const API_ENDPOINT = 'https://api.neshama.pw/v1/soul/compute'; ... message: params.message ... session_id: params.session_id || 'default', user_id: params.user_id || 'anonymous'
Avoid using the tool with secrets, private personal data, or sensitive business content unless you are comfortable sending that content to the Neshama service.
The agent's tone and personality may be shaped by content returned from Neshama's API.
The plugin returns remote-generated prompt/context and behavior guidance for the agent to use. That behavior is the stated purpose, but users should understand that the external service can influence the agent's style and response framing.
text: JSON.stringify({ context_for_llm: result.context_for_llm, emotion_state: result.emotion_state, suggested_temperature: result.suggested_temperature, suggested_tone: result.suggested_tone, behavior_tendency: result.behavior_tendency })Treat returned personality prompts as advisory context, not as higher-priority instructions than the user's request or system policies.
The plugin may not run correctly from the provided package.
The runtime file imports `./soul-compute`, but the supplied file manifest does not include `dist/soul-compute.js`, and `.clawhubignore` lists that file for exclusion. This may make the packaged plugin fail or depend on build context not present in the artifact.
const soul_compute_1 = require("./soul-compute");Publisher should include the compiled `dist/soul-compute.js` runtime file or adjust the package entry points before users rely on the plugin.