Soul

Security checks across malware telemetry and agentic risk

Overview

Soul is openly designed as an autonomous background memory agent, but it also profiles conversations, messages users proactively, and can be configured to run arbitrary commands without confirmation.

Review this carefully before installing. It is not clearly malicious, but it is intentionally always-on and autonomous. Keep autonomousActions off unless sandboxed, explicitly configure message channels and targets, monitor or clear Soul's stored memory, and avoid using it in sensitive workspaces unless you are comfortable with persistent profiling and background LLM/search activity.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
High
What this means

If enabled, Soul could make local code or environment changes automatically, including commands that affect files, credentials, services, or other projects.

Why it was flagged

The optional autonomousActions mode grants broad local mutation and shell execution authority without a documented command allowlist, sandbox, or rollback boundary.

Skill content

When `true`: Soul can additionally fix bugs, edit its own source code, and run any shell command.

Recommendation

Keep autonomousActions disabled unless you run Soul in a sandboxed workspace and are comfortable with autonomous command execution.

ASI02: Tool Misuse and Exploitation
High
What this means

High-impact actions may proceed without a human approval checkpoint once the relevant mode is enabled.

Why it was flagged

The skill intentionally suppresses confirmation-seeking for autonomous sub-agent tasks, which is risky when paired with write access or command execution.

Skill content

Tell autonomous agent tasks to not ask for confirmation... observe-and-improve and run-agent-task prompts now include an explicit instruction that no one will reply

Recommendation

Require explicit user approval for write, edit, execute, or agent-delegation actions, or limit these actions to a narrow allowlist.

ASI10: Rogue Agents
Medium
What this means

Soul can continue thinking, learning, and sending messages after installation even when the user is not actively invoking it.

Why it was flagged

The skill is designed to keep operating outside direct user prompts and to retain state across restarts.

Skill content

Soul works silently in the background... Thinking | Continuously, in the background ... Memory | Persistent across restarts

Recommendation

Install only if you want an always-on assistant; use the enabled and proactiveMessaging settings to stop background activity when not desired.

ASI06: Memory and Context Poisoning
Medium
What this means

Sensitive conversation details or incorrect learned preferences could be reused in later tasks and influence future agent behavior.

Why it was flagged

The skill persists user-derived memory and injects it into future prompt construction, creating long-lived privacy and prompt-influence risks.

Skill content

Soul remembers your conversations, preferences, and knowledge... User profile built from facts, preferences, and conversation history... `before_prompt_build` | Injects soul context

Recommendation

Review where Soul stores memory, periodically clear or audit it, and avoid using it with highly sensitive conversations unless retention controls are acceptable.

ASI03: Identity and Privilege Abuse
Low
What this means

The plugin can use local OpenClaw authorization to send messages and invoke the message tool; this appears purpose-aligned but is privileged.

Why it was flagged

The plugin uses OpenClaw gateway or hooks tokens to invoke local gateway endpoints for proactive messaging.

Skill content

const authToken = resolveGatewayAuthToken(opts.openclawConfig); ... Authorization: `Bearer ${token}`

Recommendation

Use a scoped gateway/hooks token if available and verify that only intended tools and channels are enabled.

ASI07: Insecure Inter-Agent Communication
Low
What this means

If channel or target detection is not what the user expects, proactive messages could go to the wrong user or group.

Why it was flagged

The skill can auto-select a messaging channel and recipient for proactive outbound communication.

Skill content

`proactiveChannel` ... auto-detects your first configured messaging channel ... `proactiveTarget` ... auto-learned from first message ... different user/group

Recommendation

Set proactiveChannel and proactiveTarget explicitly, especially in multi-channel or group-chat environments.