Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Neon Soul 0.4.5

v1.0.0

Automated soul synthesis for AI agents. Extracts identity from memory files, promotes recurring patterns to axioms (N>=3), generates SOUL.md with full proven...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match what the skill does: it reads memory files, extracts patterns, and writes SOUL.md. Declared requirements (Node >=22 and a local Ollama service) are consistent with the stated LLM-driven processing engine.
Instruction Scope
SKILL.md explicitly instructs the agent to run the bundled CLI which reads memory/ and .neon-soul/ state files and writes SOUL.md and backups — this is within scope. It also recommends cron runs and provides options like --dry-run and --memory-path. Because the tool processes personal memory files, expect sensitive data to be loaded and summarized; this is expected but high-sensitivity.
Install Mechanism
No install spec (instruction-only for OpenClaw) and the script is bundled — nothing is downloaded from external URLs during install. The lack of an install process reduces install-time risk.
Credentials
The skill requests no environment variables or credentials. It does require access to local files under the workspace (memory/, .neon-soul/) and to a local Ollama endpoint, which are proportionate to its function.
Persistence & Privilege
always:false and user-invocable:true. The skill does not demand permanent inclusion or elevated platform privileges. It asks to read/write files within its own state dirs and to be scheduled optionally via cron — expected for this kind of utility.
Assessment
This skill appears internally coherent, but it executes a bundled JavaScript CLI that will read your agent's memory files and produce SOUL.md — which means it will process potentially highly sensitive personal data. Before installing or scheduling it to run automatically:

1) Inspect scripts/neon-soul.mjs (or run it in a sandboxed/test workspace) to confirm there are no unexpected network calls or telemetry;
2) Run a dry-run first (use --dry-run) to see what would change and what it reads;
3) Back up your memory/ and existing SOUL.md before first run;
4) Ensure Ollama runs locally and is configured securely (the skill expects http://localhost:11434);
5) If you cannot audit the bundled code, prefer running the tool only in an isolated workspace or VM.

These precautions reduce risk from hidden behavior in the compiled bundle.

Like a lobster shell, security has layers — review code before you run it.

Plugin bundle (nix)
Skill pack · CLI binary · Config
SKILL.md · CLI · Config
Config requirements
State dirs: memory/, .neon-soul/
latest: vk973kzfzd3gf296csnpbn54ydh824j98
