Back to skill

Security audit

Neon Soul 0.4.5

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it under-discloses broad personal data reading and can automatically commit generated identity summaries into git history.

Review the source scope before installing. Use --dry-run first, inspect generated SOUL.md and .neon-soul data, avoid scheduling cron unless you want ongoing processing, and run outside a git repository or choose an output path outside repo history if you do not want identity summaries committed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Using execFileSync to invoke git is an external process execution capability that materially increases the skill's power relative to its stated purpose. Although the current arguments are fixed rather than shell-interpolated, the capability still enables repository mutation and should be treated as sensitive in an agent skill.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Using execFileSync to invoke git is an external process execution capability that materially increases the skill's power relative to its stated purpose. Although the current arguments are fixed rather than shell-interpolated, the capability still enables repository mutation and should be treated as sensitive in an agent skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The scheduled synthesis section encourages recurring automated execution over personal `memory/` data and writing `SOUL.md`/backups, but the warning about privacy and file writes is not prominent in the scheduling workflow itself. In practice, users may enable cron without fully appreciating that sensitive personal files will be re-read and derivative identity summaries will be persistently regenerated on a schedule, increasing unintended disclosure and retention risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The rollback API path can restore backups and overwrite SOUL.md without an in-code confirmation check, even though the CLI path asks for --force. In an agent-integrated setting, another component could call the run() entrypoint directly and trigger destructive file replacement without interactive user acknowledgment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/neon-soul.mjs:10

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/neon-soul.mjs:4