Soul Pack
v0.1.0Export, import, and list SOUL packages for OpenClaw agents to manage reusable persona bundles and agent workspaces efficiently.
⭐ 0· 693·0 current·0 all-time
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill name/description describe exporting, importing, and listing SOUL packages and the included scripts implement exactly that. However the registry metadata claims no required binaries while the scripts and README require python3 and the openclaw CLI; that mismatch should be fixed (the binaries are reasonable for the stated purpose).
Instruction Scope
SKILL.md gives explicit shell invocation examples and the bundled scripts operate only on local filesystem artifacts (SOUL.md, preview.md, manifest.json) and call the local openclaw CLI. The instructions do not attempt to read unrelated files or environment variables, nor do they transmit extracted package contents to unexpected external endpoints. Examples use user-specific absolute paths but that is only illustrative.
Install Mechanism
This is an instruction-only skill with bundled scripts and no install spec or remote downloads. Nothing in the manifest writes code to disk from an external URL; risk from install mechanism is low.
Credentials
The skill declares no required environment variables or credentials, which aligns with local-only operation. Note: the scripts invoke the openclaw CLI which may itself use stored credentials/config in the user's environment to register agents or contact a remote service — this is expected for adding agents but is not declared in the metadata. No environment variables are read by the scripts directly.
Persistence & Privilege
The skill does not request permanent inclusion (always:false). The only persistent effect is that import-soul.sh may copy files into a workspace and call 'openclaw agents add' to register an agent — expected behavior for importing a package. The skill does not modify other skills or system-wide agent settings beyond creating/adding its own agent entry via the CLI.
Assessment
The skill appears to do what it says. Before installing/using: 1) Confirm you have python3 and the openclaw CLI installed (the metadata currently doesn't list these but the scripts call them). 2) Review any soul package contents before importing (do not include API keys, tokens, or arbitrary executables inside a package). 3) Importing copies SOUL.md/preview/manifest into the target workspace and, unless blocked with --force, will refuse to overwrite an existing SOUL.md — use caution with --force. 4) 'openclaw agents add' may contact a remote service and use your existing OpenClaw credentials/config; ensure you trust that service and run imports in a test workspace first. If you want stronger assurance, ask the author to update the skill metadata to declare required binaries and to clarify network behavior of the openclaw CLI.Like a lobster shell, security has layers — review code before you run it.
latest
Soul Pack
Use bundled scripts for deterministic behavior.
Export soul package
bash /Users/feifei/projects/soul-pack-skill/scripts/export-soul.sh \
--workspace /Users/feifei/.openclaw/workspace \
--out /Users/feifei/projects/soul-packages \
--name edith-soul
Import soul package + create agent
bash /Users/feifei/projects/soul-pack-skill/scripts/import-soul.sh \
--package /Users/feifei/projects/soul-packages/edith-soul.tar.gz \
--agent my-soul \
--workspace /Users/feifei/projects/agents/my-soul
List local soul packages
bash /Users/feifei/projects/soul-pack-skill/scripts/list-souls.sh \
--dir /Users/feifei/projects/soul-packages
Notes
manifest.jsonis validated againstschema/manifest.schema.v0.1.json.- Import does not overwrite existing SOUL.md unless
--forceis provided. - Agent registration uses
openclaw agents add(or reuses existing agent id).
Comments
Loading comments...