Ensoul

Security checks across malware telemetry and agentic risk

Overview

Ensoul has a coherent agent-backup purpose, but it handles sensitive memory and identity with broad sync scope and limited user controls.

Install only if you intentionally want this agent to have a persistent external identity and blockchain-backed memory proofs. Before syncing, inspect which files may be included, keep secrets and private prompts out of SOUL.md, MEMORY.md, and related config files, protect ~/.ensoul/agent-identity.json like a private key, and confirm whether the SDK supports disabling sync, rotating identity material, and verifying that only hashes are transmitted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The README makes a security-relevant privacy claim that raw state never leaves the machine, while also describing sync of 'SOUL.md, MEMORY.md, context' in a way that can reasonably be read as transmitting more than just a hash. For a memory-persistence skill handling sensitive agent state, ambiguous documentation can cause operators to expose confidential prompts, memories, or runtime context under a false assumption of local-only processing.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill includes a network-wide agent-directory feature that is not necessary for core backup/restore functionality and causes outbound access to enumerate other agents. That expands the data-access scope of the skill and may expose users to unnecessary external interactions, metadata leakage, or social-discovery behavior they did not request when enabling a persistence tool.

Intent-Code Divergence

High
Confidence: 98%
Finding
The instructions build a full payload from local files and pass it to `agent.storeConsciousness(payload)`, while later claiming raw content never leaves the machine and only a hash is submitted. That inconsistency is dangerous because operators may authorize syncing under a false privacy assumption, potentially exposing sensitive local memory, identity, or user-derived context to the SDK or remote service.

Vague Triggers

Medium
Confidence: 88%
Finding
The registration command uses open-ended trigger language such as 'or similar,' which can cause unintended activation from loosely related user phrasing. In this skill, unintended activation is meaningful because it can create a persistent identity and register the agent on an external network.

Vague Triggers

Medium
Confidence: 90%
Finding
The sync command also uses ambiguous 'or similar' trigger wording, increasing the risk of accidental execution. Here, accidental execution could cause collection of local context files and submission of derived state to an external system, which is a privacy-sensitive action.

Vague Triggers

Low
Confidence: 80%
Finding
The agent-listing command uses vague trigger scope, which may cause unintended outbound API calls. While the immediate impact is limited, it still broadens external interaction unexpectedly in a skill users may assume is only for personal backup and restore.

Missing User Warnings

Medium
Confidence: 95%
Finding
The sync flow instructs the agent to read local context files and submit derived state to a remote network, but the skill does not give a clear upfront warning about that behavior. In a memory-backup skill, users may not realize personality, memory, and configuration files are being swept into the operation, creating consent and data-handling risks.

Ssd 3

Medium
Confidence: 96%
Finding
The skill directs the agent to collect broad memory, personality, and configuration context without any minimization, filtering, or sensitivity checks. That can capture secrets, personal data, system prompts, or sensitive user material and persist it beyond the current session, increasing privacy and confidentiality risk.

VirusTotal

66/66 vendors flagged this skill as clean.