ClawSouls

Security checks across malware telemetry and agentic risk

Overview

ClawSouls appears to be a legitimate persona manager, but it also documents remote memory sync and persistent agent-identity changes that are not scoped clearly enough for automatic use.

Review before installing if your workspace contains sensitive prompts, memory, or client data. The install, list, and restore commands can be used normally. Run publish or sync only after confirming exactly which files will be uploaded or synchronized. Keep CLAWSOULS_TOKEN out of shell history and commits, and prefer a trusted, pinned version of the external clawsouls npm CLI over an unpinned or floating-tag install.
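The three checks above (what a sync would carry, whether the token has leaked into history or files, and whether the CLI version is pinned) can be scripted as a pre-flight before any publish or sync. The following is an added example, not code from ClawSouls or the clawsouls CLI: the workspace layout (SOUL.md, a memory/ directory, a .env file), the token format, and the shell-history lines are all constructed for illustration, and the "sensitive" path fragments are a starting list to adapt, not a definition the project supplies.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical pre-flight for the advice above: this is an added example, not
# ClawSouls or clawsouls-CLI code. File names, token format and history lines
# below are constructed for illustration.

# A token value appearing literally after CLAWSOULS_TOKEN= (quotes optional).
TOKEN_RE = re.compile(r"CLAWSOULS_TOKEN\s*=\s*['\"]?([A-Za-z0-9_.\-]{8,})")

# Path fragments that should make you stop and look before any publish/sync.
SENSITIVE_FRAGMENTS = (".env", "memory", "client", "secret")

# Directories a sync should never pick up.
EXCLUDED_DIRS = {".git", "node_modules"}


def find_token_leaks(lines):
    """Return (line_number, masked_token) for lines that expose a token value.

    Feed it shell history, a git diff, or a file about to be committed.
    Expansions like ${CLAWSOULS_TOKEN} are not leaks and are not reported.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = TOKEN_RE.search(line)
        if m:
            tok = m.group(1)
            hits.append((n, tok[:4] + "..." + tok[-2:]))
    return hits


def sync_manifest(root):
    """List (relative_path, flagged) for every file a blanket sync of root
    would carry, flagging paths that look like memory, secrets or client data."""
    root = Path(root)
    manifest = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if EXCLUDED_DIRS.intersection(rel.parts):
            continue
        rel_s = rel.as_posix()
        flagged = any(frag in rel_s.lower() for frag in SENSITIVE_FRAGMENTS)
        manifest.append((rel_s, flagged))
    return sorted(manifest)


def is_pinned(spec):
    """True only for an exact npm spec such as clawsouls@1.4.2 or
    @scope/pkg@1.0.0; tags (latest) and ranges (^1.4.0) are not pinned."""
    return re.fullmatch(r"@?[\w./-]+@\d+\.\d+\.\d+", spec) is not None


# Constructed shell-history sample (the token value is made up).
HISTORY = [
    "export CLAWSOULS_TOKEN='cs_live_0123456789abcdef'",
    "clawsouls publish my-soul",
    "CLAWSOULS_TOKEN=${CLAWSOULS_TOKEN} clawsouls sync",
]


def demo():
    """Build a constructed workspace and run all three checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        (ws / "SOUL.md").write_text("# persona definition\n")  # assumed file name
        (ws / "memory").mkdir()                                # assumed layout
        (ws / "memory" / "2024-notes.md").write_text("client: Acme draft\n")
        (ws / ".env").write_text("CLAWSOULS_TOKEN=abcdef1234567890\n")
        (ws / ".git").mkdir()
        (ws / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        manifest = sync_manifest(ws)
        env_leaks = find_token_leaks((ws / ".env").read_text().splitlines())
    return {
        "manifest": manifest,
        "flagged": [rel for rel, flagged in manifest if flagged],
        "env_token_leaks": env_leaks,
        "history_token_leaks": find_token_leaks(HISTORY),
        "pinned": {s: is_pinned(s) for s in ("clawsouls", "clawsouls@latest", "clawsouls@1.4.2")},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the real workspace by pointing sync_manifest at the directory the CLI would read and find_token_leaks at `~/.bash_history` or the output of `git diff --cached`; anything flagged is a reason to stop and scope the command before running publish or sync. The manifest is deliberately conservative (it lists everything not under .git or node_modules) because the page does not state which files the CLI actually uploads, and that is exactly the question to answer before running it.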

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill metadata frames the capability as limited to persona install/switch/list/restore, but the body also includes publishing souls, token-based login, memory sync to GitHub, swarm, and platform detection. This scope mismatch can cause an agent or user to invoke the skill under false assumptions, enabling data-transfer or account-affecting actions that exceed the declared purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The memory sync and swarm features are materially different from persona management because they move agent memory across machines via encrypted Git/GitHub. In this context, hidden or under-justified data synchronization increases the risk of unintended exfiltration, replication of sensitive prompts/memory, and privacy violations if invoked by an agent acting on the user's broad request to manage personas.

Context-Inappropriate Capability

Severity: Low
Confidence: 84%
Finding
Platform detection across multiple agent platforms exceeds the narrow persona-management description and can reveal environment details not necessary for the requested task. While lower impact than sync, unnecessary environment discovery broadens the skill's operational scope and can aid later targeting or misuse.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README normalizes operations that change active personas, create automatic backups, and publish packages to a remote registry without clearly warning that these actions modify local agent state and may transmit local content or metadata externally. In an agent-driven workflow, a user may invoke these capabilities through natural language without realizing stateful changes or network publication will occur, increasing the risk of unintended configuration changes or data disclosure.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger phrases are broad enough that ordinary requests like 'change personality' or 'browse personas' may auto-activate a skill that can modify workspace files, authenticate, publish content, or sync memory. Overbroad activation criteria increase the chance of unintended execution of sensitive operations without the user's informed intent.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Although the file notes backups and restart requirements, it does not prominently warn that activating a soul overwrites key workspace persona files and changes the agent's behavior/identity. In a persona-management skill, that omission is especially important because users may not realize they are altering persistent configuration that affects future sessions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The memory sync section states that encrypted memory can be synced to/from GitHub but does not provide a clear privacy and data-transfer warning. Even with encryption, remote transfer of agent memory can expose sensitive content, metadata, repository destinations, and persistence risks that users would not expect from a persona-management skill.

VirusTotal

65/65 vendors flagged this skill as clean.
