Skill v0.6.3
ClawScan security
ClawSouls · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 9:59 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill’s purpose (managing AI persona packages) matches its instructions, but it relies on running an external npm CLI via npx (auto-fetching and executing remote code) and omits declaring required runtime binaries/credentials — these mismatches merit caution.
- Guidance: This skill appears to implement a persona manager and generally does what it says, but proceed cautiously. Key considerations:
  - The skill executes the external 'clawsouls' npm CLI using npx (npx --yes), which will download and run code from the npm registry on demand — review the upstream clawsouls package (https://github.com/clawsouls / https://www.npmjs.com/package/clawsouls) before allowing that.
  - The skill’s manifest does not declare required binaries (node/npm/npx) or credentials, but SKILL.md expects them; ensure you have Node tooling and understand which tokens (registry or LLM provider keys) you will need for publish/test flows.
  - clawsouls commands will read and write workspace files in your home directory (~/.openclaw or ~/.zeroclaw) and may back up or overwrite persona-related files. If you care about safety, inspect or run the CLI in a sandbox or review its source before use.
  - If you only need read-only listing or browsing, prefer inspecting the registry (clawsouls.ai / GitHub) rather than running npx installs. If you must run the CLI, consider installing it explicitly (npm install -g clawsouls) or auditing the package contents / checksum first.
  - If you plan to publish/login, do not provide tokens until you review the publishing/auth flow and repository trustworthiness.
Review Dimensions
- Purpose & Capability (note): The name/description (persona manager) align with the commands and files in SKILL.md (install, use, list, restore, validate souls). However the skill manifest declares no required binaries or config paths while the runtime instructions clearly require node/npm/npx and operate on workspace files (~/.openclaw or ~/.zeroclaw). The lack of declared runtime requirements is an inconsistency.
- Instruction Scope (note): SKILL.md instructs the agent to run the clawsouls CLI (via npx or npm install) which will read/write workspace identity files (SOUL.md, IDENTITY.md, AGENTS.md, etc.), create backups, and may restart a gateway. Those actions are coherent with a persona manager, but they do imply the skill will access the user's home/workspace files and may perform network calls (registry, publish, login). The instructions do not request or declare credentials but reference login/publish flows that will require auth when used.
- Install Mechanism (concern): There is no install spec in the registry entry, and the SKILL.md recommends running npx --yes clawsouls or npm install -g clawsouls. Using npx (--yes) will fetch and execute code from the npm registry at runtime — this is functional but increases risk because remote code is executed transiently. The package.json inside the skill also depends on an external 'clawsouls' npm package, suggesting a non-trivial external code dependency that the skill itself does not install or pin.
- Credentials (note): The skill declares no required environment variables or primary credential, which is fine for install/list/use flows. However several operations documented (publish, login, Level 3 tests that call LLM providers) will require credentials or tokens (registry auth, OpenAI/Anthropic/Ollama provider keys). Those are not declared in metadata; the absence of declared credential requirements is a transparency gap the user should be aware of.
- Persistence & Privilege (ok): always:false (normal). The skill does not request persistent/always-on presence and does not attempt to modify other skills or global agent settings in the files provided. The wrapper script simply delegates to the clawsouls CLI if present (or uses npx/node fallback).
