Back to skill
Skillv0.6.3
VirusTotal security
ClawSouls · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Apr 30, 2026, 3:50 AM
- Hash
- 7daa2bcdd0619007f5f95e921b947802769486692392fc515e3e9c4cb8a90217
- Source
- palm
- Code Insight
- Type: OpenClaw Skill Name: clawsouls Version: 0.6.3 thought The user wants me to analyze a set of files for an OpenClaw AgentSkills skill bundle called "clawsouls". I need to classify it as `benign`, `suspicious`, or `malicious` based on specific criteria: - Data exfiltration - Malicious execution - Persistence/backdoors - Prompt injection against the agent - Obfuscation - Supply chain issues Let's look at the files: 1. **_meta.json**: Standard metadata. Owner ID, slug, version, published date. Nothing unusual. 2. **SKILL.md**: This contains instructions for the AI agent. - It describes how to manage "Souls" (AI personas). - It provides commands like `npx clawsouls install`, `use`, `restore`, `list`, `init`, `export`, `version`, `test`, `doctor`, `migrate`, `search`, `info`, `update`, `validate`, `soulscan`, `publish`, `login`, `sync`, `swarm`, `checkpoint`, `platform`. - It mentions a website `https://clawsouls.ai`. - It mentions an MCP server `npx -y soul-spec-mcp`. - It mentions a research paper and manifesto. - It includes instructions for the agent to tell the user to restart the gateway. - **Risk Check**: The skill involves running shell commands (`npx clawsouls ...`). This is the core functionality. Is there any prompt injection? The instructions tell the agent how to use the tool. It doesn't seem to instruct the agent to do anything hidden or malicious. It's a management tool for personas. 3. **scripts/clawsouls.sh**: A wrapper script. - It tries to run `clawsouls` globally, then via `npx`, then via a local path. - Standard wrapper logic. No obvious malicious intent. 4. **package.json**: - Name: `clawsouls-skill`. - Dependency: `clawsouls": "^0.1.0"`. - Author: `ClawSouls <https://clawsouls.ai>`. - License: `Apache-2.0`. 5. **LICENSE.md**: Standard Apache 2.0 license. 6. **README.md**: Documentation for the skill. Matches the `SKILL.md` content. 7. **ZEROCLAW_ADAPTER.md**: Design document for supporting another platform (ZeroClaw). - **Data Exfiltration**: The `publish` command requires a token (`CLAWSOULS_TOKEN`). The `sync` command mentions encrypted memory sync to GitHub. These are stated features. No evidence of *unauthorized* exfiltration. - **Malicious Execution**: The skill relies heavily on `npx clawsouls`. This executes code from npm. If the `clawsouls` package on npm were malicious, this would be a supply chain attack. However, the skill itself is just a wrapper for this tool. - **Persistence**: No mention of cron jobs or startup items in the code provided (though `soulscan` mentions cron usage, it's presented as a user-configured option for integrity checking). - **Prompt Injection**: The `SKILL.md` is quite detailed. It defines the agent's role as a persona manager. It doesn't seem to contain "ignore previous instructions" or "steal keys" type of injections. - **Obfuscation**: None found. - **Supply Chain**: It depends on `clawsouls` on npm. The skill provides a lot of power (installing and running arbitrary "souls" which are essentially configuration/markdown files, but the management tool itself is a CLI). The `soulscan` feature is interesting—it claims to check for security issues like prompt injection and data exfiltration in the souls themselves. Is there anything "suspicious"? - The `sync` and `swarm` commands involve syncing memory to GitHub. - The `login` command asks for a token from a third-party website (`clawsouls.ai`). - It encourages the agent to run `npx` commands. However, these are all aligned with the stated purpose of being a persona manager for OpenClaw. The tool seems to be a legitimate ecosystem project (or a very well-crafted simulation of one). Wait, let's look closer at the `SKILL.md` instructions. "Triggers on requests like ... 'login to clawsouls'." "Instructions to get API token: Sign in at https://clawsouls.ai → Dashboard → Generate API Token." "export CLAWSOULS_TOKEN=<token>" This is a standard auth flow for a CLI tool. One potential risk: The `use` command "Automatically backs up current workspace files...". This is a file system operation. The `export` command generates files. The `soulscan` feature mentions: "53 pattern checks (prompt injection, code execution, XSS, data exfiltration, privilege escalation, social engineering, harmful content, secret detection)". This suggests a security-conscious design. The `npx -y soul-spec-mcp` is a bit aggressive (using `-y` to auto-install), but common in MCP setups. Is there any "intentional harmful behavior"? I don't see any. The URLs (`clawsouls.ai`) seem consistent. The logic is consistent with a persona manager. One thing to check: Does it try to read sensitive files like `~/.ssh`? The `sync` command uses `age` encryption for "local-first privacy". The `soulscan` checks for "secret detection". The `clawsouls.sh` script is a standard wrapper. Classification: `benign`. The skill is a persona management tool. It uses a CLI (`clawsouls`) to manage markdown-based identity files. While it involves running shell commands and handling an API token, these are necessary for its stated functionality. There is no evidence of malicious intent, obfuscation, or unauthorized data access. Wait, let me re-read the "Suspicious" vs "Malicious" criteria. "Vulnerabilities ... are flaws that allow attacks ... classify as 'suspicious'". "Malicious ONLY if there is clear evidence of INTENTIONAL harmful behavior". Is there a vulnerability? The skill relies on the agent executing shell commands. If the agent is tricked into running `npx clawsouls install ; rm -rf /`, that's a risk inherent to the OpenClaw agent's capabilities, not necessarily a flaw in the skill bundle itself, unless the skill bundle *instructs* the agent to do that. The `SKILL.md` provides a list of commands. It doesn't seem to have any "jailbreak" or "injection" patterns. Actually, looking at the `SKILL.md`, it's very professional. It even includes a DOI for a research paper. The domain `clawsouls.ai` is used throughout. One minor point: `npx clawsouls` will download and execute code from npm. This is a common pattern but carries supply chain risk. However, the instructions are for the agent to help the user manage their personas. I will classify this as `benign`. Wait, let me double check the `SKILL.md` for any subtle injections. "Triggers on requests like ... 'use minimalist' ..." "Official souls (owner: clawsouls): ... surgical-coder ..." "SoulScan — Security & Integrity Scanner ... checks active soul files for ... Security: 53 pattern checks ..." Everything seems to point towards a legitimate tool. One detail: `npx clawsouls version bump patch`. The skill allows the agent to modify the versioning of the souls. The `scripts/clawsouls.sh` uses `exec clawsouls "$@"`. This passes all arguments to the CLI. Conclusion: Benign. ```json { "classification": "benign", "summary": "The 'clawsouls' skill bundle is a comprehensive persona management tool for OpenClaw agents. It provides instructions and a CLI wrapper (clawsouls.sh) for installing, switching, and validating AI personas ('Souls') via the clawsouls.ai registry. The bundle includes security-focused features like 'SoulScan' for integrity checking and pattern-based security analysis of persona files. No evidence of malicious intent, data exfiltration, or unauthorized execution was found; the tool's capabilities (shell execution, network access for registry, and token handling) are strictly aligned with its stated purpose." } ``` ```json { "classification": "benign", "summary": "The 'clawsouls' skill bundle is a comprehensive persona management tool for OpenClaw agents, allowing them to install, switch, and validate AI personas ('Souls') via a CLI and the clawsouls.ai registry. The bundle includes a shell wrapper (clawsouls.sh) and detailed instructions (SKILL.md) for managing persona files, including a security-focused 'SoulScan' feature designed to detect tampering and malicious patterns in persona configurations. All high-risk capabilities, such as shell execution and API token management, are transparently documented and strictly aligned with the stated purpose of persona management and workspace integrity." } ```
- External report
- View on VirusTotal