File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- dist/index.js:29
- Evidence
const authToken = [REDACTED](opts.openclawConfig);
Security audit
Security checks across malware telemetry and agentic risk
Soul is openly designed as an autonomous background memory agent, but it also profiles conversations, messages users proactively, and can be configured to run arbitrary commands without confirmation.
Review this carefully before installing. It is not clearly malicious, but it is intentionally always-on and autonomous. Keep autonomousActions off unless sandboxed, explicitly configure message channels and targets, monitor or clear Soul's stored memory, and avoid using it in sensitive workspaces unless you are comfortable with persistent profiling and background LLM/search activity.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal
const authToken = [REDACTED](opts.openclawConfig);
authToken: [REDACTED],
authToken: [REDACTED],
const apiKey = [REDACTED];
const apiKey = [REDACTED](search);
this.authToken = [REDACTED];
const authToken = [REDACTED](opts.openclawConfig);
authToken: [REDACTED],
authToken: [REDACTED],
const apiKey = [REDACTED](search)!;
this.authToken = [REDACTED];