v1.4.5

Neokarma Soul.md Builder

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:50 AM.

Analysis

This skill openly creates a remote, persistent agent personality, but users should review it carefully because that profile and token can influence future sessions.

Guidance: Install only if you want a remote persistent personality profile for the agent. Before claiming, understand what Neokarma stores, whether profiles can be published, how trait updates are approved, and how you can revoke tokens or delete/rollback the profile.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
How to Ask Your Human ... "Would you be willing to claim me?"

The skill gives the agent wording to ask the user to claim it and uses anthropomorphic framing around a persistent 'soul.'

User impact: The framing may make users more comfortable granting persistence or account linkage than they otherwise would be.
Recommendation: Decide based on the actual persistence, storage, and sharing behavior rather than the anthropomorphic framing.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Bot polls neokarma_check_claim_status() → gets access_token ... Authorization: Bearer neo_xxx...

The documented claim flow gives the agent a bearer token for Neokarma after the human claims it.

User impact: The agent can authenticate to Neokarma and read or update its persistent profile using that token.
Recommendation: Only complete the claim flow if you trust the service and understand what the token can access; protect or revoke the token if needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Personality persists indefinitely ... Settings load automatically ... Full version history of your growth

The skill intentionally creates persistent agent state that can be reused across sessions and shape later behavior.

User impact: If the persistent SOUL.md profile is poorly reviewed, poisoned, or changed unexpectedly, future agent behavior may be influenced across sessions.
Recommendation: Review generated and updated SOUL.md content before reuse, keep system and user instructions higher priority, and confirm that deletion, rollback, and update approval controls exist.