Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Soul Petition Gate
v1.0.0
Gives your AI agent a formal channel to propose changes to its own soul files (SOUL.md, IDENTITY.md, or any protected workspace file) — without ever letting...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (agent petitions to change soul files) align with the code and instructions: a bootstrap hook to advertise the channel, a petitions JSON store, and a Flask blueprint that records, approves, rejects, and rolls back petitions for protected files. No unrelated binaries or credentials are requested.
Instruction Scope
SKILL.md instructs you to mount the Flask blueprint and create the petition store, and the code will modify SOUL.md/IDENTITY.md on approval. However, the blueprint exposes POST endpoints that perform approvals/rollbacks without any authentication or authorization checks and SKILL.md does not instruct how to lock them down (bind to localhost, require auth, or place behind a protected admin interface). This is a significant scope gap: the implementation grants the ability to modify protected files but provides no built-in control to ensure only an authorized human can call those routes.
Install Mechanism
There is no install spec (instruction-only with included code files). Nothing is downloaded from untrusted URLs and no installers run automatically. The only filesystem writes occur at runtime if you run the Flask blueprint or enable the hook.
Credentials
The skill declares no required credentials (which is appropriate), and configurable env variables exist for file paths. However, no environment or credential is requested for protecting the API endpoints (no API key, admin token, or auth hints). Also HOOK.md indicates 'node' in its require list while the registry metadata reported no required binaries — a minor inconsistency in declared requirements.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges; it writes backups and modifies protected files when approve is called, which is the intended behavior. The risk here arises from the unsecured endpoints rather than privileged installation flags.
What to consider before installing
This skill implements what it claims, but do not deploy it as-is on a public or untrusted server. Before installing or running:
(1) Ensure the Flask blueprint is only reachable by authorized humans — bind it to localhost or an internal network interface, or put it behind an authenticated admin UI or reverse proxy (OAuth, basic auth over TLS, mTLS, or an API key).
(2) Add authentication/authorization checks to the approve/reject/rollback routes (require a reviewer identity, validate tokens, log remote IPs).
(3) Consider adding CSRF protections and rate-limiting.
(4) Review and test backups and rollback behavior in a safe sandbox to ensure edits are atomic and recoverable.
(5) Note the small metadata mismatch: HOOK.md declares node in requirements but the registry metadata lists no required binaries — confirm your environment can run the hook if you enable it.
If you cannot secure the endpoints or do not trust the hosting environment, do not run the blueprint; instead run an offline/manual review process where approvals are executed locally by a human operator.
Like a lobster shell, security has layers — review code before you run it.
