Soul Petition Gate

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support a legitimate review workflow for protected identity files, but its backend routes grant read and rollback authority that is not scoped to the files the skill claims to protect or to authenticated users; review this before installing.

Install only if you are comfortable with a local backend that can read, store, and roll back sensitive soul/identity files. Before use, require authentication on the petition routes, limit rollback targets to an explicit protected-file allowlist, and avoid exposing the service beyond a trusted local environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'backup_path' from os.environ.get (line 231, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
    if target.exists():
        shutil.copy2(target, pre_rollback_backup)

    shutil.copy2(backup_path, target)

    return jsonify({"ok": True, "restored": target_name, "pre_rollback_backup": pre_rollback_backup.name})
Confidence
95% confidence
Finding
shutil.copy2(backup_path, target)

Tainted flow: 'target' from os.environ.get (line 238, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H-%M-%S")
    pre_rollback_backup = BACKUP_DIR / f"{target_name}.pre_rollback_{ts}.bak"
    if target.exists():
        shutil.copy2(target, pre_rollback_backup)

    shutil.copy2(backup_path, target)
Confidence
93% confidence
Finding
shutil.copy2(target, pre_rollback_backup)

Underdeclared Capability

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes file read/write, hook installation, and backend API mounting, but it does not declare the permissions/capabilities this requires. Undeclared capabilities are dangerous because operators may trust the skill's surface description without realizing it can read/write workspace files and persist state, increasing the chance of overbroad deployment or accidental exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The rollback route derives the restore target from the backup filename rather than from a trusted allowlist or stored metadata. That means backups named like other workspace files can cause overwrite of files beyond SOUL.md and IDENTITY.md, directly violating the skill's promise that the agent cannot self-edit arbitrary protected workspace content.
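The rollback path flagged in the two tainted-flow findings above and in this mismatch finding, as an added example that is not the scanned skill's code: a handler that derives its restore target from the backup filename, beside a hardened handler that takes the target from sidecar metadata written at backup time, checks it against an explicit allowlist, and confines both paths to their directories. The backup naming scheme, the sidecar format and the file names are assumptions for illustration; the path-confinement check goes beyond the finding's specific case.

```python
"""Added example: unsafe filename-derived rollback vs. allowlisted rollback.
Not the skill's code; naming scheme and metadata format are assumed."""
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed: the only files the skill is allowed to roll back.
PROTECTED_FILES = frozenset({"SOUL.md", "IDENTITY.md"})


def rollback_unsafe(workspace: Path, backup_dir: Path, backup_name: str) -> Path:
    """Mirrors the flagged pattern: the target is whatever the backup's name says.
    Assumed scheme '<target>.<timestamp>.bak', so 'AGENTS.md.<ts>.bak' clobbers AGENTS.md."""
    backup_path = backup_dir / backup_name
    target_name = backup_name.rsplit(".", 2)[0]
    target = workspace / target_name
    shutil.copy2(backup_path, target)
    return target


def write_backup(workspace: Path, backup_dir: Path, target_name: str) -> Path:
    """Server-side backup: records the target in a sidecar instead of in the name."""
    if target_name not in PROTECTED_FILES:
        raise PermissionError(f"{target_name!r} is not a protected file")
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H-%M-%S")
    backup_path = backup_dir / f"{target_name}.{ts}.bak"
    shutil.copy2(workspace / target_name, backup_path)
    backup_path.with_name(backup_path.name + ".json").write_text(json.dumps({"target": target_name}))
    return backup_path


def rollback_safe(workspace: Path, backup_dir: Path, backup_name: str) -> Path:
    """Hardened: backup must live in backup_dir, target comes from the sidecar,
    must be allowlisted, and must resolve inside the workspace.  Even a forged
    sidecar cannot name a file outside PROTECTED_FILES."""
    backup_path = (backup_dir / backup_name).resolve()
    if backup_path.parent != backup_dir.resolve() or not backup_path.is_file():
        raise PermissionError("backup outside backup_dir or missing")
    meta = json.loads(backup_path.with_name(backup_path.name + ".json").read_text())
    target_name = meta["target"]
    if target_name not in PROTECTED_FILES:
        raise PermissionError(f"{target_name!r} is not a protected file")
    target = (workspace / target_name).resolve()
    if target.parent != workspace.resolve():
        raise PermissionError("target escaped workspace")
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H-%M-%S")
    if target.exists():
        shutil.copy2(target, backup_dir / f"{target_name}.pre_rollback_{ts}.bak")
    shutil.copy2(backup_path, target)
    return target


def demo() -> dict:
    """Constructed workspace: a rogue backup named after AGENTS.md."""
    root = Path(tempfile.mkdtemp())
    ws, bdir = root / "ws", root / "backups"
    ws.mkdir()
    bdir.mkdir()
    (ws / "SOUL.md").write_text("soul v2")
    (ws / "AGENTS.md").write_text("agents original")
    rogue = bdir / "AGENTS.md.2024-01-01T00-00-00.bak"
    rogue.write_text("attacker agents")
    rogue.with_name(rogue.name + ".json").write_text(json.dumps({"target": "AGENTS.md"}))
    out = {}
    out["unsafe_target"] = rollback_unsafe(ws, bdir, rogue.name).name
    out["agents_after_unsafe"] = (ws / "AGENTS.md").read_text()
    (ws / "AGENTS.md").write_text("agents original")
    for key, name in (("rogue_refused", rogue.name), ("traversal_refused", "../ws/SOUL.md")):
        try:
            rollback_safe(ws, bdir, name)
            out[key] = False
        except PermissionError:
            out[key] = True
    out["agents_after_safe"] = (ws / "AGENTS.md").read_text()
    good = write_backup(ws, bdir, "SOUL.md")
    (ws / "SOUL.md").write_text("soul v3 (agent self-edit)")
    rollback_safe(ws, bdir, good.name)
    out["soul_after_safe"] = (ws / "SOUL.md").read_text()
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    print(demo())
```

The allowlist is the control that matters: the sidecar only tells the server which protected file a backup belongs to, and a forged sidecar still cannot steer the copy outside `PROTECTED_FILES` or outside the workspace directory.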

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The GET endpoints expose all petition contents, including before/after text and rationale, with no authentication or authorization checks. Since petitions may contain sensitive identity, policy, or workspace text, this creates an information disclosure path that exceeds the narrow review workflow described by the skill.

VirusTotal

66/66 vendors flagged this skill as clean.
