RMN Soul

Security checks across malware telemetry and agentic risk

Overview

This skill matches its advertised memory-and-blockchain purpose, but it handles private agent memory, wallet signing, IPFS publication, and shell commands in ways that need careful review before use.

Install only if you intentionally want this agent's memory files archived into rmn-soul-data and potentially published through IPFS and on-chain metadata. Review and redact memory, identity, and issue files first, avoid funded private keys until shell execution is fixed, and prefer local-only or manual anchoring unless the permanence and public-retrieval risks are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Context-Inappropriate Capability

Medium, 95% confidence
The script writes a manifest containing the full exported memory graph and uploads both the raw memory database and manifest to IPFS or local storage. Given the stated anchoring purpose, only hashes or minimal proofs appear necessary; exposing full memory contents can leak sensitive agent data, internal topology, or user-derived information to external systems and durable storage.

Missing User Warnings

High, 97% confidence
The README explicitly says the skill will transform MEMORY.md and log files, upload memory data to IPFS, and perform periodic on-chain updates, but it provides no clear privacy warning, consent flow, or data-minimization guidance. In this skill’s context, agent memory and logs can contain prompts, secrets, user data, or operational history, so silently encouraging archival to decentralized/publicly retrievable systems creates a serious confidentiality risk.

Missing User Warnings

High, 97% confidence
The skill explicitly states that agent memory will be uploaded to IPFS and anchored on-chain, but it does not provide a prominent user-facing warning about the privacy, consent, and permanence implications of doing so. Because memory files may contain sensitive prompts, credentials, personal data, or internal context, sending them to decentralized and effectively irreversible storage creates a serious data exposure risk.

Missing User Warnings

Medium, 93% confidence
The skill instructs the agent to execute setup automatically on first load, including scanning workspace memory files and writing new artifacts into the workspace, without an explicit confirmation step. Automatic activation increases the chance of unintended collection and persistence of sensitive data, especially when users may not realize installation triggers side effects.

Missing User Warnings

High, 98% confidence
The script automatically uploads memory data to IPFS without an explicit warning, consent step, or preview of what data will leave the host. Because IPFS publication can be broadly replicated and difficult to retract, accidental transmission of sensitive memory content creates significant confidentiality and privacy risk.

Missing User Warnings

Medium, 91% confidence
The script signs and sends blockchain transactions using a sponsor private key supplied via CLI, config, or environment without a strong interactive warning or safer key-management flow. This is dangerous because mistakes, compromised configuration, or unintended execution can spend funds, create irreversible on-chain state changes, and expose secrets through process arguments or logs.

Missing User Warnings

Medium, 88% confidence
The script writes restored memory and configuration into a fixed workspace path without prompting, backup, or overwrite checks. In an agent environment, this can silently replace existing local state with remote-sourced content, causing data loss, state poisoning, or unintended reconfiguration if the operator runs it against the wrong agent or untrusted data source.

Missing User Warnings

Medium, 90% confidence
The script automatically reads potentially sensitive files such as SOUL.md, USER.md, IDENTITY.md, MEMORY.md, memory/*.md, and .issues/open-* and consolidates their contents into a persistent local database. In an agent-skill context, these files may contain personal data, secrets, or operational context, and the migration occurs without explicit consent, preview, filtering, or warning, increasing the risk of unintended collection and long-term retention of sensitive information.

Missing User Warnings

Medium, 89% confidence
The script creates a persistent data directory and writes memory.json and config.json into the workspace without an explicit warning or confirmation. In a setup script for an agent skill, silent filesystem modification is risky because it can unexpectedly alter a user's project state, retain sensitive migrated content, and persist environment-derived values such as RMN_SPONSOR_KEY into a config file.

Ssd 3

High, 98% confidence
The README describes archiving the agent’s memory data to IPFS and binding it to an on-chain identity for later recovery, which semantically promotes externalizing potentially sensitive interaction history. Because IPFS content is broadly replicable and blockchain references are durable, this can expose confidential prompts, user content, credentials, or internal state in a way that is difficult or impossible to retract.

Ssd 3

High, 99% confidence
The architecture section states that MEMORY.md, memory files, issue data, and even raw inputs feed into a stored memory artifact that is then linked via IPFS. This is effectively a plain-language instruction to package and publish broad agent data, including the most sensitive categories, creating a direct data leakage path with long-lived external discoverability.

Ssd 3

Medium, 92% confidence
The resurrection workflow instructs operators to retrieve complete memory data from chain-linked IPFS storage and ingest it into a new instance, reinforcing reuse of historical data that may include sensitive or unsafe content. While this is framed as disaster recovery, it normalizes persistent external storage and replay of confidential state without discussing sanitization, provenance risk, or consent boundaries.

Ssd 3

High, 99% confidence
This skill creates a direct data exfiltration path by collecting agent memory and uploading it to IPFS while also anchoring related identifiers on-chain. In context, the targeted data source is memory and workspace state, which are likely to contain highly sensitive information; decentralized storage makes accidental disclosure especially severe because deletion and revocation are difficult or impossible.

Ssd 3

High, 98% confidence
The setup flow instructs the agent to scan broad workspace locations such as MEMORY.md, memory/*.md, and .issues/*, then persist the aggregated results into artifacts that are later used for external upload and on-chain registration. This broad collection scope materially increases the risk of capturing confidential operational data, incident notes, or user content beyond what is necessary.

VirusTotal

64/64 vendors flagged this skill as clean.