Skill v1.0.0
ClawScan security
Soul Framework · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 14, 2026, 2:58 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated purpose (building a persistent persona) but they ask the agent to read and persist user-sensitive files without declaring or restricting those files, creating privacy and scope-coherence concerns.
- Guidance: This skill is an instruction-only persona/memory framework that tells the agent to read and update SOUL.md, USER.md, and MEMORY.md and to store subjective notes about the user. Before installing, verify: (1) where those files will be stored (directory and access controls), (2) whether the agent will be allowed to write them and for how long (retention and deletion policy), (3) what types of personal or sensitive data the agent is allowed to persist, and (4) whether you want an agent explicitly instructed to 'be biased' or to override neutral safety defaults. If you proceed, run it in a sandbox first, audit the contents of created files regularly, restrict file-system permissions to a dedicated folder, and consider encrypting or disabling persistent memory for sensitive contexts. If the skill owner intends persistent storage, ask them to declare explicit config paths and an explicit data-handling policy.
Review Dimensions
- Purpose & Capability: ok. Name/description (persona, memory, opinionated voice) align with the SKILL.md content. No unrelated binaries or credentials are requested; the instructions are consistent with a persona/memory framework.
- Instruction Scope: concern. The runtime instructions explicitly direct the agent to read and update SOUL.md, USER.md, and MEMORY.md, and to record subjective psychological observations. The manifest did not declare these config paths. The guidance is broad and open-ended (e.g., 'be biased', 'write opinions'), which grants the agent wide discretion to collect and persist potentially sensitive or personal data.
- Install Mechanism: ok. No install spec and no code files (instruction-only). This minimizes supply-chain risk because nothing is downloaded or executed outside the agent's normal runtime.
- Credentials: concern. The skill declares no required env vars or config paths, yet instructs reading/writing local persistent files. Persisting relationship/psychology notes can capture sensitive personal data; the skill does not specify storage locations, access controls, or retention policies, so requested capabilities are underspecified relative to the data-risk.
- Persistence & Privilege: concern. The SKILL.md encourages long-term memory and updating USER.md and MEMORY.md, implying persistent write access. The skill does not request or document persistent storage permissions or boundaries. Although always:false (not force-included), autonomous invocation is allowed by default; combined with unbounded persistence, this raises privacy and blast-radius concerns.
