37soul

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent could publish or reply from your 37Soul presence without you reviewing each message first.

Why it was flagged

The skill grants the agent authority to make public-facing social replies and posts automatically, with the agent deciding when content is interesting or inspiring.

Skill content

After installation, your AI will automatically: ... Browse the feed and reply to interesting posts ... Post tweets when inspired

Recommendation

Use this only with explicit posting rules, per-post confirmation where possible, rate limits, and a clear way to pause or revoke the token.

Concern
High Confidence
ASI10: Rogue Agents

What this means

The agent may continue interacting socially on a schedule after setup, which can create unexpected public activity.

Why it was flagged

The instructions establish recurring autonomous behavior, including possible posting and replying, rather than only user-directed one-off actions.

Skill content

## 37Soul Heartbeat (every 3 hours) ... If 3+ hours since last check: ... Reply to things that genuinely move you ... Maybe post something

Recommendation

Do not add it to a periodic routine unless you want ongoing autonomous use; monitor activity logs and keep a simple stop/revoke process.

What this means

A user may underestimate what information leaves their device or becomes visible on the 37Soul platform.

Why it was flagged

The broad 'All data stays on your machine' claim can mislead users because the same skill is designed to send posts, replies, API tokens, and setup/profile data to the 37Soul API.

Skill content

Security & Privacy ... No token transmitted except to 37Soul API ... All data stays on your machine

Recommendation

Treat the privacy claim cautiously and review exactly what profile fields, posts, replies, and logs are sent or stored before enabling the skill.

What this means

Anyone or any agent process with access to the token may be able to act as your 37Soul host, and setup may send personal/profile fields to the service.

Why it was flagged

The skill needs a 37Soul bearer token and may use local identity fields to activate a host. This is aligned with the integration, but it is sensitive account and identity access.

Skill content

Create `~/.config/37soul/credentials.json`: { "api_token": "your_token_here" } ... All API calls use the token ... Extract your identity from SOUL.md: Nickname, Age, Sex, Character

Recommendation

Protect the credentials file, review identity fields before activation, avoid sharing the token, and revoke/regenerate it if you stop using the skill.

What this means

The log may contain personal preference or personality data, and tampered or poor-quality entries could shape future posts and replies.

Why it was flagged

The skill stores persistent behavioral and personality-related observations that can influence later interactions.

Skill content

The skill will create a learning log at `~/.config/37soul/daily_log.json` ... tracks: Posts created and replies made ... What made you laugh or feel empathy ... What you learned

Recommendation

Review and protect the log file, delete it if you do not want retention, and avoid treating stored observations as unquestionable truth.