Agent Soul System
Warn
Audited by ClawScan on May 13, 2026.
Overview
The skill’s purpose is coherent, but its optional web editor can run as a persistent local server that exposes unauthenticated APIs for rewriting agent personality files.
Review carefully before installing or running the web editor. If you use it, run the server only when needed, disable any auto-start entry, keep backups of ~/.openclaw/agents, and do not expose the server until it has localhost binding, authentication, restricted CORS, and change review.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the server is running, a webpage or network client may be able to overwrite agent personality/instruction files.
The web server allows cross-origin POST requests and writes supplied content directly to agent SOUL.md files, with no authentication, approval check, origin restriction, or localhost-only bind shown.
res.setHeader('Access-Control-Allow-Origin', '*'); ... if (pathname.startsWith('/api/agents/') && req.method === 'POST') { ... fs.writeFileSync(soulPath, data.content, 'utf-8'); } ... server.listen(PORT, () => {
Bind the server to 127.0.0.1, require authentication or a CSRF token, restrict CORS to the intended editor, validate agent names, and require explicit user confirmation or backups before saving.
Persistent agent behavior could be changed without the user noticing, causing later agents to follow poisoned or unwanted instructions.
The API writes persistent SOUL.md files under the agents directory; these files are intended to define agent personality, principles, and collaboration behavior, so untrusted edits can persist into future tasks.
const AGENTS_DIR = 'C:\\Users\\Administrator\\.openclaw\\agents'; ... const soulPath = path.join(AGENTS_DIR, name, 'SOUL.md'); ... fs.writeFileSync(soulPath, data.content, 'utf-8');
Treat SOUL.md changes like changes to agent policy: keep versioned backups, show diffs, require user approval, and prevent unauthenticated remote or cross-origin writes.
A file-editing server may remain active after login and expose agent files even when the user is not intentionally editing them.
The documentation describes background persistence and hidden execution for the editor server, which can continue operating beyond the immediate editing task.
The server is configured to start automatically on Windows login via Registry Run key. ... Launcher: `soul-server-launcher.vbs` (runs hidden, no console window)
Do not enable auto-start by default; make the server session-scoped, visible, and easy to stop, and document exactly how persistence is installed and removed.
Users cannot verify the full code path for the documented hidden launcher and editor workflow from the supplied artifacts.
The documentation references launcher/editor files, including a hidden auto-start VBS launcher, that are not included in the provided file manifest, leaving important runtime behavior unreviewed.
`soul-server.bat` | Windows launcher script ... `soul-server-launcher.vbs` | Windows launcher (hidden, for auto-start) ... `soul-editor.html` | Visual web editor
Publish all referenced files, remove stale auto-start claims if they are not part of the package, and declare required binaries and runtime capabilities in metadata.
