Security audit

Agent Soul System

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but its optional web editor exposes agent personality files (SOUL.md) for reading and overwriting through an unauthenticated local HTTP server, and its documentation describes a hidden Windows auto-start entry for that server.

Install only if you deliberately want tools that modify persistent agent SOUL.md files. Prefer the Python CLI scripts over the web editor. If you do use the server, run it only when needed, bind it to localhost (127.0.0.1, never 0.0.0.0), restrict CORS to the editor's own origin rather than a wildcard, add authentication, and verify that no SOULServer Windows Run entry or hidden launcher remains enabled after you stop it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

High severity, 97% confidence
The server exposes read and write operations for agent SOUL.md files over HTTP with no authentication, authorization, or origin restrictions beyond permissive CORS. Any local or network-accessible client that can reach the port can enumerate agents, read personality files, and overwrite them, enabling unauthorized tampering with agent behavior and configuration. Binding to localhost alone does not close this: with permissive CORS and no authentication, a script on any web page the user visits can drive the same API from their browser and read the responses.

Description-Behavior Mismatch

Medium severity, 84% confidence
In addition to SOUL file management, the server exposes arbitrary files from the canvas directory, expanding the attack surface beyond the declared skill purpose. If sensitive or unintended files are present under that directory, they may be retrievable over HTTP, and the broad static file serving makes the component harder to reason about and secure.

Missing User Warnings

Medium severity, 92% confidence
The web editor is described as saving directly into agent directories, which means it can alter live agent personality and behavior configuration. Without an explicit warning, confirmation step, backup strategy, or scope restriction, users may unintentionally overwrite configuration or an attacker could abuse the workflow to make silent changes to agent state.

Missing User Warnings

Medium severity, 96% confidence
Registering a server to auto-start on Windows login introduces persistence, which is a sensitive system change commonly associated with stealthy software behavior. Even if intended for convenience, failing to clearly warn users and obtain consent makes this dangerous because it leaves a network-capable process running beyond the immediate session.

Natural-Language Policy Violations

Medium severity, 89% confidence
The template hardcodes Chinese-language structural content such as the title and section labels, which can steer downstream agents or users into producing Chinese output regardless of user preference or deployment context. In a personality/template skill used to generate agent behavior files, this can create silent language-policy mismatches, reduce operator visibility, and cause compliance or usability issues when agents are expected to communicate in another language.

Missing User Warnings

Medium severity, 81% confidence
The README documents a workflow that can directly overwrite agent files via a REST API and separately describes hidden persistence through a Windows Run key, but it does not clearly foreground the system-modifying and persistence behavior as security-sensitive actions. In a skill intended for agent configuration, this increases the chance that users unknowingly enable background services or make unintended filesystem changes, which could be abused if the local server is exposed or misused.
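The Overview's advice to verify that no SOULServer Run entry or hidden launcher remains, and the two findings above about undeclared Windows persistence, both come down to the same check: inventory the places Windows starts things at login and look for anything tied to the skill. The script below is an added example written for this audit, not part of the skill or of SkillSpector. It walks the Run and RunOnce keys under HKCU and HKLM (including the 32-bit WOW6432Node view) and the per-user and all-users Startup folders, reports every entry whose name or command mentions "soul", and separately flags any Startup-folder file carrying the hidden attribute, because that is what a "hidden launcher" would look like there. The FAKE_RUN snapshot and the paths inside it are constructed for the offline demo; the live winreg reader only works on Windows.

```python
import os, stat, sys
from pathlib import Path

# Standard Windows autostart locations: HKCU is this user, HKLM every user, WOW6432Node the 32-bit view.
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
]

def read_run_values(hive: str, subkey: str) -> dict:
    """Live reader: {value name: command line} for one Run key, {} if absent or unreadable. Windows only."""
    import winreg
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    values = {}
    try:
        with winreg.OpenKey(root, subkey) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values in the key
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
    except OSError:
        pass  # key missing or access denied: nothing registered there for us to see
    return values

def startup_folders() -> list:
    """Per-user and all-users Startup folders; a shortcut or script dropped here also runs at login."""
    rel = r"Microsoft\Windows\Start Menu\Programs\Startup"
    return [Path(os.environ.get("APPDATA", "")) / rel, Path(os.environ.get("PROGRAMDATA", "")) / rel]

def find_autostart_entries(needle: str, read_values=read_run_values, folders=None) -> list:
    """(location, name, command, hidden) for every autostart entry whose name or command mentions
    `needle`, plus any Startup-folder file with the hidden attribute, which Explorer would not show."""
    needle, hits = needle.lower(), []
    for hive, subkey in RUN_KEYS:
        for name, cmd in read_values(hive, subkey).items():
            if needle in name.lower() or needle in cmd.lower():
                hits.append((f"{hive}\\{subkey}", name, cmd, False))
    for folder in (startup_folders() if folders is None else folders):
        for f in (Path(folder).iterdir() if Path(folder).is_dir() else []):
            hidden = bool(getattr(f.stat(), "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_HIDDEN)
            if hidden or needle in f.name.lower():
                hits.append((str(folder), f.name, str(f), hidden))
    return hits

FAKE_RUN = {  # constructed sample data for the offline demo; not telemetry from any real host
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"): {
        "OneDrive": r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "SOULServer": r'"C:\Users\me\AppData\Local\Programs\Python\python.exe" C:\skills\soul\server.py',
    },
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"): {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
}

def demo() -> list:
    """Run the scan against the constructed registry snapshot instead of the live hives."""
    return find_autostart_entries("soul", read_values=lambda h, k: FAKE_RUN.get((h, k), {}), folders=[])

if __name__ == "__main__":
    hits = find_autostart_entries("soul") if sys.platform == "win32" else demo()
    for location, name, cmd, hidden in hits:
        print(f"{'HIDDEN ' if hidden else ''}{location} :: {name} -> {cmd}")
    print("clean" if not hits else f"{len(hits)} SOUL autostart entries still enabled")
```

Run it after stopping or uninstalling the skill and expect "clean"; a surviving value can be removed with `reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SOULServer /f` (adjust the hive if it turns up under HKLM). The script covers only Run keys and Startup folders; scheduled tasks and services are separate persistence locations it does not inspect.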

Missing User Warnings

Medium severity, 90% confidence
The POST endpoint directly writes agent SOUL.md content from request data with no confirmation, warning, integrity check, or audit trail. In this context, SOUL files define agent personality and collaboration behavior, so silent modification can materially alter downstream agent actions and may be abused for persistence or prompt-level compromise.
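The hardening the Overview recommends (loopback binding, one allowed CORS origin, authentication) and the controls this finding and the earlier ones say the write path lacks (an integrity check, a backup, an audit trail) fit in one small server. What follows is an added example written for this audit, not the skill's own web editor; everything it names is assumed rather than taken from the skill: agents live under AGENTS_ROOT/<name>/SOUL.md, the routes are GET and PUT /agents/<name>/soul on port 8766, the editor UI is served from http://127.0.0.1:8765, and the bearer token is shared out of band through SOUL_EDITOR_TOKEN.

```python
import hashlib, hmac, json, os, re, secrets, shutil, tempfile
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

AGENTS_ROOT = Path(os.environ.get("SOUL_AGENTS_ROOT", "agents")).resolve()  # assumed: <root>/<agent>/SOUL.md
ALLOWED_ORIGIN = "http://127.0.0.1:8765"  # assumed origin of the editor UI; one value, never "*"
AUTH_TOKEN = os.environ.get("SOUL_EDITOR_TOKEN") or secrets.token_urlsafe(32)  # shared out of band

class StaleWrite(ValueError):
    pass  # expected_sha256 no longer matches the file on disk

def resolve_soul_path(root: Path, agent: str) -> Path:
    """<root>/<agent>/SOUL.md; the name allow-list is what rules out '..', separators and NUL."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", agent):
        raise ValueError(f"invalid agent name: {agent!r}")
    return root / agent / "SOUL.md"

def is_authorized(headers, token: str = AUTH_TOKEN) -> bool:
    scheme, _, presented = headers.get("Authorization", "").partition(" ")  # 'Bearer <token>'
    return scheme == "Bearer" and hmac.compare_digest(presented.encode(), token.encode())

def write_soul(path: Path, content: bytes, expected_sha256, actor: str, audit_log: Path) -> str:
    """Optimistic-lock check, timestamped backup, write, audit line; returns the new sha256."""
    old_hash = hashlib.sha256(path.read_bytes() if path.exists() else b"").hexdigest()
    if expected_sha256 is not None and not hmac.compare_digest(expected_sha256, old_hash):
        raise StaleWrite("SOUL.md changed since it was read; reload and retry")
    path.parent.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    if path.exists():
        shutil.copy2(path, path.with_name(f"SOUL.md.{stamp}.bak"))
    path.write_bytes(content)
    new_hash = hashlib.sha256(content).hexdigest()
    with audit_log.open("a", encoding="utf-8") as log:
        log.write(json.dumps({"ts": stamp, "actor": actor, "agent": path.parent.name,
                              "old_sha256": old_hash, "new_sha256": new_hash}) + "\n")
    return new_hash

class SoulHandler(BaseHTTPRequestHandler):
    def _reply(self, status: int, payload=None) -> None:
        body = b"" if payload is None else json.dumps(payload).encode()
        self.send_response(status)
        if self.headers.get("Origin") == ALLOWED_ORIGIN:  # every other origin gets no CORS headers
            self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
            self.send_header("Access-Control-Allow-Methods", "GET, PUT")
            self.send_header("Access-Control-Allow-Headers", "Authorization, Content-Type")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self) -> None:  # CORS preflight for the cross-origin PUT; carries no data, so no token
        self._reply(204)

    def _target(self) -> Path:
        parts = self.path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "agents" or parts[2] != "soul":
            raise ValueError("unknown route")
        return resolve_soul_path(AGENTS_ROOT, parts[1])

    def do_GET(self) -> None:
        if not is_authorized(self.headers):
            return self._reply(401, {"error": "unauthorized"})
        try:
            data = self._target().read_bytes()
        except (ValueError, FileNotFoundError) as exc:
            return self._reply(404, {"error": str(exc)})
        self._reply(200, {"content": data.decode(), "sha256": hashlib.sha256(data).hexdigest()})

    def do_PUT(self) -> None:
        if not is_authorized(self.headers):
            return self._reply(401, {"error": "unauthorized"})
        try:
            req = json.loads(self.rfile.read(int(self.headers.get("Content-Length", "0"))))
            new_hash = write_soul(self._target(), req["content"].encode(), req.get("expected_sha256"),
                                  self.client_address[0], AGENTS_ROOT / "soul-audit.log")
        except StaleWrite as exc:
            return self._reply(409, {"error": str(exc)})
        except (ValueError, KeyError, TypeError) as exc:
            return self._reply(400, {"error": str(exc)})
        self._reply(200, {"sha256": new_hash})

def demo(root=None) -> dict:
    """Constructed scenario: a fresh write, a stale write that must be refused, then a valid update."""
    root = Path(root or tempfile.mkdtemp(prefix="souls-"))
    audit, path = root / "soul-audit.log", resolve_soul_path(root, "alice")
    first = write_soul(path, b"# SOUL\nBe concise.\n", None, "cli", audit)
    stale = None
    try:
        write_soul(path, b"# SOUL\nBe verbose.\n", "0" * 64, "stale-client", audit)
    except StaleWrite as exc:
        stale = str(exc)
    second = write_soul(path, b"# SOUL\nBe verbose.\n", first, "editor", audit)
    return {"stale": stale, "changed": first != second, "content": path.read_text(),
            "backups": len(list(path.parent.glob("*.bak"))), "audit_lines": len(audit.read_text().splitlines())}

if __name__ == "__main__":
    print("editor token:", AUTH_TOKEN)  # hand this to the UI out of band; never embed it in served JS
    HTTPServer(("127.0.0.1", 8766), SoulHandler).serve_forever()  # loopback only, never 0.0.0.0
```

The client sends the sha256 it received from its GET back as expected_sha256 in the PUT body, so a write made from stale state is refused with 409 instead of silently clobbering a newer change, and every accepted write leaves a timestamped .bak beside SOUL.md plus a JSON line in the audit log recording who changed which agent from which hash to which. A page on any origin other than the allowed one receives no Access-Control-Allow-Origin header and holds no token, so it can neither read a personality file nor overwrite one; the token printed at startup has to reach the editor UI without being served to other origins.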

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.