AIEOS (AI Entity Object Specification)
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: aieos Version: 1.0.0 The OpenClaw AgentSkills bundle for AIEOS is classified as benign. The `SKILL.md` provides clear, non-malicious instructions for managing AI persona data. The core script, `scripts/aieos_tool.py`, performs file operations (reading/writing to `OPENCLAW_WORKSPACE/aieos/entity.json`, `IDENTITY.md`, `SOUL.md`) and network operations (`urllib.request.urlopen`) solely for loading schemas from specified URLs or local files. There is no evidence of data exfiltration, malicious execution (e.g., `eval`, `subprocess`), persistence mechanisms, prompt injection attempts against the agent, or obfuscation. All actions are directly aligned with the stated purpose of standardizing and managing AI identity.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A schema you apply may become part of the agent’s long-term persona and could steer future responses.
The skill deliberately stores persona data in persistent agent-accessible files, which is central to its purpose but means an imported schema can affect future identity, style, and behavior.
stores the *entire, detailed AIEOS JSON blueprint* in `$OPENCLAW_WORKSPACE/aieos/entity.json` ... constantly accessible to the agent
Only apply schemas from trusted sources, inspect the dry-run output first, and keep a backup of existing identity files before using `--apply`.
If you apply an untrusted or incorrect schema, it may overwrite or substantially change the agent’s persona files.
The tool can load a user-specified local file or URL and commit changes to the agent’s identity files. This is disclosed and purpose-aligned, but the source should be reviewed carefully.
`python3 scripts/aieos_tool.py apply --source <url_or_path> --apply`
Run without `--apply` first, review proposed changes, and avoid applying schemas from unknown URLs.
You have less external context for who maintains the skill or where its code originates.
The registry metadata does not provide an external source repository or homepage for provenance verification.
Source: unknown; Homepage: none
Review the included files before use and prefer schemas and future updates from verifiable sources.