Soul Undead

Security checks across malware telemetry and agentic risk

Overview

This is a coherent GitHub backup and restore skill, but it can upload and overwrite sensitive OpenClaw identity and memory files with limited runtime confirmation.

Install only if you intentionally want these exact OpenClaw core files backed up to GitHub and restored from GitHub. Before running it, verify the active gh account, confirm the destination repo is the intended private soul-undead repo, review the files for secrets, and keep or delete local-backups snapshots according to their sensitivity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs file reads and writes, local backup creation, state-file updates, and overwrite-based restore behavior, yet no explicit permissions are declared. That mismatch weakens reviewability and consent boundaries because consumers may not realize the skill can modify workspace files and persist state before execution.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation says the skill only manages a fixed core file set, but later states it also creates or maintains README.md and restore.sh in the repository. This scope inconsistency is dangerous because users may approve the skill under a narrower trust assumption than the actual write behavior.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill presents contradictory statements about what files it manages, creating ambiguity about repository-side modifications. Ambiguous scope is a security issue because hidden or unexpected file creation can bypass user expectations and complicate auditing of what data is being written remotely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents a restore flow that overwrites local workspace files and only mentions a backup snapshot, without clearly emphasizing the risk of destructive replacement or requiring explicit user confirmation. In a skill that manages identity, memory, and other core workspace files, unclear warning language increases the chance of accidental data loss or rollback confusion during normal use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes bidirectional sync of sensitive core workspace files and remote restore that overwrites local files, but it does not clearly foreground the security and privacy consequences of sending those files to GitHub or the risk of destructive replacement of local state. In this skill context, the affected files appear to contain agent identity, memory, and configuration data, so unclear documentation materially increases the chance of unintended exfiltration or accidental data loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically uploads sensitive workspace files to a remote GitHub repository using `gh api`, but it provides no explicit runtime warning, confirmation prompt, or per-file review before transmitting data. Even though the skill description mentions backup/sync behavior, these files can contain identity, memory, and agent-state data, so silent transmission increases the risk of unintended disclosure if the user does not fully understand what will be sent or if repository ownership is misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
On first initialization, if the remote repository exists, the script restores remote files into the local workspace and overwrites matching files without an explicit overwrite warning or confirmation. Although it creates a local snapshot first, the operation still trusts remote repository contents and can replace local state with unexpected or stale data, which is especially risky because these files appear to control agent identity and behavior.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Always check `gh auth status` first.
- If GitHub authentication is missing, stop and tell the user to run `gh auth login`.
- Do not scan the whole workspace.
- Do not ask the user to choose files unless they explicitly ask for a different scope.
- Treat the fixed GitHub repo as the authority during first-time initialization on a new machine.
- Before any remote restore overwrites local files, create a timestamped local backup snapshot under `skills/soul-undead/local-backups/`.
- Do not keep a persistent local export mirror; sync should act directly on the GitHub private repo.
Confidence
86% confidence
Finding
Do not ask the user

Session Persistence

Medium
Category
Rogue Agent
Content
- Do not scan the whole workspace.
- Do not ask the user to choose files unless they explicitly ask for a different scope.
- Treat the fixed GitHub repo as the authority during first-time initialization on a new machine.
- Before any remote restore overwrites local files, create a timestamped local backup snapshot under `skills/soul-undead/local-backups/`.
- Do not keep a persistent local export mirror; sync should act directly on the GitHub private repo.

## Important behavior: first restore can overwrite local default files
Confidence
83% confidence
Finding
create a timestamped local backup snapshot under `skills/soul-undead/local-backups/`. - Do not keep a persistent local export mirror; sync should act directly on the GitHub private repo. ## Important

VirusTotal

63/63 vendors flagged this skill as clean.
