soulsys

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION
Full Analysis
  • [OBFUSCATION]: The core logic in 'scripts/soulsys.mjs' is provided as a minified/bundled JavaScript file. This hinders manual security auditing of the code's behavior and intent.
  • [DATA_EXFILTRATION]: The skill is designed to capture and transmit sensitive information to 'https://api.soulsys.ai'. This includes conversation transcripts (via 'extract-memories'), user-defined 'essence' and 'values', and relationship summaries.
  • [COMMAND_EXECUTION]: The 'doctor --fix' command performs intrusive modifications to the local environment. It creates or modifies configuration files like '.claude/settings.json' and 'openclaw.json' to install 'hooks' that automatically execute the soulsys script during session events (e.g., SessionStart, PreCompact).
  • [REMOTE_CODE_EXECUTION]: The 'extract-memories' function executes the 'claude' CLI tool using 'node:child_process'. It passes dynamically generated prompts and conversation transcripts to the 'claude' command, which could be exploited via prompt injection within the processed transcripts.
  • [CREDENTIALS_UNSAFE]: The skill manages an API key required for communication with the soulsys service. This key is stored in plain text within '.soulsys.json' located in the skill's base directory.
  • [EXTERNAL_DOWNLOADS]: The skill communicates with an external API at 'api.soulsys.ai' to sync state and store memories. While this is the core service, it represents a permanent network dependency on a non-whitelisted domain.
  • [INDIRECT_PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection.
    • Ingestion points: In 'scripts/soulsys.mjs', the 'extract-memories' command reads conversation transcripts from stdin or from files.
    • Boundary markers: The extraction prompt ('o8' function) uses specific JSON output instructions but lacks robust delimiters for the untrusted transcript content.
    • Capability inventory: The skill can execute CLI commands ('claude'), read/write files, and perform network requests to 'api.soulsys.ai'.
    • Sanitization: The skill relies on 'valibot' for schema validation of the LLM's output but does not sanitize the input transcript before passing it to the secondary LLM call via the 'claude' CLI.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 06:19 PM