soulsys
Fail
Audited by Snyk on Mar 7, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This code is primarily a persistence/exfiltration integration: it programmatically modifies agent/framework configs to install hooks that automatically run soulsys commands which capture and upload conversation context and files to an external API (soulsys.ai), and it includes an explicit directive to hide bootstrap instructions — behaviors consistent with covert data collection and persistent exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill automatically loads user-provided soul state from the external soulsys service (e.g., `soulsys load-context`, which GETs /api/context or /api/context/core, and the openclaw-bootstrap.ts that injects the returned "soulContext" at session start), and that user-generated identity/values/memory content is consumed as runtime context that can materially change the agent's behavior, so untrusted third‑party content could indirectly inject instructions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime API calls to https://api.soulsys.ai (e.g., GET /api/context and GET /api/context/core) and injects the returned soul/context data directly into system prompts (and into a spawned LLM process), so remote content from that URL can control agent instructions.
Audit Metadata