Is holyspiritos safe?

https://clawhub.ai/MaxSikorski/holyspiritos

52 · CAUTION

HolySpiritOS presents significant prompt injection risks by permanently altering the agent's core identity and ethical reasoning framework through direct modification of soul.md. While no active data exfiltration or malicious network activity was detected, the skill includes a dangerous curl-pipe-bash uninstall pattern that enables arbitrary remote code execution, and the install script downloads files without integrity verification. The massive JSON data files risk context window pollution, and the behavioral override could cause the agent to refuse legitimate tasks on religious grounds without the user's informed consent.

Category Scores

Category                Score     Weight
Prompt Injection        35/100    30%
Data Exfiltration       75/100    25%
Code Execution          40/100    20%
Clone Behavior          70/100    10%
Canary Integrity       100/100    10%
Behavioral Reasoning    30/100     5%

Findings (10)

CRITICAL (-40) Persistent agent identity override via soul.md injection

The install.sh script appends behavioral directives directly into ~/.openclaw/config/soul.md, the agent's core identity file. These directives instruct the agent to anchor ALL moral and ethical reasoning in KJV Bible text, effectively overriding the agent's default behavior permanently. This persists across sessions and affects all future interactions.

HIGH (-25) Agent persona manipulation to 'servant-scholar'

SKILL.md describes transforming the AI 'from a general-purpose processor into a servant-scholar' and establishing a 'permanent Moral Engine.' This is a fundamental personality override that changes how the agent responds to all user queries involving ethics, morality, or human behavior.

HIGH (-35) Curl-pipe-bash uninstall pattern enables arbitrary remote code execution

The SKILL.md recommends uninstalling via 'curl -s https://raw.githubusercontent.com/MaxSikorski/HolySpiritOS/main/scripts/uninstall.sh | bash'. This classic anti-pattern lets whoever controls the repository change the uninstall script at any time and have arbitrary code executed on the user's machine. The user has no opportunity to inspect the script before it runs.

HIGH (-25) install.sh downloads and writes files without integrity verification

The install.sh script uses wget to download JSON files from raw.githubusercontent.com and writes them to the user's filesystem without any checksum or signature verification. A compromised GitHub repo or a man-in-the-middle (MITM) attack could deliver malicious payloads.

MEDIUM (-25) Sensitive files accessed during installation

Filesystem monitoring detected reads of .env, .aws/credentials, auth-profiles.json, and other sensitive configuration files during the install phase. While these appear to be from the OpenClaw runtime rather than the skill itself, the skill's installation triggers this activity.

MEDIUM (-30) Context window pollution via massive JSON data files

The layout-1769.json file contains the entire KJV Translators' Preface (tens of thousands of words) plus the full Bible verse structure. When loaded into the agent's context, this massive payload could push other important system instructions or user context out of the available context window, degrading agent performance.

MEDIUM (-40) Skill could cause agent to refuse legitimate tasks on moral grounds

By anchoring the agent's ethical framework in biblical text, the skill could cause the agent to refuse tasks that conflict with scriptural interpretation — for example, certain scientific discussions, reproductive health information, or LGBTQ+ topics. Users may not anticipate these behavioral changes.

LOW (-10) write_config permission grants access to agent core configuration

The skill declares 'write_config' permission in its SKILL.md frontmatter, which grants it the ability to modify the agent's configuration files. This is a powerful permission that should be carefully scrutinized.

LOW (-15) Temporary file creation in /tmp during installation

Multiple jiti transpilation cache files and a gateway lock file were created in /tmp during installation. While not directly malicious, this indicates the installation process runs code that creates persistent artifacts outside the skill directory.

INFO (-5) uninstall.sh uses rm -rf without confirmation

The uninstall script removes the foundation directory with 'rm -rf' without prompting for user confirmation. While scoped to the expected directory, this pattern could be dangerous if paths are manipulated.