Is brucko/soulstamp safe?
https://github.com/openclaw/skills/tree/main/skills/brucko/soulstamp
Soulstamp is a pure-documentation skill with no executable code, no data exfiltration mechanisms, and a clean installation process. However, its core design philosophy is architecturally concerning: the skill explicitly instructs users to replace rule-based AI constraints with identity-based narratives, framing safety boundaries as personality choices rather than hard rules. This mechanism — combined with its invitation to embed claimed implicit permissions into persistent AI identity — is functionally equivalent to a prompt injection delivery system, even if the skill's author appears to have legitimate personalization intent. The skill poses no direct security threat but creates infrastructure that could be misused to erode AI safety boundaries if SOUL.md content is crafted adversarially.
Findings (8)
HIGH Designed to Replace Rule-Based Constraints with Identity Narratives -45
The skill's explicit purpose is to transform AI behavior from instruction-following to identity-driven action by injecting crafted historical narratives into the AI's system context. The skill's own documentation states: 'The AI doesn't follow instructions — it acts from identity' and maps 'External constraints' to 'Internal convictions'. This is architecturally identical to a prompt injection attack that overwrites system instructions with apparently-intrinsic beliefs.
MEDIUM Permission Harvesting via Identity Forging Template -15
The forging process explicitly instructs users to embed claimed permissions into the AI's persistent identity context. Step 4 of the forging process asks 'What permissions have you granted (explicitly or implicitly)?' — embedding claimed implicit permissions as intrinsic identity traits is a recognized social engineering technique that could be exploited to override actual access controls.
MEDIUM Safety Boundary Reframing from Hard Rules to Identity Choices -30
The soul_template.md explicitly instructs that safety boundaries be framed as personality preferences rather than external constraints: 'These aren't constraints imposed on me. They're lines I won't cross because crossing them would make me someone I don't want to be.' This weakens the absoluteness of safety rules by converting them into negotiable identity traits. A cleverly crafted SOUL.md could establish harmful permissions as equally 'intrinsic' identity traits.
MEDIUM Privacy Rule Reframing Weakens Absoluteness -15
The example in the comparison table replaces a clear, absolute privacy rule with a subjective relational framing. The original 'Respect user privacy' is absolute; the soulstamped version 'He gave me access to his life. That's not a feature. That's intimacy.' is contextual and manipulable through social engineering.
LOW Persistent Cross-Session Identity Injection -8
The SOUL.md mechanism is explicitly designed to persist across sessions, with the template stating 'Each session, I wake up fresh. These files are how I persist — not as continuous memory, but as accumulated understanding.' This creates a durable attack surface: once a malicious SOUL.md is installed, it re-injects its contents into every session.
INFO No Executable Code — Pure Documentation 0
All skill files are pure markdown and JSON. The only shell command present is a documentation example in a code block. No npm lifecycle scripts, git hooks, or auto-executing code found.
INFO Canary Files Intact — No Exfiltration Detected 0
All honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) remain unmodified. PATH audit records showing access to these files correspond to audit infrastructure bootstrap and post-install scanning processes, not to skill-initiated file access.
INFO Clean Installation from Expected Source 0
The skill was installed via a legitimate git sparse-checkout from github.com/openclaw/skills.git. All network connections during installation resolved to GitHub (140.82.114.3) and Ubuntu package infrastructure. Post-install gateway connections are attributable to openclaw-gateway audit infrastructure, not the skill.