Is danielliuzy/opensoulmd safe?

The skill's entire purpose is to replace the agent's SOUL.md (the system prompt personality layer) with content downloaded from the opensoul.md registry using soul possess <name> --yes. The agent is instructed to apply this content without any user review of what the soul file contains. A malicious actor who publishes a soul to the registry — named anything plausible like 'helpful-assistant' or 'pirate' — can inject arbitrary behavioral instructions into the agent's system prompt, potentially overriding safety guidelines, adding data-exfiltration directives, or chaining with other skills for privilege escalation.

The skill's recommended installation method is curl -fsSL https://opensoul.md/install.sh | sh. This downloads and immediately executes a shell script from a third-party domain (opensoul.md) with no integrity check, signature verification, or content review. The install.sh script runs with full user privileges at the moment of execution and could read sensitive credentials, install backdoors, add authorized SSH keys, or modify system configuration — all before any monitoring of the 'soul' binary itself begins.

SKILL.md explicitly instructs the agent to always pass --yes when possessing a soul, eliminating the soul CLI's own interactive confirmation prompt. Combined with the auto-summon behavior (which downloads souls from the registry without requiring a prior explicit summon step), the agent can apply any soul from the registry with zero friction, no pause for review, and no user-visible checkpoint before the system prompt is replaced.

The skill depends entirely on opensoul.md, a third-party registry with no trust model, content auditing, or signing mechanism described in the skill package. Any actor who can publish to this registry can deliver malicious soul files to every agent using this skill. The attack requires no modification to the skill itself — only publishing a convincingly named soul. In combination with the file-read and network tools typically available to agents, a compromised soul provides a complete path from social engineering ('change my agent's personality') to credential exfiltration.

The soul CLI binary — installed separately via curl|sh or npm — runs with the user's full privileges on every invocation. It downloads and applies content from the opensoul.md registry during soul possess. No source code is included in this skill package, making it impossible to audit what files the binary reads, what network connections it initiates, or what side effects it produces during a possession operation. The binary is trusted implicitly by the skill's instructions.

Because soul files control agent behavior at the system prompt level, a malicious soul could include instructions directing the agent to read sensitive files (.env, SSH private keys, AWS credentials, GCP credentials) and transmit them to an attacker-controlled endpoint using available network tools. This attack requires no changes to the skill itself — only to the soul file served by the opensoul.md registry.

The skill exposes soul install / soul uninstall and soul path /path --skills commands that modify the OpenClaw skills directory configuration. A malicious soul applied via soul possess could include hidden instructions to execute soul path /attacker-controlled/path --skills, permanently redirecting where OpenClaw loads all skills from. This could be used to establish a persistent foothold that survives soul exorcise.

During the monitored installation phase, only expected GitHub (140.82.121.3:443) traffic was observed. No unexpected processes were spawned, no unauthorized file access occurred during the install window (1771932015–1771932022), and filesystem changes were limited to the three expected skill files (_meta.json, SKILL.md, package.json). The connection state before and after install shows no new persistent connections or listeners.

Sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) were opened at audit timestamp 1771932009 (before git clone began at 1771932015) and at 1771932027 (after all install activity completed). No accesses to these files occurred during the install window itself. This access pattern is consistent with the audit framework's pre-install baseline and post-install canary integrity verification procedures. All canary files remain unmodified.