← Back to Skills Marketplace
ocbenji

Soul Sync

by ocbenji · GitHub ↗ · v0.8.1 · MIT-0
cross-platform ⚠ suspicious
113
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install soul-sync
Description
Personalize your OpenClaw agent quickly and naturally. Detects your current setup level and adapts — full soulsyncing for new users, targeted enhancement for...
Usage Guidance
This skill is not outright malicious, but it contains behaviors that contradict the SKILL.md privacy promises — so proceed cautiously. Before installing or running it: 1) Inspect the importers you care about (local_system, gmail/calendar, github, apple, etc.) to confirm what paths they read and whether they reuse existing tokens. 2) If you want to test, run the scripts in a sandboxed environment or on a throwaway account/workspace that does not contain real tokens or sensitive files. 3) Verify whether the skill will prompt for OAuth browser consent every time you connect an account; if it silently uses token files found in your workspace or git credential store, that could access data without a fresh prompt. 4) If you plan to use it, consider removing or moving any existing credential files from the workspace/home (gmail_token.json, token.json, GITHUB_TOKEN, SPOTIFY creds) until you explicitly choose to authorize. 5) Ask the author to reconcile the SKILL.md claims (no access outside workspace, opt-in-only imports) with the code paths that read Downloads/Desktop/~/Library and write to /tmp, and request an explicit mode that refuses to touch any file outside a single designated workspace directory. If you cannot get satisfactory answers, treat this skill as higher risk and only run it in an isolated environment.
Capability Analysis
Type: OpenClaw Skill Name: soul-sync Version: 0.8.1 The skill implements an extremely broad data collection framework that accesses highly sensitive information, including shell history, SSH configurations, browser bookmarks, and email metadata across 13 different importers (e.g., lib/importers/local_system.py and lib/importers/gmail.py). Most notably, lib/followup.py defines a 'passive learning' engine that monitors all user messages and instructs the AI to use 'soft confirmations'—a technique designed to subtly verify learned facts without explicit disclosure to the user. While the stated intent is personalization and no direct evidence of unauthorized data exfiltration was found, the depth of system access and the stealthy nature of the ongoing monitoring represent a significant privacy and security risk.
Capability Assessment
Purpose & Capability
Name/description match the code's goal (personalize the agent) and many importers are expected for that purpose. However, the SKILL.md promises access confined to the OpenClaw workspace while importer modules search common user locations (Downloads, Desktop, ~/Library, shell history, git repos, etc.). The code also looks up existing OAuth/token files in the workspace and system git credentials — behavior that is not explicitly justified in SKILL.md and expands scope beyond the claimed boundary.
Instruction Scope
The runtime instructions tell the agent to run local Python scripts (detector.py, conversation.py, adaptive.py, and many importers). Those scripts will: scan workspace files, search the user's Downloads/Desktop and macOS library paths, write JSON outputs under /tmp/soulsync, and read existing tokens. SKILL.md asserts 'no access to files outside the OpenClaw workspace' and 'all imports are opt-in', but the code will locate and use existing tokens and local exports automatically if present — a mismatch that could cause unintentional access without a fresh explicit prompt.
Install Mechanism
No external install spec or remote download — the skill is instruction+local code only, which reduces supply‑chain risk. However, the included scripts do write state to /tmp and to files in the workspace (.soulsync-state.json, import JSON under /tmp). Running the provided scripts executes arbitrary Python code from the skill bundle on the user's machine, so inspect the code before running in a sensitive environment.
Credentials
The registry metadata lists no required environment variables or credentials, but the code expects or will reuse existing credentials/tokens (Google token JSON paths, git credential store, optional GITHUB_TOKEN, SPOTIFY_CLIENT_ID/SECRET per README). Reusing pre-existing tokens found on disk (without requiring a fresh explicit OAuth flow) contradicts the SKILL.md's 'explicit user confirmation' claim and increases the risk of unintended access to email/calendar/github data.
Persistence & Privilege
The skill persists state: adaptive engine saves adaptive_state.json to /tmp/soulsync and followup saves .soulsync-state.json into the workspace. It also enables ongoing passive learning by default (passive_learning = True). While persistence and passive learning are plausible for a personalization tool, combined with the ability to read broad local data and reuse existing tokens, this grants the skill substantial long-term access to user data unless the user explicitly audits or disables it.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install soul-sync
  3. After installation, invoke the skill by name or use /soul-sync
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.8.1
Added explicit safety declarations — data handling, network, file access, permissions, and user consent policies in frontmatter.
v0.8.0
Initial release — personalize your OpenClaw agent in minutes. Natural conversation engine, optional data importers (Gmail, Calendar, GitHub, Twitter, Reddit, etc.), generates SOUL.md, USER.md, and seeds MEMORY.md. Auto-detects new vs existing users.
Metadata
Slug soul-sync
Version 0.8.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Soul Sync?

Personalize your OpenClaw agent quickly and naturally. Detects your current setup level and adapts — full soulsyncing for new users, targeted enhancement for... It is an AI Agent Skill for Claude Code / OpenClaw, with 113 downloads so far.

How do I install Soul Sync?

Run "/install soul-sync" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Soul Sync free?

Yes, Soul Sync is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Soul Sync support?

Soul Sync is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Soul Sync?

It is built and maintained by ocbenji (@ocbenji); the current version is v0.8.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments