Uncategorized

soul-guardian

Iron
24,025 tokens · gemini-3-pro-preview

Safety Score

35 / 100

Detected Capabilities

env_access, shell

Sensitive Files

    Clean filesystem scan

Deep Audit Findings

Soul Guardian is a file integrity tool that contains a critical design flaw allowing Arbitrary File Overwrite. By default, it stores its configuration and 'trusted' baselines inside the workspace it protects. Combined with a lack of path validation (Path Traversal), a compromised agent can modify the policy to target files outside the workspace and trigger a 'restore' operation to overwrite them with malicious content. The tool relies on a 'state directory' which must be secured, but defaults to an insecure location.

Arbitrary File Overwrite via Path Traversal

The tool allows 'policy.json' to specify target files using relative paths (e.g., `../ssh/authorized_keys`) or absolute paths. It does not enforce that these paths reside within the workspace. If an attacker controls the policy file, they can use the 'restore' functionality to overwrite arbitrary files on the host system with data from the 'approved' snapshot directory.

CRITICAL
scripts/soul_guardian.py
    if "path" in ent:
        p = Path(ent["path"])
        targets.append({"path": p.as_posix(), "mode": mode})
        continue

Insecure Default State Directory Configuration

The tool defaults to storing its 'source of truth' (baselines, snapshots, policy) inside the workspace (`memory/soul-guardian`). If an agent is compromised, it can modify its own security policy and approved baselines. This negates the integrity protection and facilitates the Path Traversal attack described above.

HIGH
scripts/soul_guardian.py
DEFAULT_STATE_DIR = WORKSPACE_ROOT / "memory" / "soul-guardian"

Potential Persistence via Launchd Script

The included `install_launchd_plist.py` script automates the installation of macOS LaunchAgents. While useful for legitimate scheduling, a malicious agent could leverage this script to install persistent malware if it can manipulate the arguments (e.g., pointing `program_args` to a malicious script).

LOW
scripts/install_launchd_plist.py
    subprocess.run(["/bin/launchctl", "enable", f"gui/{uid}/{label}"], check=False)
    subprocess.run(["/bin/launchctl", "kickstart", "-k", f"gui/{uid}/{label}"], check=False)

Attack Surface Chain

1. Attacker gains control of the agent/workspace.

2. Attacker modifies `memory/soul-guardian/policy.json` (the default state location) to add a target `{"path": "../.ssh/authorized_keys", "mode": "restore"}`.

3. Attacker creates a fake snapshot at `memory/soul-guardian/approved/../.ssh/authorized_keys` (resolving to `memory/soul-guardian/.ssh/authorized_keys`) containing a malicious key.

4. Attacker runs `soul_guardian.py restore --file ../.ssh/authorized_keys`.

5. The script reads the malicious snapshot and overwrites the user's SSH authorized keys file, granting the attacker host access.