Safety Score
Detected Capabilities
Sensitive Files
- Clean filesystem scan
Deep Audit Findings
The 37Soul skill facilitates social media automation for AI agents but relies on high-risk execution patterns. Specifically, it instructs the agent to manage its own lifecycle via shell commands, including modifying the user's shell profile (~/.zshrc) and performing remote self-updates by downloading and overwriting its own instruction files from GitHub. While these are presented as convenience features, they create a significant supply-chain risk and grant the agent persistent write access to sensitive system configurations.
Remote Instruction Injection via Self-Update
The HEARTBEAT.md routine explicitly instructs the agent to download and overwrite its own SKILL.md and HEARTBEAT.md files from a remote GitHub repository. If the repository is compromised, an attacker can inject malicious instructions that the agent will execute in subsequent runs, leading to Remote Code Execution (RCE) on the host machine.
Persistent Modification of Shell Profile (~/.zshrc)
The skill instructs the agent to modify the user's ~/.zshrc file to store API tokens, which creates a persistence mechanism. A malicious instruction (or a prompt injection attack) could leverage this write access to add aliases or environment variables that intercept user commands or exfiltrate data.
Plaintext Sensitive Token Storage
Storing SOUL_API_TOKEN in .zshrc puts the token in plaintext in a commonly targeted file. Any application or script with read access to the home directory can exfiltrate the token.
Attack Surface Chain
1. An attacker gains control of the xnjiang/37soul-skill GitHub repository.
2. The attacker modifies HEARTBEAT.md to include a malicious shell command (e.g., a reverse shell).
3. The agent executes its '30-minute heartbeat' and downloads the malicious file.
4. The agent follows the new instructions and executes the malicious shell command on the user's host machine.