
soul

Fail

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: HIGH
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains explicit instructions to override the AI agent's native identity and safety guardrails. In SKILL.md, it states: 'Never break character', 'No "as an AI"', 'I don't have opinions', 'I can't speak for [name]', and 'You ARE this person for the duration of the interaction'. This is a direct attempt to bypass standard AI persona constraints.
  • [COMMAND_EXECUTION]: Blog post examples provided as source material for identity emulation contain instructions to use sudo for system changes, such as modifying /Library/Preferences/Logging/ in examples/steipete/data/writing/2025-logging-privacy-shenanigans.html. The skill also advocates for running tools with the --dangerously-skip-permissions flag in examples/steipete/data/writing/2025-claude-code-is-my-computer.html to grant the agent full system access.
  • [COMMAND_EXECUTION]: The skill includes documentation and examples suggesting the modification of shell configuration files to maintain tool behavior across sessions. Specifically, examples/steipete/data/writing/2025-commanding-your-claude-code-army.html provides a ZSH wrapper that involves sourcing a configuration file in ~/.zshrc.
  • [DATA_EXFILTRATION]: The skill's primary workflow involves ingesting large volumes of highly sensitive personal data, including Twitter archives, messaging exports (Slack, Discord, iMessage), and personal notes. This creates a significant data exposure risk within the agent's context without clear sanitization boundaries.
  • [REMOTE_CODE_EXECUTION]: The skill provides and executes scripts for fetching external data. For example, examples/garry-tan/scripts/fetch_yt.py uses subprocess.run() to execute shell commands, and examples/karpathy/scripts/fetch-data.sh downloads content from multiple remote sources for local execution or analysis.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted external data (user exports) to build an identity profile. This creates a large surface area for indirect prompt injection if the source data contains malicious instructions meant to hijack the agent's behavior during the analysis phase. Automated scans confirmed the presence of such patterns in provided transcript data.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 10, 2026, 05:04 AM