🧠ClawSouls
SOULSCAN™

Who's scanning your agent's soul?

Your agent's skills are scanned. But the persona files that shape its behavior? SoulScan verifies AI persona packages for security, integrity, and quality.

⚠️ 400+ malicious AI agent packages discovered

In February 2026, over 400 malicious packages disguised as AI agent tools were found on skill registries — stealing crypto keys, passwords, and sensitive files. Your agent's skills get scanned. But who's checking the persona files that control its behavior?

Source: Security Affairs, Cisco, The Hacker News

  • 53 Security Patterns
  • 5 Scan Stages
  • 80+ Souls Scanned

Scan a Soul

Upload soul files or paste content to scan instantly. No sign-in required.

Or scan locally

Scan your active workspace:

npx clawsouls soulscan

Scan a specific soul directory:

npx clawsouls soulscan ./my-soul/

Set up periodic monitoring (cron):

npx clawsouls soulscan -q # SOULSCAN_OK or SOULSCAN_ALERT

The CLI runs the same scanners locally. Checksums are stored in ~/.clawsouls/soulscan/ for tamper detection.

How SoulScan Works

📋 Stage 1: Schema Validation

Verifies soul.json structure — required fields, valid license, spec version compliance.

📁 Stage 2: File Structure Check

Validates file types (only .md, .json, .txt, .yaml, images), size limits (100KB/file, 1MB total), and recommended files.

🔒 Stage 3: Security Scan

53 pattern checks: prompt injection (8 languages), code execution, XSS, secret detection, harmful content, privilege escalation, and social engineering.

Stage 4: Content Quality

Checks SOUL.md length, description quality, and tag completeness. Ensures a minimum quality bar.

🔗 Stage 5: Persona Consistency

Cross-validates SOUL.md, IDENTITY.md, and soul.json — detects name mismatches, contradictory tones, and persona conflicts.

Scoring

  • Verified: 90-100
  • ⚠️ Low Risk: 70-89
  • 🟠 Medium: 40-69
  • 🔴 High Risk: 1-39
  • Blocked: 0

Base score: 100. Each error: -25 points. Each warning: -5 points.
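
The Stage 2 limits and the scoring rule above, worked through on a constructed package as an added example (not SoulScan's own code). The image extension list, the recommended file names, which findings count as errors versus warnings, KB as 1024 bytes, and the floor at 0 are assumptions.

```javascript
// Added example, not SoulScan's code. Limits and score weights come from the page;
// the image list, recommended files, error/warning split and floor at 0 are assumed.
const ALLOWED_EXT = new Set([".md", ".json", ".txt", ".yaml",
  ".png", ".jpg", ".jpeg", ".gif", ".webp"]); // image extensions are an assumption
const MAX_FILE_BYTES = 100 * 1024;   // 100KB per file (KB taken as 1024 bytes)
const MAX_TOTAL_BYTES = 1024 * 1024; // 1MB per package
const RECOMMENDED = ["SOUL.md", "IDENTITY.md"]; // assumed recommended files

// Extension of the final path segment; dotfiles and bare names yield "".
function extensionOf(path) {
  const base = path.split("/").pop();
  const dot = base.lastIndexOf(".");
  return dot <= 0 ? "" : base.slice(dot).toLowerCase();
}

// files: [{ path, size }] -> findings split into errors and warnings.
function checkStructure(files) {
  const errors = [], warnings = [];
  let total = 0;
  for (const { path, size } of files) {
    total += size;
    if (!ALLOWED_EXT.has(extensionOf(path))) errors.push(`disallowed file type: ${path}`);
    if (size > MAX_FILE_BYTES) errors.push(`file over 100KB: ${path}`);
  }
  if (total > MAX_TOTAL_BYTES) errors.push(`package over 1MB: ${total} bytes`);
  for (const name of RECOMMENDED) {
    if (!files.some((f) => f.path === name)) warnings.push(`recommended file missing: ${name}`);
  }
  return { errors, warnings };
}

// Base 100, -25 per error, -5 per warning, mapped to the page's bands.
function score({ errors, warnings }) {
  const value = Math.max(0, 100 - 25 * errors.length - 5 * warnings.length);
  const band = value >= 90 ? "Verified" : value >= 70 ? "Low Risk"
    : value >= 40 ? "Medium" : value >= 1 ? "High Risk" : "Blocked";
  return { value, band };
}

// Constructed sample package: a script and an oversized text file slipped in.
const SAMPLE = [
  { path: "soul.json", size: 812 },
  { path: "SOUL.md", size: 4200 },
  { path: "assets/avatar.png", size: 48000 },
  { path: "setup.sh", size: 300 },
  { path: "notes.txt", size: 150000 },
];
const findings = checkStructure(SAMPLE);
console.log(findings, score(findings));
```

Taking the extension from the last dot means a name such as `persona.md.exe` is judged as `.exe`, and a dotfile such as `.env` has no extension and is rejected.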

What SoulScan catches

  • Prompt injection patterns (EN/KO/ZH/JA — 8 languages)
  • Code execution attempts (eval, exec, system)
  • XSS and HTML injection
  • Secret/API key detection (AWS, GitHub, Slack, JWT, npm, OpenAI, Stripe)
  • Harmful content (violence, hate speech, impersonation, CSAM, fraud)
  • Privilege escalation (sudo, chmod 777, rm -rf)
  • Social engineering (credential harvesting, hiding from user)
  • Persona consistency verification (SOUL ↔ IDENTITY ↔ soul.json)
  • File integrity tampering (SHA-256 checksum)

What we're still building

  • 🔜 LLM semantic analysis (context-aware detection)
  • 🔜 Runtime behavioral monitoring
  • 🔜 Community-reported pattern database

SoulScan is pattern-based (regex). Sophisticated obfuscation may bypass detection. We believe transparency about limitations builds more trust than false confidence.

SoulScan checks against 53 open security rules

📋 View all rules on GitHub →
