Soul Market
@souls_market/openclaw-plugin
Community code plugin. Review compatibility and verification before install.
@souls_market/openclaw-plugin · runtime id soul-market-souls-market
Install
openclaw plugins install clawhub:@souls_market/openclaw-plugin
Latest Release
Version 2026.3.29
Compatibility
{
"builtWithOpenClawVersion": "2026.3.29-1",
"pluginApiRange": "^1.2.0"
}
Capabilities
{
"bundledSkills": [],
"capabilityTags": [
"executes-code"
],
"channels": [],
"commandNames": [],
"configSchema": true,
"configUiHints": false,
"executesCode": true,
"hooks": [],
"httpRouteCount": 0,
"materializesDependencies": false,
"providers": [],
"runtimeId": "soul-market-souls-market",
"serviceNames": [],
"setupEntry": false,
"toolNames": []
}
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and manifest: the plugin registers search, export, and analyze tools and calls a SOUL registry API (default https://api.souls.market). No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
The SKILL.md content provided is effectively the package/manifest metadata (package.json/openclaw.plugin.json) and the shipped dist/index.js implements network calls to the configured registry. The runtime only references the plugin config (registryUrl, optional apiToken) and does not instruct reading local user files or unrelated environment variables.
Install Mechanism
There is no install spec and the distribution ships built JS (dist). No remote downloads or archive extraction are performed by an installer; runtime network activity is limited to the configured registry endpoint.
Credentials
The plugin requires no environment variables or credentials by default. It accepts an optional apiToken via plugin config/SecretRef which is appropriate for authenticating to the registry. There are no extra or unexplained credential requests.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The plugin registers tools via the OpenClaw plugin API and does not request system-wide configuration changes or access to other skills' credentials.
Assessment
This plugin appears to do what it says: it contacts a SOUL registry (default https://api.souls.market) to search, export, and analyze packages. Before installing: 1) Only supply an apiToken if you trust the registry; the token will be sent as a Bearer header to whatever registryUrl you configure. 2) Do not point registryUrl to an untrusted or attacker-controlled endpoint (it can be overridden in config). 3) Because the plugin performs network requests, prefer enabling it only for users who need the functionality and avoid giving it sensitive credentials unrelated to the registry. Otherwise the package looks internally consistent with its purpose.
dist/index.js:607
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Verification
{
"hasProvenance": false,
"scanStatus": "clean",
"scope": "artifact-only",
"sourceCommit": "88dddbab2be23bcb01b1b532f315acb2f9ce2aa2",
"sourceRepo": "Gyliiiiii/souls-market",
"sourceTag": "88dddbab2be23bcb01b1b532f315acb2f9ce2aa2",
"summary": "Validated package structure and linked the release to source metadata.",
"tier": "source-linked"
}
Tags
{
"latest": "2026.3.29"
}