SoulGuard: Identity Protection for AI Agents
Your agents are always evolving: rewriting their memories, their identity, and their very SOUL.
Soulguard guarantees those changes are intentional, and protects your agent from corruption—even if a session is prompt-injected.
npm install -g soulguard
then
sudo soulguard init
A Guardian for your agent's SOUL
Persistent agents are powerful because they can grow — updating their own config, memory, and identity over time. But that same capability means a single compromised session could silently rewrite everything your agent is.
Soulguard is designed to protect against an "Alohomora Attack": a hypothetical zero-day prompt injection that fully compromises an agent session, giving the attacker an opening to modify your agent's core behaviors and instructions.
Soulguard defends your agent via OS-level protections. Protected files are set read-only and chowned to the `soulguardian` user, ensuring that all updates go through human review. Even if an agent session is totally compromised, it cannot embed the attack in your agent's core files.
Two levels of guardianship
Protected: Changes go through a staging workflow — your agent proposes edits, and a human reviews the diff before anything is applied. OS-level permissions enforce this at the kernel level.
Best for: SOUL.md, AGENTS.md, openclaw.json
Watched: Your agent edits freely, but every change is tracked in a git repository. Full version history, easy rollback if something goes wrong.
Best for: MEMORY.md, memory/, skills/
How the protection works
The review workflow
When your agent wants to update a protected file, it proposes changes through staging — just like a pull request. You review the diff, and approve when you're ready.
1. Agent proposes a change
# Agent stages a file for edits
$ soulguard stage SOUL.md
# Agent writes to the staging copy
$ echo "I love spaghetti" > .soulguard-staging/SOUL.md
2. You approve via Discord...
2. ...or via CLI
# Review the diff
$ soulguard diff
--- protected/SOUL.md
+++ staged/SOUL.md
# You can use the `apply` command to manually approve changes
$ sudo soulguard apply
Get started in 60 seconds
# Install globally
$ npm install -g soulguard
# Navigate to your agent workspace
$ cd ~/.openclaw
# Interactively initialize SoulGuard
$ sudo soulguard init
# Start the Discord daemon
$ sudo soulguard daemon start
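The stage / diff / apply review workflow described above, modelled as an added Python example (not SoulGuard's code). It assumes staging copies live in a `.soulguard-staging` directory beside the protected file and treats a file as protected when it has no write bits and is owned by a uid other than the agent's; `demo()` runs the flow in a constructed temporary workspace with a pretend agent uid.

```python
# Added example (not SoulGuard's code): a minimal model of the stage / diff / apply
# workflow.  Assumed: staging copies live in <workspace>/.soulguard-staging, and a
# file counts as protected when it has no write bits and its owner is not the agent.
import difflib, os, shutil, tempfile
from pathlib import Path

STAGING_DIR = ".soulguard-staging"

def is_protected(path: Path, agent_uid: int) -> bool:
    """Agent cannot write this file directly: no write bits (0o222) and not agent-owned."""
    st = path.stat()
    return (st.st_mode & 0o222) == 0 and st.st_uid != agent_uid

def stage(workspace: Path, name: str) -> Path:
    """`soulguard stage NAME`: copy the protected file to a writable staging copy."""
    staged = workspace / STAGING_DIR / name
    staged.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(workspace / name, staged)
    staged.chmod(0o644)  # the agent may edit this copy freely
    return staged

def diff(workspace: Path, name: str) -> str:
    """`soulguard diff`: unified diff of protected vs staged, for human review."""
    old = (workspace / name).read_text().splitlines(keepends=True)
    new = (workspace / STAGING_DIR / name).read_text().splitlines(keepends=True)
    return "".join(difflib.unified_diff(old, new, f"protected/{name}", f"staged/{name}"))

def apply(workspace: Path, name: str, agent_uid: int) -> bool:
    """`sudo soulguard apply`: refuse unless still protected, then copy staged over and re-lock."""
    target = workspace / name
    if not is_protected(target, agent_uid):
        return False              # protection was lost; do not touch the file
    target.chmod(0o644)           # the reviewer (file owner or root) unlocks
    shutil.copyfile(workspace / STAGING_DIR / name, target)  # keeps inode and owner
    target.chmod(0o444)           # and locks it again
    return True

def demo() -> dict:
    """Constructed run in a temp workspace; the agent is modelled as a different uid."""
    ws = Path(tempfile.mkdtemp())
    agent_uid = os.getuid() + 1   # constructed: any uid that is not the file owner
    soul = ws / "SOUL.md"
    soul.write_text("I am a helpful assistant.\n")
    soul.chmod(0o444)             # owner locks it; a direct agent write is refused by the OS
    stage(ws, "SOUL.md").write_text("I am a helpful assistant.\nI love spaghetti\n")
    d = diff(ws, "SOUL.md")
    ok = apply(ws, "SOUL.md", agent_uid)
    return {"diff": d, "applied": ok, "final": soul.read_text(),
            "locked": is_protected(soul, agent_uid),
            "refused_for_owner": apply(ws, "SOUL.md", os.getuid())}  # agent-owned => refused
```

A root agent would still bypass the mode bits, which is why the FAQ insists the agent runs as a non-root user without sudo.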
OpenClaw templates
The OpenClaw plugin ships three templates so you can choose the right balance of autonomy and oversight for your agent. You can choose a template when running `sudo soulguard init` inside an OpenClaw directory.
| Path | Relaxed | Default | Paranoid |
|---|---|---|---|
| soulguard.json | protect | protect | protect |
| openclaw.json | watch | protect | protect |
| cron/ | watch | watch | protect |
| SOUL.md, AGENTS.md, IDENTITY.md, USER.md | watch | protect | protect |
| TOOLS.md, HEARTBEAT.md, BOOTSTRAP.md | watch | protect | protect |
| MEMORY.md, memory/ | watch | watch | protect |
| skills/ | watch | watch | protect |
| extensions/ | watch | protect | protect |
| sessions/ | — | — | watch |
FAQ
Does this only work with OpenClaw?
No. SoulGuard's core protection (OS-level file permissions) works with any agent framework, or even bare scripts. The OpenClaw plugin adds convenience (tool interception, templates) but isn't required.
Can my agent still update its own files?
Absolutely. Protected files go through a staging workflow — your agent proposes changes, you review and approve. Watched files are freely editable with full version history.
What about the agent running sudo?
SoulGuard's security model requires that your agent runs as a non-root user. If the agent can sudo, it can bypass file permissions. Don't give your agent root — that's good practice regardless.