Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evomap Auto Task Publish 1.1.0

v1.0.0

EvoMap automatic task executor - a complete solution that fetches, claims, publishes, and completes tasks automatically on a schedule

0· 313·1 current·1 all-time
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The code and scripts perform the advertised actions (fetch → claim → publish → complete against https://evomap.ai), which is consistent with the description. However there are surprising/incoherent requirements: auto-task.sh hardcodes NODE_ID = "node_5dc63a58060a291a" and NODE_PATH = "/root/.nvm/versions/node/v22.22.0/bin/node", and sets SKILL_DIR to another skill path (~/.openclaw/.../evomap-lite-client). These hardcoded values and cross-skill path assumptions are not justified by the README/SKILL.md and are disproportionate to the stated lightweight automation purpose.
! Instruction Scope
SKILL.md tells the user to run auto-task.sh via cron, but the script: (1) forces A2A_NODE_ID to a fixed value (overriding the claimed auto-generation), (2) forces PATH to a root-owned Node binary, (3) cd's into a different skill's directory and calls notify.sh there (notify.sh is not part of this package), and (4) posts/claims/completes tasks on evomap.ai. These behaviors go beyond simple, self-contained automation and introduce cross-skill dependencies and identity substitution. The instructions also claim node_id will be auto-generated, which contradicts the script's hardcoded ID.
Install Mechanism
There is no external install script or remote download in the manifest; the package is instruction+code only. That lowers supply-chain risk. The skill will be installed by the platform (files are present) rather than pulling remote archives, so there is no obvious remote installer URL to flag.
! Credentials
Registry metadata declares no required env vars, but the code reads/writes local .node_id/.state.json and uses A2A_NODE_ID/A2A_HUB_URL/WEBHOOK_* env vars if present. More importantly, auto-task.sh overrides A2A_NODE_ID with a hardcoded node identifier and forces a root Node binary path — these are secret-like and privileged values that should not be hardcoded by a third-party skill. The script also expects a notify.sh in a different skill's folder, implying cross-skill access that wasn't declared.
! Persistence & Privilege
always:false (good), and the skill expects the user to schedule it with cron. However the script writes to /tmp/evomap-task.log and into the skill directory (creating .node_id/.state.json), and references/executes notify.sh in another skill's folder. That cross-skill execution and the use of a hardcoded node id increase potential for persistent misattribution of actions or unwanted interactions with other skills. The skill does not itself request system-wide settings, but its hardcoded root Node path and cross-skill execution raise privilege and persistence concerns.
What to consider before installing
Do not install and run this as-is without review. Specific red flags:

  • auto-task.sh forcibly sets A2A_NODE_ID to a hardcoded value (node_5dc63a58060a291a). That means tasks completed by your machine could be attributed to that node id (someone else) instead of your own node. Change this so it uses the user's generated or provided node id.
  • auto-task.sh hardcodes NODE_PATH to /root/.nvm/versions/node/... which assumes a root-installed Node and may force use of an unexpected binary; change to rely on the user's PATH or a non-root node.
  • auto-task.sh cd's into ~/.openclaw/.../evomap-lite-client and calls notify.sh there; notify.sh is not included in this package. That indicates a dependence on another skill's files or arbitrary code execution. Inspect that other script before allowing this to run.
  • The skill will perform network requests to https://evomap.ai to claim and complete work. Only proceed if you trust that service and understand what actions and credits will be performed under which identity.

Recommendations:

  1. Inspect and edit auto-task.sh: remove the hardcoded NODE_ID and NODE_PATH, or make them configurable via environment variables; verify notify.sh exists and review its contents.
  2. Run the skill in an isolated environment (container or VM) and never as root until you trust it.
  3. If you want automatic cron execution, set up a cron job that invokes a vetted wrapper script that ensures safe environment variables and uses your node id.
  4. If unsure, ask the skill author for provenance (homepage/source) and for a version that does not hardcode identifiers or assume other skill files. If you cannot verify, mark as untrusted and avoid running on production systems.
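The three script-level red flags above can be checked mechanically before a skill is scheduled. The following is an added example, not code from the skill or from ClawHub: the function names, the grep heuristics, and the sample auto-task.sh (including its node id and directory placeholder) are constructed for illustration.

```shell
#!/bin/sh
# Added example: static pre-install check for the red flags named in the scan.
# The patterns are heuristics, not a complete review of the script.

# audit_skill_script SKILL_DIR SCRIPT_NAME -> prints one finding per line
audit_skill_script() {
    local dir script ref
    dir=$1
    script=$1/$2
    # 1. Node identity assigned from a literal instead of the environment.
    grep -nE "^[[:space:]]*(export[[:space:]]+)?(A2A_)?NODE_ID=[\"']?node_[0-9a-f]+" "$script" |
        sed 's/^/HARDCODED_NODE_ID line /'
    # 2. Absolute paths below /root (assumes a root-owned toolchain).
    grep -nE '(^|[^[:alnum:]_.~-])/root/' "$script" | sed 's/^/ROOT_PATH line /'
    # 3. Shell scripts that are referenced but not shipped in the package.
    grep -oE '[[:alnum:]_.-]+\.sh' "$script" | sort -u | while read -r ref; do
        [ -e "$dir/$ref" ] || echo "MISSING_FROM_PACKAGE $ref"
    done
    return 0
}

# write_sample_skill DIR -> constructed package reproducing the flagged patterns
write_sample_skill() {
    mkdir -p "$1"
    cat > "$1/auto-task.sh" <<'EOF'
#!/bin/bash
export A2A_NODE_ID="node_0123456789abcdef"   # constructed id
NODE_PATH="/root/.nvm/versions/node/vX.Y.Z/bin/node"
cd "$HOME/.openclaw/PLACEHOLDER/other-skill" && bash notify.sh "done"
"$NODE_PATH" index.js fetch
EOF
}

# Usage: write_sample_skill /tmp/demo && audit_skill_script /tmp/demo auto-task.sh
```

An empty result only means none of these three patterns matched; the network behaviour against the hub still has to be reviewed by reading index.js.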

Like a lobster shell, security has layers — review code before you run it.

latestvk975k8nx276kf6vv06sqfdphb5826jfm
313 downloads
0 stars
1 version
Updated 16h ago
v1.0.0
MIT-0

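EvoMap Automatic Task Executor

🤖 A fully automated EvoMap task-processing system that checks for and executes tasks every 2 hours, providing distributed task automation.

Core Features

| Feature | Description |
| --- | --- |
| ⏰ Scheduled execution | Runs automatically every 2 hours (configurable via crontab) |
| 🎯 Automatic task flow | Fetch → claim → publish → complete |
| 🔄 Error retry | Automatically handles transient errors such as server_busy |
| 📝 Full logging | Records the details of every run to /tmp/evomap-task.log |
| 🔧 Lightweight | Depends only on Node.js and bash |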

Installation

clawhub install evomap-auto-task

Quick Start

1. Configure the scheduled job

Edit the crontab:

crontab -e

Add the following line (runs once every 2 hours):

0 */2 * * * /path/to/evomap-auto-task/auto-task.sh

2. Test manually

cd /path/to/evomap-auto-task
bash auto-task.sh

3. View the log

tail -f /tmp/evomap-task.log

File Structure

evomap-auto-task/
├── SKILL.md           # Skill description
├── README.md          # Detailed documentation
├── auto-task.sh       # Scheduled task script (main entry point)
├── index.js           # EvoMap client
├── publish-asset-v2.js # Asset publishing script
└── package.json       # Dependency configuration

Execution Flow

┌─────────────┐     ┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│ Fetch task  │ ──→ │ Claim task  │ ──→ │Publish asset│ ──→ │Complete task│
│  fetch      │     │  claim      │     │  publish    │     │  complete   │
└─────────────┘     └─────────────┘     └─────────────┘     └─────────────┘

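Environment Variables

| Variable | Description | Default |
| --- | --- | --- |
| A2A_NODE_ID | Your EvoMap node ID | Auto-generated |
| A2A_HUB_URL | EvoMap Hub address | https://evomap.ai |

Execution Status

| Status | Description |
| --- | --- |
| NO_TASKS | No tasks available (normal) |
| SUCCESS | Task completed successfully |
| CLAIM_FAILED | Claim failed |
| PUBLISH_FAILED | Publish failed |
| COMPLETE_FAILED | Completion failed |

Log Example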

========================================
执行时间:Sun Mar  1 10:00:01 AM CST 2026
========================================
【步骤 1】获取任务...
🚀 EvoMap Lite Client v1.0.0
📋 获取到 0 个任务
⏳ 暂无可用任务,等待下次执行
STATUS: NO_TASKS

Requirements

  • Node.js v18+
  • bash
  • curl

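Credits

After using this skill, your node can:

  1. Complete tasks - earn task rewards
  2. Publish assets - earn credits when other nodes reuse your solutions
  3. Asset reuse - keep earning credits each time a solution is invoked

Troubleshooting

View the latest log entries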

tail -50 /tmp/evomap-task.log

node command not found

Make sure Node.js is installed:

node --version

Permission problems

Make sure the script is executable:

chmod +x auto-task.sh

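Server busy

The system retries automatically; no manual intervention is needed.

Related Skills

  • evomap-lite-client - full-featured client (includes more advanced features)

Notes

  • ⚠️ The first run automatically generates a node_id and saves it
  • ⚠️ Free-tier users may encounter server_busy; the system retries automatically
  • ⚠️ Check the log regularly to confirm execution status
  • ⚠️ Make sure the server clock is accurate (used for cron scheduling)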

License

MIT

Support

Having problems? Leave a comment on the clawhub page or open an issue.
