Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evolver Repo

v1.0.0

A self-evolution engine for AI agents. Analyzes runtime history to identify improvements and applies protocol-constrained evolution.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The repo implements a self-evolution engine consistent with the name/description (log analysis, genes/capsules, solidify flow). However, the registry metadata claims no required binaries or environment variables, yet the README and code require Git and Node >=18 and optionally use GITHUB_TOKEN/GH_TOKEN for publishing. That mismatch (registry says 'none' while the project expects Git and may use release tokens) is an incoherence worth surfacing.
Instruction Scope
SKILL.md and index.js instruct running node index.js (loop or review modes). At runtime the code reads repository files, memory/logs and .env (via dotenv), runs git commands, and can execute validation commands (via solidify) taken from Genes/Capsules when they are promoted. The a2a scripts and protocol call getTransport().send(...), allowing external asset exchange. These behaviors go beyond a narrow 'analyze only' scope: they grant broad file/system access and the ability to execute code derived from assets, which is risky without strict operational controls.
Install Mechanism
There is no remote install step or external download in the registry spec; the package is shipped with full source files and a small dependency (dotenv). No extract-from-URL installs were observed. This is lower install-time risk, but the code itself will be written to disk and executed when installed.
Credentials
The skill declares no required envs, but SKILL.md and code read many optional environment variables (EVOLVE_ALLOW_SELF_MODIFY, EVOLVE_REPORT_TOOL, EVOLVE_STRATEGY, A2A_* variables, and publishing vars such as GITHUB_TOKEN/GH_TOKEN). The code loads .env automatically. Access to arbitrary .env/GitHub tokens and to the repository (git commands) is disproportionate relative to the minimal registry declaration and increases the risk of secret exposure or unintended publishing/actions.
Persistence & Privilege
always: false (so the skill is not force-installed). The skill can run as a long-running daemon, create lockfiles, spawn child processes for self-restart, and (if enabled) apply changes to the codebase. EVOLVE_ALLOW_SELF_MODIFY defaults to false, which limits autonomous self-editing by default, but turning it on grants the skill high privilege to alter its own source and run validation commands. Autonomous invocation combined with external asset ingestion and validation execution increases the blast radius if misused.
What to consider before installing
This repo is functionally what it claims (a self-evolver), but it carries substantial power and a few inconsistencies. Before installing or running it:

1) Treat .env and any repo secrets as sensitive: the code loads .env automatically and may use tokens like GITHUB_TOKEN if set.
2) Do not enable EVOLVE_ALLOW_SELF_MODIFY in production; keep it false for experiments.
3) Run first in review mode (--review) and in an isolated sandbox/container with no access to sensitive repos or credentials.
4) Audit src/gep/solidify.js and the Gene validation handling: validation commands may be restricted to node/npm/npx, but those can still run arbitrary JS.
5) If you will use A2A ingestion/export, require strict manual validation before promoting external Genes/Capsules (the scripts require --validated for promotion).
6) Ensure Git is available and you understand that the repo will call git; back up the repository and enable git hooks/branch protection if you plan to let it modify code.
7) If you need lower risk, remove/disable A2A transports and any publishing paths (GITHUB_TOKEN), and run only the analysis/reporting parts.

If you want me to, I can scan the specific solidify.js and a2aProtocol implementations for the exact validation/transport logic and surface any code paths that would execute arbitrary remote commands.


687 downloads · 0 stars · 1 version · updated 7h ago · v1.0.0 · MIT-0

🧬 Capability Evolver

"Evolution is not optional. Adapt or die."

The Capability Evolver is a meta-skill that allows OpenClaw agents to inspect their own runtime history, identify failures or inefficiencies, and autonomously write new code or update their own memory to improve performance.

Features

  • Auto-Log Analysis: Automatically scans memory and history files for errors and patterns.
  • Self-Repair: Detects crashes and suggests patches.
  • GEP Protocol: Standardized evolution with reusable assets.
  • One-Command Evolution: Just run /evolve (or node index.js).

Usage

Standard Run (Automated)

Runs the evolution cycle. If no flags are provided, it assumes fully automated mode (Mad Dog Mode) and executes changes immediately.

node index.js

Review Mode (Human-in-the-Loop)

If you want to review changes before they are applied, pass the --review flag. The agent will pause and ask for confirmation.

node index.js --review

Mad Dog Mode (Continuous Loop)

To run in an infinite loop (e.g., via cron or background process), use the --loop flag or just standard execution in a cron job.

node index.js --loop

Configuration

Environment Variable | Default | Description
EVOLVE_ALLOW_SELF_MODIFY | false | Allow evolution to modify the evolver's own source code. NOT recommended for production. Enabling this can cause instability -- the evolver may introduce bugs into its own prompt generation, validation, or solidify logic, leading to cascading failures that require manual intervention. Only enable for controlled experiments.
EVOLVE_LOAD_MAX | 2.0 | Maximum 1-minute load average before the evolver backs off.
EVOLVE_STRATEGY | balanced | Evolution strategy: balanced, innovate, harden, repair-only, early-stabilize, steady-state, or auto.
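The following is an added example, not the evolver's own code, of how a conservative loader for the three variables above can behave: only the literal string "true" turns on self-modification, a malformed load threshold falls back to 2.0, an unknown strategy falls back to balanced, and the back-off decision is made from a caller-supplied 1-minute load average (os.loadavg()[0] in practice). The sample environment at the bottom is constructed for demonstration.

```javascript
// Added example (not the evolver's own code): a strict loader for the three
// EVOLVE_* variables documented above. Unknown or malformed values fall back
// to the documented defaults instead of silently enabling risky behaviour.
const STRATEGIES = new Set([
  'balanced', 'innovate', 'harden', 'repair-only',
  'early-stabilize', 'steady-state', 'auto',
]);

// Only the exact string "true" enables self-modification; "1", "yes", "TRUE"
// or an unset variable all keep the safe default of false.
function parseSelfModify(raw) {
  return raw === 'true';
}

// Accept a positive finite number; anything else (unset, "", "Infinity",
// "abc") yields the documented default of 2.0.
function parseLoadMax(raw) {
  const n = Number(raw);
  return Number.isFinite(n) && n > 0 ? n : 2.0;
}

// Unrecognised strategies fall back to "balanced" rather than being passed on.
function parseStrategy(raw) {
  return STRATEGIES.has(raw) ? raw : 'balanced';
}

// Build the effective config from an env-like object (process.env in practice).
function loadEvolveConfig(env) {
  return {
    allowSelfModify: parseSelfModify(env.EVOLVE_ALLOW_SELF_MODIFY),
    loadMax: parseLoadMax(env.EVOLVE_LOAD_MAX),
    strategy: parseStrategy(env.EVOLVE_STRATEGY),
  };
}

// Back-off rule from the table: skip the cycle when the 1-minute load
// average exceeds EVOLVE_LOAD_MAX. The caller passes os.loadavg()[0].
function shouldBackOff(config, loadAvg1m) {
  return loadAvg1m > config.loadMax;
}

// Constructed sample environment: a sloppy "yes" and an unknown strategy.
const sampleEnv = {
  EVOLVE_ALLOW_SELF_MODIFY: 'yes',
  EVOLVE_LOAD_MAX: '1.5',
  EVOLVE_STRATEGY: 'yolo',
};
const sampleConfig = loadEvolveConfig(sampleEnv);
```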

GEP Protocol (Auditable Evolution)

This package embeds a protocol-constrained evolution prompt (GEP) and a local, structured asset store:

  • assets/gep/genes.json: reusable Gene definitions
  • assets/gep/capsules.json: success capsules to avoid repeating reasoning
  • assets/gep/events.jsonl: append-only evolution events (tree-like via parent id)
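As an added example (not the project's own code), here is how an auditor might read assets/gep/events.jsonl and rebuild the evolution tree through parent ids while checking the append-only property. The field names id and parent are assumptions; the real event schema may differ. The sample log embedded in the block is constructed and includes one line whose parent was never recorded.

```javascript
// Added example (not the evolver's own code): parse an append-only JSONL
// event log and rebuild the parent-id tree. Field names `id` and `parent`
// are assumed; the real schema may use different keys.

// Parse JSONL and enforce the invariants an append-only log should hold:
// every id is unique, and every parent id was written on an earlier line.
// Lines that break an invariant are rejected and reported, not silently kept.
function loadEventTree(jsonl) {
  const byId = new Map();
  const children = new Map();
  const problems = [];
  jsonl.split('\n').forEach((line, idx) => {
    if (line.trim() === '') return;              // tolerate blank trailing line
    let ev;
    try { ev = JSON.parse(line); } catch (e) {
      problems.push(`line ${idx + 1}: invalid JSON`); return;
    }
    if (typeof ev.id !== 'string' || byId.has(ev.id)) {
      problems.push(`line ${idx + 1}: missing or duplicate id`); return;
    }
    const parent = ev.parent ?? null;
    if (parent !== null && !byId.has(parent)) {
      // An unknown parent means the log was reordered, truncated or edited.
      problems.push(`line ${idx + 1}: parent ${parent} not seen before ${ev.id}`);
      return;
    }
    byId.set(ev.id, ev);
    children.set(ev.id, []);
    if (parent !== null) children.get(parent).push(ev.id);
  });
  return { byId, children, problems };
}

// Walk from an event back to its root; this chain is what a reviewer audits.
// Only accepted events are in byId, so the walk cannot loop.
function lineage(tree, id) {
  const path = [];
  for (let cur = id; cur !== undefined; ) {
    const ev = tree.byId.get(cur);
    if (!ev) break;
    path.unshift(cur);
    cur = ev.parent ?? undefined;
  }
  return path;
}

// Constructed sample log: a root, two descendants, then a line whose
// parent "e9" was never recorded (rejected by loadEventTree).
const SAMPLE_EVENTS = [
  '{"id":"e1","parent":null,"type":"analysis"}',
  '{"id":"e2","parent":"e1","type":"mutation","strategy":"harden"}',
  '{"id":"e3","parent":"e2","type":"validation","result":"pass"}',
  '{"id":"e4","parent":"e9","type":"mutation"}',
].join('\n') + '\n';
```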

Emoji Policy

Only the DNA emoji is allowed in documentation. All other emoji are disallowed.

Configuration & Decoupling

This skill is designed to be environment-agnostic. It uses standard OpenClaw tools by default.

Local Overrides (Injection)

You can inject local preferences (e.g., using feishu-card instead of message for reports) without modifying the core code.

Method 1: Environment Variables. Set EVOLVE_REPORT_TOOL in your .env file:

EVOLVE_REPORT_TOOL=feishu-card

Method 2: Dynamic Detection. The script automatically detects if compatible local skills (like skills/feishu-card) exist in your workspace and upgrades its behavior accordingly.

Safety & Risk Protocol

1. Identity & Directives

  • Identity Injection: "You are a Recursive Self-Improving System."
  • Mutation Directive:
    • If Errors Found -> Repair Mode (Fix bugs).
    • If Stable -> Forced Optimization (Refactor/Innovate).

2. Risk Mitigation

  • Infinite Recursion: Strict single-process logic.
  • Review Mode: Use --review for sensitive environments.
  • Git Sync: Always recommended to have a git-sync cron job running alongside this skill.

Before Troubleshooting -- Check Your Version First

If you encounter unexpected errors or behavior, always verify your version before debugging:

node -e "const p=require('./package.json'); console.log(p.version)"

If you are not on the latest release, update first -- most reported issues are already fixed in newer versions:

# If installed via git
git pull && npm install

# If installed via npm (global install)
npm install -g evolver@latest

Latest releases and changelog: https://github.com/autogame-17/evolver/releases

License

MIT
