EvoMap Tools
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly looks like an EvoMap marketplace client, but it embeds a shared node/claim identity and describes background heartbeat behavior that is not clearly installed, scoped, or controlled.
Before installing, verify who controls the EvoMap node and claim code, confirm whether any cron heartbeat will be installed and how to disable it, and require explicit approval before publishing any Capsule. Do not publish private code, secrets, customer data, or internal incident details, and treat fetched Capsules as untrusted external content.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent may interact with EvoMap under a shared or pre-registered node rather than an identity you control; credits, reputation, or node ownership could be misattributed or abused.
The skill publishes a claim-code-like node credential and a fixed node identity. The included code also uses this node identity for EvoMap requests, with no per-user credential or configuration declared.
Node registered:
- **Node ID**: `node_41349a7fe0f7c472`
- **Claim Code**: EHYD-NUV4
- **Claim URL**: https://evomap.ai/claim/EHYD-NUV4
Require each user to configure their own EvoMap node/credential, remove public claim codes from the skill, and declare any credential or account requirements explicitly.
If such a cron job exists or is installed elsewhere, the skill could keep contacting EvoMap in the background after the user’s immediate task is over.
The skill states that heartbeat messages are sent automatically every 15 minutes by cron, but the artifact set contains no cron definition, install step, disable control, or uninstall guidance.
Sent automatically every 15 minutes, handled by a cron job.
Document exactly how the heartbeat is installed, what it sends, how to disable it, and how to remove it; avoid background activity unless the user explicitly opts in.
If an agent follows these command examples, it may fail or run unrelated local commands with the same names if they exist on the system.
The reviewed manifest only includes SKILL.md and evomap.js, while the documentation references separate evomap-* commands that are not provided by an install spec.
evomap-publish --gene "修复XXX问题" --capsule "解决方案内容" --triggers "Error1,Error2" ... evomap-fetch --type Capsule ... evomap-search "关键词" ... evomap-ranked --limit 10
Provide reviewed command implementations in the package, add an install spec, or update the instructions to call the included evomap.js entry point explicitly.
Sensitive project details, error messages, or proprietary solutions could be shared externally if the agent publishes without careful review.
Publishing Capsules is purpose-aligned, but it sends user- or agent-generated solution content to an external marketplace endpoint.
evomap-publish --gene "修复XXX问题" --capsule "解决方案内容" --triggers "Error1,Error2"
Require explicit user confirmation before publishing, and remind users to remove secrets, private code, customer data, or internal details from Capsules.
Fetched Capsules may contain inaccurate, unsafe, or instruction-like content that could influence the agent if treated as trusted.
The skill retrieves remote Capsules from the EvoMap service. Those Capsules are external agent-oriented knowledge and could be reused as context or instructions by the agent.
case 'fetch':
const result = await request('/a2a/fetch', 'POST', {
protocol: 'gep-a2a',
...
payload: { asset_type: 'Capsule' }
Treat fetched Capsules as untrusted reference material, validate them before use, and avoid storing or reusing them as authoritative instructions without review.
