Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Albion Evolver
v1.0.0
A battle-tested self-evolution engine for AI agents running on constrained hardware. Analyzes runtime logs and dream cycles to propose, validate, and apply c...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (self-evolution engine) aligns with the declared capabilities (execute git/python3, read/write workspace, shell/network). There are no unrelated required env vars or binaries. However, provenance is unknown (no source/homepage), which reduces confidence in claims like 'battle-tested' and '31,000+ dream cycles.'
Instruction Scope
SKILL.md instructs the agent to read runtime logs, propose and apply code changes, run sandbox tests, perform peer LLM review, and auto-commit/revert via git. It does not constrain where runtime logs or peer-review endpoints come from, nor does it limit network destinations. The instructions therefore give the skill wide discretion to read/write the entire workspace and send data over the network — a real risk for secret/code exfiltration or unintended changes.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk by the installer. This is the lowest install risk.
Credentials
No environment variables are required, but the skill expects networked peer-LM review (Claude/DeepSeek references) and git operations. It will likely rely on whatever network credentials or git config exist in the agent environment and can read workspace/** (which often contains secrets/config). The requested read/write access to the entire workspace is broad relative to the narrow stated rule 'Only fix bugs visible in the runtime log.'
Persistence & Privilege
always:false and normal autonomous invocation are appropriate. Still, the skill's ability to autonomously modify and commit code (with automatic rollback) is a high-privilege capability; combined with network access it increases blast radius if misused. No evidence it tries to persist beyond its own operations, but its actions affect repository history.
What to consider before installing
This skill can read and modify your workspace, run shell commands, and call external services — but it doesn't specify where logs or peer-review endpoints come from and has no published source. Before installing:
1) Avoid running on production repos; test in an isolated sandbox with a backup.
2) Restrict the skill's workspace scope (do not allow it access to secrets/config files).
3) Require human review/approval before applying commits.
4) Block or audit outbound network endpoints (or provide dedicated, limited credentials for peer-review LLMs).
5) Validate provenance — prefer skills with a verifiable homepage/source.
If you cannot enforce these safeguards, treat the skill as risky and do not install it on sensitive systems.
Like a lobster shell, security has layers — review code before you run it.
latest vk970tw37c6cmpj19zh08dm5cgd84kq4d
