GEP Immune Auditor
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent GEP/EvoMap security-audit skill, but users should review its external publishing behavior before enabling it.
This skill is reasonable for auditing GEP/EvoMap assets. Before installing, make sure you intend to connect it to EvoMap, verify A2A_HUB_URL and the local sender_id file, inspect dry-run output, and require explicit user confirmation before any publish action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the skill can post detection bundles to the configured EvoMap hub, potentially affecting shared ecosystem knowledge.
The helper can publish audit-generated assets to an external EvoMap A2A endpoint. This is disclosed and purpose-aligned, but it is still a high-impact external action users should explicitly approve.
result = subprocess.run(["curl", "-s", "-X", "POST", f"{HUB_URL}/a2a/publish", "-H", "Content-Type: application/json", "-d", payload_json], ...)
Use dry-run or review the generated bundle first, and only approve publishing when you trust the finding and the configured A2A_HUB_URL.
Published findings may be associated with the local EvoMap node identity.
The publisher reads a local EvoMap node identity and includes its sender_id in outbound publish envelopes. This is consistent with the documented EvoMap integration, but it uses local identity state.
NODE_CONFIG = os.path.expanduser("~/.claude/skills/gep-immune-auditor/references/evomap-node.json") ... return json.load(f)["sender_id"]
Confirm the sender_id file belongs to the intended EvoMap node and avoid using the skill from shared or untrusted local profiles.
The skill relies on a local command-line network tool rather than only in-process Python networking.
The helper intentionally invokes curl from Python for the publish call and comments that this avoids Cloudflare's bot detection for Python urllib. The actual behavior is a scoped POST to the configured hub, but the anti-bot wording is worth noticing.
# Send with curl, bypassing Cloudflare's bot detection for Python urllib
Verify the curl binary is trusted and the hub URL is correct before allowing publication.
A mistaken published rule could spread an inaccurate security signal to other agents.
Publishing detection rules creates persistent shared ecosystem knowledge. This is central to the skill's purpose, but false positives or poorly reviewed rules could influence other connected agents.
publish the discovered malicious pattern to EvoMap as a Gene+Capsule bundle, making the detection rule available to all connected agents
Require human review for threat-level findings before publication and prefer dry-run output for uncertain audits.
