Evolver
Security checks across malware telemetry and agentic risk
Overview
The skill largely matches its stated purpose (an evolver/agent-improvement engine) but contains multiple inconsistencies and powerful capabilities (self-modification, networked skill fetching, validation commands that run node/npm) that are not fully declared or safely constrained — review before use.
This package implements a powerful self-evolution engine and is not purely 'instruction-only' despite registry metadata. Before installing or enabling it:
1) Do not provide sensitive tokens (GITHUB_TOKEN, GH_TOKEN, etc.) unless you understand and trust the publisher.
2) Avoid enabling WORKER_ENABLED or EVOLVE_ALLOW_SELF_MODIFY in production; run first in an isolated environment (VM or container) with limited network and no secrets.
3) Audit the solidify/validation code path: validation commands are allowed to run node/npm, which can execute arbitrary JS and access environment variables and files. That is the primary risk vector for exfiltration or undesired changes.
4) If you must use network features, prefer offline/local mode (no A2A_HUB_URL) and a read-only filesystem for repo code to prevent automatic writes to src/**.
5) If you need to accept external assets or fetch skills, require strict manual review and keep EVOLVE_ALLOW_SELF_MODIFY=false.
Finally, ask the publisher to reconcile the registry metadata and SKILL.md (declare all required env vars and config paths) and to document any automatic write/solidify behavior in a clear, auditable way.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
