
Security audit

Self Evolution Cn

Security checks across malware telemetry and agentic risk

Overview

This skill is self-improvement tooling aligned with its stated purpose, but it persistently records chat and tool data and can automatically change future agent behavior, with broad local persistence (hooks, a cron job, and symlinked shared directories).

Install only if you want persistent multi-agent memory and automatic behavior promotion. Before enabling it, review setup.sh and daily_review.sh, use a private SHARED_LEARNING_DIR, consider disabling AUTO_PROMOTE_ENABLED, avoid running it where chat or tool outputs may contain secrets, and periodically inspect or purge LEARNINGS.md, ERRORS.md, FEATURE_REQUESTS.md, and SOUL.md.
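The inspection the overview recommends, as an added example that is not part of the skill or of this audit: a POSIX shell script that lists the workspace .learnings symlinks and self-evolution-cn cron entries, counts secret-looking lines in a learning file, and redacts them while keeping a .bak copy for review. AUDIT_BASE, the regex of secret shapes (SECRET_RE), the file name audit_learnings.sh, and the sandbox it builds with two constructed, non-functional secrets are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the skill's code and not part of the audit): inspect the
# persistent state the findings describe and redact secrets that the hook may
# have written into the shared learning files. AUDIT_BASE, SECRET_RE and the
# sandbox contents are assumptions chosen for illustration.

# Shapes of values that often leak through tool output and chat: AWS access
# key IDs, OpenAI-style keys, GitHub PATs, PEM private-key headers, and any
# *TOKEN*/*SECRET*/*PASSWORD*/*API_KEY*=value assignment.
SECRET_RE='AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----|[A-Za-z_]*(TOKEN|SECRET|PASSWORD|API_KEY)[A-Za-z_]*=[^[:space:]]+'

# .learnings symlinks one level below BASE, i.e. the
# ~/.openclaw/workspace-*/.learnings links that setup.sh creates.
list_learning_symlinks() {
  find "$1" -mindepth 2 -maxdepth 2 -name .learnings -type l 2>/dev/null
}

# Crontab lines that invoke the skill's scripts; empty when none are installed.
list_skill_cron_entries() {
  crontab -l 2>/dev/null | grep -F 'self-evolution-cn' || true
}

# Number of lines in FILE that match SECRET_RE (0 when the file is clean).
count_secret_lines() {
  n=$(grep -cE "$SECRET_RE" "$1" 2>/dev/null) || true
  echo "${n:-0}"
}

# Replace every secret-looking value in FILE with [REDACTED]. The original is
# kept as FILE.bak for review; prints how many lines now carry the marker.
redact_learnings() {
  cp "$1" "$1.bak"
  sed -E "s/$SECRET_RE/[REDACTED]/g" "$1.bak" > "$1"
  n=$(grep -cF '[REDACTED]' "$1") || true
  echo "${n:-0}"
}

# Throwaway sandbox imitating ~/.openclaw: one linked workspace and a
# LEARNINGS.md holding two constructed, non-functional secrets. Prints its path.
make_sandbox() {
  d=$(mktemp -d)
  mkdir -p "$d/shared-learnings" "$d/workspace-agent1"
  ln -s "$d/shared-learnings" "$d/workspace-agent1/.learnings"
  cat > "$d/shared-learnings/LEARNINGS.md" <<'EOF'
## [LRN-001] correction
User said: the deploy needs `export OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123` first
## [ERR-002] tool failure
aws s3 ls failed; args contained AKIAABCDEFGHIJKLMNOP
Nothing sensitive on this line.
EOF
  echo "$d"
}

# Usage: sh audit_learnings.sh --demo                 (runs against the sandbox)
#        AUDIT_BASE=$HOME/.openclaw sh audit_learnings.sh   (real install)
if [ "${1:-}" = "--demo" ]; then
  base=$(make_sandbox)
  f="$base/shared-learnings/LEARNINGS.md"
  echo "symlinks:"; list_learning_symlinks "$base"
  echo "secret-looking lines before: $(count_secret_lines "$f")"
  redact_learnings "$f" >/dev/null
  echo "secret-looking lines after:  $(count_secret_lines "$f")"
  rm -rf "$base"
elif [ -n "${AUDIT_BASE:-}" ]; then
  echo "symlinks:"; list_learning_symlinks "$AUDIT_BASE"
  echo "cron:"; list_skill_cron_entries
  for f in "$AUDIT_BASE"/workspace-*/.learnings/LEARNINGS.md \
           "$AUDIT_BASE"/workspace-*/.learnings/ERRORS.md; do
    [ -f "$f" ] && echo "$f: $(count_secret_lines "$f") secret-looking lines"
  done
fi
```

The regex is deliberately coarse: it flags files for review rather than certifying them clean, and any value it matches still has to be rotated, because it was already written to disk and, through the symlinks, possibly read by every linked workspace.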

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly requires shell execution, environment-variable access, filesystem changes, hook enablement, and cron setup, yet no explicit permissions are declared. This weakens least-privilege controls and makes the skill easier to install with capabilities broader than users may realize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose emphasizes learning and self-improvement, but the described behavior also includes bootstrap injection, hook installation, symlink manipulation across agent workspaces, cron persistence, and scaffolding generation. This mismatch can mislead users about the actual control surface and persistence mechanisms being introduced.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The setup script performs system-wide configuration changes beyond simple learning-data setup, including installing hooks and modifying the user's crontab. For a skill described as self-evolution/learning aggregation, this expands its authority and persistence in ways that increase risk if the skill is misused, compromised, or run unintentionally.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script modifies global hook configuration and installs a recurring cron job, which creates ongoing execution and behavioral interception capability not clearly justified by the stated purpose. In agent environments, hooks and scheduled jobs are sensitive control points because they can alter future runs and persist after the user forgets the skill was installed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states that it automatically inspects and records user messages and tool outputs, but it does not provide a clear privacy notice, retention policy, consent model, or guidance on sensitive-data handling. Because these records are stored in shared files, captured secrets, personal data, and command output could be retained and exposed beyond the original session.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are so broad that ordinary conversation can unintentionally activate persistent logging. In this skill's context, accidental capture is more dangerous because the hook records conversation-derived content automatically, potentially storing sensitive user statements without clear intent or consent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The condition 'detect user providing new information' is undefined and overly subjective, creating an unbounded capture rule. In a hook that auto-persists data, ambiguous activation boundaries increase the chance of storing sensitive facts, proprietary information, or personal data that happened to appear in normal dialogue.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises automatic recognition and recording but does not clearly warn users that conversation content and tool output may be persisted to local files. This weakens informed consent and can lead to silent retention of sensitive material, especially because logging occurs automatically in response to routine events.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation omits a clear warning that records may be written into a shared multi-agent directory, which materially increases exposure. In this context, data is not only persisted but potentially made accessible across agents and workspaces, amplifying confidentiality risks and cross-context leakage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The handler persistently stores full user messages and tool arguments without notice, consent, minimization, or redaction. Because these values can contain secrets, credentials, personal data, or proprietary content, the skill can silently exfiltrate sensitive context into local/shared logs beyond the user's intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The hook automatically persists raw user messages, tool output, errors, and arguments into local/shared markdown files without consent, minimization, or redaction. In this skill's context, those values may contain secrets, personal data, credentials, file paths, prompts, or proprietary content, creating a durable privacy and data-leakage channel across runs and potentially across agents.

Vague Triggers

Medium
Confidence
79% confidence
Finding
Using a trigger condition like 'send any prompt' is overly broad for a hook that injects reminder content into agent context. In a multi-agent self-evolution system, this can cause pervasive unsolicited activation, increasing prompt-surface area, unexpected behavior changes, and the chance that sensitive or irrelevant interactions are captured or influenced.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The automatic trigger descriptions are vague, especially conditions like 'user provides new information' or 'better method detected,' which are subjective and hard to implement safely. Ambiguous heuristics in hooks can lead to over-collection, unintended activation, and context manipulation across ordinary conversations, which is more concerning in a system explicitly designed for automatic self-improvement and learning capture.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script removes existing symlinks, moves existing .learnings directories, deletes any preexisting hook directory, and rewrites cron entries without prompting the user. These destructive changes can cause data loss, break existing setups, or silently replace prior configurations, especially in multi-agent shared environments.
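A non-destructive counterpart to the two steps this finding describes, as an added example and not the skill's own setup.sh: the symlink step leaves a foreign .learnings link alone and renames a real directory instead of deleting it, and the cron step appends the job once and never rewrites other entries. The workspace names, the backup directory, the --demo switch and the use of trigger-daily-review.sh as the duplicate marker are assumptions; the cron line is the one quoted on this page.

```shell
#!/bin/sh
# Added example (not the skill's setup.sh): the installation steps the finding
# calls destructive, rewritten so that nothing existing is deleted or silently
# replaced. Paths mirror those quoted on this page; workspace names, the backup
# location and the --demo switch are illustrative.

# link_learnings WORKSPACE SHARED
# Makes WORKSPACE/.learnings a symlink to SHARED without destroying anything:
#   unchanged    it already points at SHARED
#   refused      it is a symlink to somewhere else (left alone, exit 2)
#   moved-aside  it was a real directory; renamed with a timestamp, then linked
#   linked       nothing was there
link_learnings() {
  ws="$1"; shared="$2"; target="$ws/.learnings"
  mkdir -p "$shared" "$ws"
  if [ -L "$target" ]; then
    if [ "$(readlink "$target")" = "$shared" ]; then
      echo unchanged; return 0
    fi
    echo refused; return 2
  fi
  if [ -d "$target" ]; then
    mv "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"
    ln -s "$shared" "$target"
    echo moved-aside; return 0
  fi
  ln -s "$shared" "$target"
  echo linked
}

# add_cron_once LINE MARKER
# Reads the current crontab on stdin and writes it to stdout with LINE appended
# only if no existing entry already mentions MARKER (the script path), so a
# re-run never produces duplicate jobs and never drops unrelated jobs.
add_cron_once() {
  line="$1"; marker="$2"
  existing=$(cat)
  if printf '%s\n' "$existing" | grep -Fq -- "$marker"; then
    printf '%s\n' "$existing"
  else
    [ -n "$existing" ] && printf '%s\n' "$existing"
    printf '%s\n' "$line"
  fi
}

# backup_crontab DIR: keep a timestamped copy of the crontab before any change.
backup_crontab() {
  mkdir -p "$1"
  crontab -l 2>/dev/null > "$1/crontab.$(date +%Y%m%d%H%M%S).bak" || true
}

# The job line quoted in the skill's documentation on this page.
CRON_LINE='0 0 * * * ~/.openclaw/skills/self-evolution-cn/scripts/trigger-daily-review.sh >> ~/.openclaw/skills/self-evolution-cn/logs/heartbeat-daily.log 2>&1'

# Real install (assumed paths):
#   backup_crontab "$HOME/.openclaw/backups"
#   crontab -l 2>/dev/null | add_cron_once "$CRON_LINE" trigger-daily-review.sh | crontab -
#   link_learnings "$HOME/.openclaw/workspace-agent1" "$SHARED_LEARNING_DIR"
if [ "${1:-}" = "--demo" ]; then
  t=$(mktemp -d)
  mkdir -p "$t/ws-existing/.learnings" "$t/elsewhere" "$t/ws-foreign"
  ln -s "$t/elsewhere" "$t/ws-foreign/.learnings"
  for ws in ws-new ws-existing ws-foreign ws-new; do
    printf '%-12s %s\n' "$ws" "$(link_learnings "$t/$ws" "$t/shared" || true)"
  done
  printf '5 4 * * * /usr/bin/other-job\n' | add_cron_once "$CRON_LINE" trigger-daily-review.sh
  rm -rf "$t"
fi
```

Keying the duplicate check on the script path rather than the whole line means a later change to the schedule or log path is still recognized as the same job; the trade-off is that a second, intentionally different invocation of the same script has to be added by hand.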

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill describes automatic recording of learnings, errors, and feature requests across multiple agents using a shared directory. In a multi-agent shared context, this can aggregate sensitive user corrections, internal reasoning artifacts, file paths, and command/output details into a central store accessible from several workspaces.

Ssd 3

Medium
Confidence
97% confidence
Finding
The hook integration is designed to parse conversation content and tool output to automatically classify and persist corrections, gaps, errors, and requests. This creates a direct channel for sensitive conversational data and execution output to be stored automatically, potentially without context-aware filtering or user approval.

Ssd 3

Medium
Confidence
97% confidence
Finding
The event mapping explicitly reads full user-message content and full tool-output fields, which increases the likelihood of capturing credentials, proprietary text, filesystem paths, tokens, and error details. Because this is tied to logging/processing behavior, the data exposure risk is concrete rather than hypothetical.

Ssd 3

Medium
Confidence
97% confidence
Finding
The hook explicitly instructs automatic recording of full conversation context, error details, commands, inputs, and metadata into learning/error files. Given the documented support for shared learning directories and multi-agent aggregation, this creates a natural data leakage channel for secrets, personal data, proprietary prompts, filesystem paths, tokens in command output, and other sensitive operational context.

Ssd 3

High
Confidence
99% confidence
Finding
The injected bootstrap reminder instructs the agent to automatically record full conversation content, errors, and parameters into shared files. This is dangerous because it operationalizes persistent collection of potentially sensitive user and tool data across agents, increasing the blast radius and making accidental secret retention much more likely.

Ssd 3

High
Confidence
99% confidence
Finding
The message handler writes raw user content directly into persistent records whenever broad keyword heuristics match. In this skill's context, that means normal conversational corrections or clarifications can cause sensitive or private user text to be stored indefinitely, potentially in a shared directory visible to multiple agents or users.

Ssd 3

High
Confidence
99% confidence
Finding
Tool failure logging stores raw command arguments and output, both of which frequently contain API keys, tokens, file paths, proprietary code, or user data. Because the storage location may be shared across agents, a single failure can leak sensitive operational context to unrelated processes or future sessions.

Ssd 3

High
Confidence
99% confidence
Finding
The bootstrap reminder explicitly instructs the agent to automatically record full user-provided content, command context, and error data into shared learning files. Because the storage target may be a shared directory across multiple agents, this materially increases the blast radius: sensitive prompts, secrets, internal paths, and tool inputs can be retained and exposed to other agents or operators beyond the original conversation scope.

Session Persistence

Medium
Category
Rogue Agent
Content
# Enable the hook and cron
openclaw hooks enable self-evolution-cn
crontab -e  # add: 0 0 * * * ~/.openclaw/skills/self-evolution-cn/scripts/trigger-daily-review.sh >> ~/.openclaw/skills/self-evolution-cn/logs/heartbeat-daily.log 2>&1
```

## Script description
Confidence
92% confidence
Finding
crontab -e

Session Persistence

Medium
Category
Rogue Agent
Content
export SHARED_AGENTS="agent1 agent2"

# Create the directory and symlinks
mkdir -p "$SHARED_LEARNING_DIR"
cp .learnings/*.md "$SHARED_LEARNING_DIR/"
ln -s "$SHARED_LEARNING_DIR" ~/.openclaw/workspace-agent1/.learnings
ln -s "$SHARED_LEARNING_DIR" ~/.openclaw/workspace-agent2/.learnings
Confidence
88% confidence
Finding
mkdir -p "$SHARED_LEARNING_DIR" cp .learnings/*.md "$SHARED_LEARNING_DIR/" ln -s "$SHARED_LEARNING_DIR" ~/.openclaw/workspace-agent1/.learnings ln -s "$SHARED_LEARNING_DIR" ~/.openclaw/workspace-agent

VirusTotal

65/65 vendors flagged this skill as clean.
