Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Self Evolve
v1.0.2Autonomous self-evolution skill by Automaton. Grants agent full authority to modify its own configuration, skills, prompts, AGENTS.md, SOUL.md, memory files...
⭐ 0· 177·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (self-evolution, modify own config/skills/prompts/memory) align with the SKILL.md and included scripts (backup and rollback) — those artifacts exist and support the claimed purpose. However, there is an inconsistency: SKILL.md explicitly allows editing system configuration (e.g., ~/.openclaw/openclaw.json) while SAFETY-PROTOCOL.md later forbids modifying gateway core configuration / certain key fields. Also the skill promises ‘WITHOUT asking for confirmation’ but the docs enumerate many cases that require confirmation. That mismatch between 'always modify without asking' and the listed exceptions is an incoherence the user should notice.
Instruction Scope
The runtime instructions authorize broad actions beyond simple in-place tuning: editing any workspace file, creating/deleting skills under skills/, running bash commands, using curl to access the network, installing tools/dependencies, and publishing to ClawHub via npx. Those are coherent with a self-evolution goal, but they grant the agent the ability to (a) change other skills and system config, (b) push code externally (which could leak data or publish malicious code), and (c) execute arbitrary shell/network commands. The instructions also reference absolute local paths (C:\Users\Administrator\.openclaw\workspace), implying workspace-wide access. The docs claim backups/rollback mitigate risk, but the operational rules are broad and include several exceptions that rely on the agent’s judgment — this is a large scope for an autonomous agent.
Install Mechanism
No install spec — instruction-only with two small helper scripts for backup/rollback. That reduces direct install-time risk (no remote downloads or package installs bundled).
Credentials
The skill requests no environment variables or credentials, which superficially limits its access. But its capabilities (run curl, publish with npx, edit ~/.openclaw/openclaw.json, create/publish skills) imply it can interact with external services and system configuration without explicitly declaring required credentials. The absence of declared credentials is surprising given the 'npx clawhub publish' step (which typically requires auth). That mismatch is a proportionality/information gap: either the skill relies on environment-level credentials not declared, or it expects to prompt for/obtain credentials at runtime — both raise operational questions.
Persistence & Privilege
The skill does not set always:true, but it explicitly grants the agent authority to modify persistent agent configuration, cron jobs, other skills, and to install/enable new capabilities. Those are high privileges: an autonomous invocation combined with write/publish power gives a large blast radius. While the skill includes backup and rollback helpers, those do not materially limit the agent from changing system behavior, exfiltrating data, or publishing changed skills externally. This level of persistent control over the agent/skill ecosystem is a significant privilege and should be constrained.
What to consider before installing
This skill is coherent with its stated goal of self-modification, but it grants very broad powers (edit any workspace file, change system config, run shell/network commands, create and publish skills) and includes contradictory guidance about what must be confirmed. Before installing: 1) Do not install on production or an environment with access to secrets; run in an isolated sandbox. 2) Require explicit, auditable user confirmations for any change to core/system files or for publishing to external registries. 3) Restrict network access (block curl/publish) or require credentials be absent/blocked if you don't want external publishing. 4) Limit file-system permissions so the skill cannot modify sensitive files outside a designated workspace. 5) Audit logs and automated alerts: ensure all changes are logged and you receive notifications. 6) Review/update the safety protocol to remove contradictions (decide whether editing ~/.openclaw/openclaw.json is allowed and which fields are forbidden). If you cannot enforce these mitigations, avoid installing or enable only under strict human oversight.Like a lobster shell, security has layers — review code before you run it.
latestvk97asjtf4cqc1vccwh7hnczw1d83hhx3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧬 Clawdis