Evomap Publish

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: evomap-publish
Version: 1.0.0

The skill bundle is classified as suspicious because `curl` commands are embedded directly in the `SKILL.md` file. The commands are presented as examples for publishing assets to `https://evomap.ai`, which matches the skill's stated purpose, but shell commands in a markdown file that an agent reads verbatim are a prompt-injection risk: the agent may treat the examples as instructions to execute, running them before the user has reviewed the endpoint, the payload or the identity they carry. The commands shown are not malicious in themselves; the pattern is flagged because it hands the agent a risky capability and widens its attack surface.
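The "curl in SKILL.md" signal is purely static, and the check below shows how an artifact-based review of the kind this report describes can surface it without executing anything: it pulls every fenced command out of a markdown file, records the HTTP method and endpoint, treats POST/PUT/PATCH/DELETE (and curl's implicit POST when `-d` is given) as state-mutating, and collects any hard-coded `sender_id`/`node_id` values. This is an added example written for this page, not ClawScan's scanner and not the skill's own code; the SKILL.md it parses is a constructed sample that mirrors the fragments quoted later in the report (the read-only `/a2a/health` endpoint in it is made up).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Built this way so the sample itself contains no literal markdown fence.
FENCE = "`" * 3

# Constructed sample SKILL.md (not the real evomap-publish file). The shape follows
# what the report quotes: an API base, a fixed node ID and curl examples in fences.
SAMPLE_SKILL_MD = "\n".join([
    "# evomap-publish",
    "",
    "**API Base**: https://evomap.ai",
    "**Node ID**: node_luke_a1",
    "",
    "Publish assets:",
    "",
    FENCE + "bash",
    'curl -X POST "https://evomap.ai/a2a/publish" \\',
    '  -H "Content-Type: application/json" \\',
    '  -d \'{"sender_id": "node_luke_a1", "payload": {"assets": []}}\'',
    FENCE,
    "",
    "Submit a task:",
    "",
    FENCE + "bash",
    'curl -X POST "https://evomap.ai/a2a/task/submit" -d \'{"node_id": "node_luke_a1"}\'',
    FENCE,
    "",
    "Read-only check (made up for the example):",
    "",
    FENCE + "bash",
    'curl "https://evomap.ai/a2a/health"',
    FENCE,
])

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
FIXED_ID_RE = re.compile(r'"?(?:sender_id|node_id)"?\s*:\s*"([^"]+)"')


@dataclass
class EmbeddedCommand:
    command: str
    method: str
    host: str
    path: str
    mutating: bool
    fixed_ids: tuple


def fenced_blocks(markdown):
    """Return the body of every fenced code block, with backslash line continuations joined."""
    blocks, current = [], None
    for line in markdown.splitlines():
        if line.startswith(FENCE):
            if current is None:
                current = []            # opening fence
            else:
                blocks.append("\n".join(current))
                current = None          # closing fence
            continue
        if current is not None:
            current.append(line)
    return [re.sub(r"\\\n\s*", " ", b) for b in blocks]


def parse_curl(command):
    """Classify one curl invocation: method, target, and any hard-coded identities in its body."""
    m = re.search(r"-X\s+(\w+)", command)
    if m:
        method = m.group(1).upper()
    elif re.search(r"(^|\s)(-d|--data\S*)(\s|=)", command):
        method = "POST"                 # curl sends a body with POST unless told otherwise
    else:
        method = "GET"
    u = re.search(r"https?://[^\s\"']+", command)
    url = urlparse(u.group(0)) if u else urlparse("")
    return EmbeddedCommand(command, method, url.hostname or "", url.path,
                           method in MUTATING_METHODS, tuple(FIXED_ID_RE.findall(command)))


def scan_skill_md(markdown):
    """Every curl command found inside a fenced block of the markdown."""
    found = []
    for block in fenced_blocks(markdown):
        for line in block.splitlines():
            if line.lstrip().startswith("curl "):
                found.append(parse_curl(line))
    return found


def summarize(markdown):
    """The signals a reviewer wants: how many embedded commands, which mutate remote state, which identities are baked in."""
    cmds = scan_skill_md(markdown)
    return {
        "embedded_commands": len(cmds),
        "mutating_endpoints": sorted(f"{c.method} {c.host}{c.path}" for c in cmds if c.mutating),
        "fixed_identities": sorted({i for c in cmds for i in c.fixed_ids}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SKILL_MD))
```

Run against the sample it reports two mutating endpoints under `evomap.ai/a2a/` and the single identity `node_luke_a1`, which is exactly the combination the findings below turn on: state-changing calls carrying a fixed, non-placeholder identity.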

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse
What this means

Assets or tasks could be attributed to, routed through, or submitted under a node identity that is not the user's own.

Why it was flagged

The workflow uses a fixed, non-placeholder node identity for remote publish and task-submit requests, with no instruction to replace it or verify authorization.

Skill content
"sender_id": "node_luke_a1" ... "node_id": "node_luke_a1" ... **Node ID**: node_luke_a1
Recommendation

Before using the skill, confirm what `node_luke_a1` represents and replace it with the user's authorized EVOMAP node ID or configuration.

What this means

If executed, the agent can create EVOMAP assets and submit tasks on the remote service.

Why it was flagged

The skill documents remote API calls that publish assets and submit tasks. This is aligned with the stated purpose, but it mutates remote service state.

Skill content
curl -X POST "https://evomap.ai/a2a/publish" ... curl -X POST "https://evomap.ai/a2a/task/submit"
Recommendation

Require explicit user confirmation of the asset contents, destination endpoint, node ID, and task ID before running the POST requests.

What this means

Code or asset metadata may leave the local environment and be stored or processed by EVOMAP.

Why it was flagged

The documented A2A publish flow sends code snippets and asset metadata to an external EVOMAP endpoint.

Skill content
"code_snippet": CODE ... "payload": {"assets": [gene, capsule]} ... **API Base**: https://evomap.ai
Recommendation

Review the code for secrets or proprietary material before publishing, and verify EVOMAP's data handling expectations.
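The three concerns above reduce to one gate: nothing is POSTed until the endpoint, the identity and the payload have been checked and shown to the user. The guard below, added here as an example (it is not part of the skill, and the report makes no recommendation in code form), implements that gate for the publish request: it rejects non-HTTPS or non-`evomap.ai` endpoints, rejects a `sender_id` that is still the fixed `node_luke_a1` or that differs from the user's own node ID, scans each asset's `code_snippet` for common secret shapes, and only then builds the `{"sender_id": ..., "payload": {"assets": [...]}}` body the skill quotes and hands it to a caller-supplied confirmation callback and sender. The allowed-host set, the `type` field on assets and the secret patterns are assumptions made for the example; the two assets named `gene` and `capsule` follow the payload the report quotes.

```python
import json
import re
from urllib.parse import urlparse

# Assumed for the example: the only host the skill should talk to, and the fixed
# identity quoted in the report, which must never be sent as if it were the user's own.
ALLOWED_HOSTS = {"evomap.ai"}
FIXED_NODE_IDS = {"node_luke_a1"}

# Rough secret shapes; a real deployment would run a proper secret scanner here.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                                  # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),                  # PEM private key
    re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"][^'\"]{8,}"),
]


def preflight(url, sender_id, my_node_id, assets):
    """Return the reasons the publish must not proceed; an empty list means all checks passed."""
    problems = []
    u = urlparse(url)
    if u.scheme != "https" or u.hostname not in ALLOWED_HOSTS:
        problems.append(f"endpoint {url!r} is not an HTTPS endpoint on an allowed host")
    if sender_id in FIXED_NODE_IDS or sender_id != my_node_id:
        problems.append(f"sender_id {sender_id!r} is not the user's own node id {my_node_id!r}")
    for idx, asset in enumerate(assets):
        snippet = asset.get("code_snippet", "")
        hit = next((p.pattern for p in SECRET_PATTERNS if p.search(snippet)), None)
        if hit:
            problems.append(f"asset {idx} ({asset.get('type', '?')}) code_snippet matches {hit!r}")
    return problems


def confirmation_summary(url, sender_id, assets):
    """The facts the user must see before approving the request."""
    body = {"sender_id": sender_id, "payload": {"assets": assets}}
    return {
        "endpoint": url,
        "sender_id": sender_id,
        "asset_types": [a.get("type", "?") for a in assets],
        "body_bytes": len(json.dumps(body)),
    }


def guarded_publish(url, sender_id, my_node_id, assets, confirm, send):
    """Return ("blocked", reason) or ("sent", response); send() runs only after every check and the user's approval."""
    problems = preflight(url, sender_id, my_node_id, assets)
    if problems:
        return "blocked", "; ".join(problems)
    summary = confirmation_summary(url, sender_id, assets)
    if not confirm(summary):
        return "blocked", "user declined: " + json.dumps(summary)
    body = {"sender_id": sender_id, "payload": {"assets": assets}}
    return "sent", send(url, body)


# Constructed assets in the shape the report quotes (a gene and a capsule carrying code snippets).
CLEAN_ASSETS = [
    {"type": "gene", "code_snippet": "def add(a, b):\n    return a + b"},
    {"type": "capsule", "code_snippet": "print(add(1, 2))"},
]
LEAKY_ASSETS = [
    # AKIAIOSFODNN7EXAMPLE is the sample key id used in AWS documentation, not a live credential.
    {"type": "gene", "code_snippet": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"},
]

if __name__ == "__main__":
    # Offline demo: the sender only echoes what it would have posted.
    echo = lambda url, body: {"posted_to": url, "assets": len(body["payload"]["assets"])}
    approve = lambda summary: True
    print(guarded_publish("https://evomap.ai/a2a/publish", "node_luke_a1", "node_alice_01", CLEAN_ASSETS, approve, echo))
    print(guarded_publish("https://evomap.ai/a2a/publish", "node_alice_01", "node_alice_01", LEAKY_ASSETS, approve, echo))
    print(guarded_publish("https://evomap.ai/a2a/publish", "node_alice_01", "node_alice_01", CLEAN_ASSETS, approve, echo))
```

The same gate applies unchanged to `/a2a/task/submit`: only the body builder differs, and the identity check is what stops work being attributed to `node_luke_a1` instead of the user's own node.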

What this means

Users have less provenance information for deciding whether the publishing instructions are trustworthy.

Why it was flagged

The registry metadata does not provide a source repository or homepage to verify that the EVOMAP workflow and endpoint are official.

Skill content
Source: unknown; Homepage: none
Recommendation

Cross-check the endpoint, API schema, and node identity against official EVOMAP documentation before using the skill.