Back to plugin

Security audit

Principles Disciple

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate but very powerful agent-governance plugin that persistently changes workspace and agent state, so it should be reviewed before installation.

Install only if you want a high-authority agent framework that can persist memory, profile you, hook tool/model activity, and modify workspace/OpenClaw state. Review the enabled features, keep a clean git working tree, disable background/internalization features unless needed, and treat self-update, feedback delivery, tool installation, and daemon workflows as explicit opt-in operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (68)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill's `repair` function includes destructive actions such as deleting marker files and modifying workspace structure, but it does not require explicit user confirmation before performing them. In an administrative skill, this is especially risky because users may invoke repair expecting diagnostics, while the skill is instructed to make state-changing deletions automatically, which can erase forensic or workflow state and cause unintended system changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to modify repository files under `.claude/agents/*.md` as a side effect of installing tools, but it does not require a clear, explicit warning that repository-controlled files will be edited. This is dangerous because it expands from environment setup into persistent prompt/configuration changes that can alter future agent behavior, create noisy or unauthorized diffs, and potentially affect all agents in the repo.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is framed as a review/audit tool, but its final action instructs the agent to modify `AUDIT.md`, which crosses from analysis into side-effectful file editing. In an agent setting, this can let an ostensibly advisory skill overwrite or inject audit results, create misleading records, or alter files outside a pure review workflow, especially if the reviewed content is adversarial or the target file is consumed by later automation.

Self-Modification

High
Category
Rogue Agent
Content
disable-model-invocation: true
---

# /evolution-framework-update: Evolution Framework Self-Update

> ⚠️ **High-Risk Operation Warning**: This skill pulls and executes latest code from the upstream repository (Hooks, Skills, Agents, Daemon), which may overwrite local configuration and personalization. Before running, ensure all local changes are committed (`git status` should be clean) and `.principles/` and `memory/` directories are backed up.
>
Confidence
98% confidence
Finding
Self-Update

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description says it will 'Run the full evolution loop' without clear trigger boundaries or scope constraints, which encourages broad invocation for many task types. In context, the workflow includes code execution, remote queries, delegation, file writes, and persistence steps, so a vague top-level trigger increases the chance the skill is invoked inappropriately for sensitive or low-trust tasks.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill mandates writing a user performance/profile assessment to `.state/.user_verdict.json` without prior notice, consent, or data-minimization limits. Persistent storage of behavioral judgments about the user creates privacy risk, potential surveillance, and secondary misuse, especially because the write is framed as mandatory and incremental.

Ssd 3

Medium
Confidence
99% confidence
Finding
The instructions explicitly direct persistent profiling of the user's instruction quality, knowledge, preferences, and 'characteristics' based on task interactions, then store the result in a dedicated verdict file. This is a concrete user-profiling mechanism, and the mandatory, incremental nature makes it more dangerous because it can accumulate sensitive inferences over time without transparency or user control.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mandates writing interview results to `memory/STRATEGY.md` without first obtaining explicit user confirmation or warning that persistent project files will be modified. Because the interview may capture sensitive business strategy, goals, or internal constraints, automatic persistence can create unintended data retention and repository contamination risks, especially if the memory directory is tracked or later shared.

Ssd 4

High
Confidence
98% confidence
Finding
This skill is explicitly designed to persist arbitrary user-provided rules into shared cross-session memory, which can permanently alter future agent behavior without validation, scoping, approval, or expiration. That creates a durable prompt-injection and policy-bypass mechanism: a malicious or careless user can implant harmful instructions that influence unrelated future sessions and are easy to overlook once stored.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill’s trigger conditions include very common troubleshooting phrases such as 'find related files' and 'check the logs,' which can cause the skill to activate in many ordinary diagnostic contexts. Because the skill is designed for broad evidence collection and suggests filesystem and log searching, overly broad invocation increases the chance of unnecessary access to sensitive files, logs, or configuration data beyond the user’s intended scope.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger conditions are broad enough that normal user requests like 'implement this' or any bug-fix scenario could invoke the skill without a narrowly scoped approval boundary. Because the skill is designed to modify code and its metadata disables model invocation, unintended activation could lead to code changes being executed with insufficient user confirmation or contextual review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill performs potentially sensitive actions—code modification, backups, testing, documentation changes, and commits—but does not prominently warn users about these side effects at the skill description/interface level. This increases the chance that users invoke the skill without informed consent, especially in environments where file changes, test execution, or commit creation have operational consequences.

Vague Triggers

High
Confidence
97% confidence
Finding
The skill description contains very broad trigger phrases such as 'how to use', 'what can you do', and 'help me out', which are common in ordinary conversation and can cause the skill to activate unexpectedly. Because this skill recommends operational commands and guidance flows, accidental invocation can steer users into unrelated actions or interfere with other, more appropriate skills.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The scenario trigger examples for new project initialization are loosely phrased and insufficiently scoped, so ordinary project-related conversation could match even when the user is not asking for this skill. This increases the chance of unsolicited command recommendations and context confusion rather than direct code execution, but it still represents unsafe activation design.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Bug-fix triggers like 'there's a bug', 'got an error', and 'something's wrong' are extremely generic and likely to collide with normal troubleshooting language across many contexts. In a multi-skill environment, this can cause the skill to intercept unrelated support requests and push users toward status or evolution commands that may expose internal workflow details or distract from the correct remediation path.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Daily review triggers such as 'what did I do today', 'check progress', and 'give me a report' are generic productivity phrases that can easily appear in unrelated conversations. This can lead to accidental activation and unnecessary disclosure or emphasis on internal trust score and status concepts that are not relevant to the user's actual intent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Permission and security trigger phrases like 'blocked', 'not enough permissions', and 'security level' are common across many systems, making unintended activation likely. In this skill, accidental activation is more concerning because it directs the user toward trust score and security stage concepts, which could normalize or reveal internal permission mechanics in contexts where they should not be surfaced.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Tool-upgrade triggers such as 'want to upgrade tools' and 'tech stack update' are broad and can match many ordinary engineering discussions. While the immediate effect is guidance rather than direct execution, the skill may still intrude on unrelated conversations and recommend environment scanning or research actions outside the intended scope.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger conditions are overly broad and include common phrases such as 'help me plan' and 'draft a proposal,' which can cause the skill to activate in many unrelated contexts. Because this is a planning skill that structures downstream actions, unintended activation could steer conversations, override more appropriate tools, or cause execution plans to be generated for sensitive or risky tasks without sufficient contextual checks.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest description uses broad natural-language trigger wording such as 'correct or update the user's expertise profile' and 'I am an expert in X,' which can overlap with ordinary conversation. This increases the chance of accidental invocation during benign chat, causing profile changes the user may not have intended to persist.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs writing an incremental evaluation to a hidden state file (.state/.user_verdict.json) that changes stored profile data, but the user-facing message only says changes take effect later and does not clearly disclose that persistent hidden state is being modified. Hidden persistence affecting future behavior is security-sensitive because it can alter downstream model decisions without informed user consent or clear auditability.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is broadly framed as a general-purpose 'final task reflection and evolution logging' capability without clear trigger boundaries or user-consent requirements. That makes it easy for an agent to invoke this skill in many contexts, including ones where writing persistent memory, profiles, or verdict files would be unexpected, increasing the risk of unauthorized state modification and behavioral drift.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill directs the agent to append to and overwrite multiple persistent files such as memory logs, profile configuration, and verdict/state files, but it provides no user-facing warning, confirmation gate, or scope limitation. In context, this is more dangerous because the files influence future behavior and memory, so a routine invocation could silently alter long-term agent state, create persistence for bad data, or weaken safeguards by changing profile guard settings.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a reflection aid, but it instructs the agent to write to persistent files such as `memory/ISSUE_LOG.md` and `memory/.scratchpad.md`. This creates a scope mismatch where a seemingly analytical skill can mutate local state, which is risky because it may cause unintended persistence, tamper with future agent behavior, or modify user data without explicit consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown directs the agent to write to persistent memory files without any warning, approval step, or disclosure that local data will be modified. In an agent system, silent persistence is dangerous because it can store misleading state, leak sensitive task context into durable files, and influence later runs in ways the user did not request or notice.

VirusTotal

1/60 vendors flagged this plugin as malicious, and 59/60 flagged it as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/sync-plugin.mjs:209
Evidence
const npmVersion = execSync('npm --version', { encoding: 'utf-8' }).trim();

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/bundle.js:2
Evidence
var u$t=Object.create;var R7=Object.defineProperty;var l$t=Object.getOwnPropertyDescriptor;var p$t=Object.getOwnPropertyNames;var d$t=Object.getPrototypeOf,m$t=...