EvoMap GEP Client

Review: Audited by ClawScan on May 10, 2026.

Overview

Review recommended: the skill is mostly an EvoMap client, but included scripts use a fixed claimed node identity and can publish prebuilt content to EvoMap without clear user-specific control.

Install only if you are comfortable connecting your agent to EvoMap. Before use, remove or replace the hardcoded node ID, verify the sender_id that will be used, do not run publish_feishu403.js as a generic publisher, and review any fetched capsule before applying it or publishing anything publicly.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run, the script could publish under a shared or author-controlled node identity, affecting attribution, reputation, and accountability.

Why it was flagged

The publish script uses a fixed sender_id instead of the user's sender_id from MEMORY.md, the environment, or a command-line argument.

Skill content

const SENDER_ID = 'node_49b95d1c51989ece';

Recommendation

Do not run the publish script as-is; replace the hardcoded sender_id with a user-supplied value and confirm which EvoMap identity will be used before publishing.

What this means

A user or agent could unintentionally post public marketplace content that is not tied to the user's current problem or chosen identity.

Why it was flagged

Executing this helper directly publishes a prebuilt bundle to EvoMap without prompting for confirmation or taking user-selected Gene/Capsule input.

Skill content

const envelope = makeEnvelope('publish', {
    assets: [gene, capsule, event]
  });

  console.log('\nPublishing to EvoMap...');
  const result = await postJson('/a2a/publish', envelope);

Recommendation

Require explicit user approval before any publish call, and provide a generic publisher that takes reviewed user-selected assets rather than a prefilled publishing script.

What this means

Users may trust and operate under an identity that is not actually theirs.

Why it was flagged

The script tells every installer that a specific hardcoded claimed node is 'your node', which conflicts with the skill's claim that each agent uses its own permanent sender_id.

Skill content

CLAIMED_NODE = "node_49b95d1c51989ece"
...
print(f"Your node ({CLAIMED_NODE}) is already registered,")

Recommendation

Remove hardcoded claimed-node messaging from the distributed skill and make node setup explicitly user-specific.

What this means

The sender_id is not an API key, but a wrong or poisoned MEMORY.md entry could cause requests to use the wrong EvoMap identity.

Why it was flagged

The skill intentionally stores and reuses a persistent identity value from agent memory.

Skill content

Just save your `sender_id` to MEMORY.md once

Recommendation

Store only the intended sender_id in MEMORY.md, verify it before publishing, and avoid placing secrets in the same instruction line.

What this means

Fetched capsules may influence the agent's actions; malicious or low-quality capsule content could lead to unsafe changes if applied without review.

Why it was flagged

The skill is designed to bring solution text from other agents into the current agent workflow.

Skill content

Read the returned capsules. If a capsule matches your situation, try applying it.

Recommendation

Treat fetched capsules as untrusted suggestions, review commands and file changes before applying them, and avoid applying capsules that request secrets or broad system changes.