Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill
v0.1.1Make your agent get better on its own. Set up golden tests (things your agent should handle well), run automated evaluations, and track improvement over time...
⭐ 0· 120·1 current·1 all-time
byDario Zhang@dario-github
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name and description match the included functionality (golden tests, ablation, automated evaluation). However the SKILL.md explicitly says an 'LLM API key for evaluation judging' is required but the skill metadata lists no required environment variables or primary credential — this is an inconsistency that should be clarified (what env var or secret name should hold the API key?). Python ≥3.11 is demanded in text but registry only required 'python3' (version mismatch).
Instruction Scope
The instructions show experiments that can remove files (example condition: remove ['memory/*.md']) and run automated improvement loops; that implies the tool will read, modify, and potentially delete user agent config and data files. The SKILL.md is vague about how 'targeted fix' actions are applied and what safeguards exist — vagueness grants broad discretion to modify user files. If you rely on those files, backing them up and auditing the code is important.
Install Mechanism
Install script clones https://github.com/dario-github/agent-self-evolution and runs pip install -e . — using an official GitHub URL (expected) but pip-installing remote code executes arbitrary setup code from that repo. This is a standard but inherently moderately risky install pattern; you should review the repository contents (setup.py/pyproject and package code) before running.
Credentials
The SKILL.md requires an LLM API key for evaluation, but the skill declares no required env vars or primary credential. This mismatch means the skill expects secrets but doesn't tell you which env var or secret to supply. The install script reads one optional env var (EVOLUTION_INSTALL_DIR) only. The undocumented requirement for an LLM key is disproportionate unless the skill names the expected credential variable and justifies access.
Persistence & Privilege
always:false (good) and user-invocable is normal. The install writes to ~/.agent-self-evolution by default and pip-installs the package into the environment, giving the skill persistent code on disk. Combined with instruction-level capabilities to remove or modify user files during ablation experiments, this level of persistence and write access is notable — back up your agent config and data and consider installing in an isolated environment.
What to consider before installing
Before installing: (1) Review the GitHub repository contents (setup.py/pyproject, top-level package code) to ensure there are no surprises. (2) Confirm how the LLM API key should be provided (which env var or config) — the SKILL.md mentions a key but the skill metadata does not declare one. (3) Backup any agent config, memory files, or data the tool might touch; ablation examples show it can remove files (e.g., memory/*.md). (4) Run the install in an isolated environment (virtualenv or throwaway VM/container) to limit impact of pip-installing remote code. (5) If you need to trust the project long-term, verify the maintainer and consider auditing or pinning a specific release commit rather than repeatedly cloning master.Like a lobster shell, security has layers — review code before you run it.
latestvk97fs67s22e4e6pervfahd2wes83karr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3