Evolve

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is review-worthy because it generates candidate skills and promotes them into the active set through a local controller script that is not part of the reviewed package, with little documented scoping or approval control.

Only install this if you already know and trust the local evolvectl.sh it will run. Before using promote, manually inspect the generated skill changes, run the tests, confirm exactly which script the EVOLVECTL variable resolves to, and make sure rollback has been tested.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If it is invoked incorrectly, or if the controller does something other than what you expect, the skill could install or activate modified skills, and those changes shape the agent's behavior on every later run.

Why it was flagged

The skill explicitly describes a loop that can promote generated candidates into active skills, which can mutate the user's agent environment. The artifacts do not define approval gates, review requirements, path limits, or promotion safeguards.

Skill content

- snapshots current status
- generates candidates
- tests candidates
- promotes candidates into active skills
- supports rollback

Recommendation

Require explicit user confirmation before promotion, show diffs and test results, restrict writable locations, document rollback guarantees, and prevent autonomous promotion without user review.

What this means

Users cannot verify from this package what code will generate, test, promote, or roll back skills; if EVOLVECTL points to an unexpected path, whatever script sits there is what runs.

Why it was flagged

The main behavior is delegated to a local script that is not included in the reviewed files, and an environment variable can change which script is used. That leaves the actual high-impact implementation outside the reviewed artifact set.

Skill content

This skill delegates to a local controller script (`evolvectl.sh`).
You can override its location with `EVOLVECTL`.

Recommendation

Package or pin the controller script, declare it as a required dependency, validate the controller path or checksum, and document exactly what the controller is allowed to change.
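One way to implement both recommendations on this page (the promotion safeguards asked for under the first finding and the controller pinning asked for here), as an added example that is not code from the Evolve skill or from ClawScan: a POSIX shell wrapper that only executes the controller after resolving symlinks, confining it to an allowed directory and checking a recorded SHA-256, and that gates promotion behind a passing test run, a visible diff and a typed confirmation, taking a backup first so the promotion can be rolled back. The `~/.evolve/bin` layout, the `EVOLVE_HOME` and `EVOLVECTL_SHA256` variables, the directory-per-skill model and the literal "promote" keyword are assumptions; only `evolvectl.sh` and the `EVOLVECTL` override come from the skill.

```shell
#!/bin/sh
# Added example, not code from the Evolve skill or from ClawScan. It shows
# two controls the review asks for:
#   1. pin the controller to a known directory and SHA-256 before running it;
#   2. gate promotion behind passing tests, a visible diff and a typed
#      confirmation, taking a backup first so the promotion can be rolled back.
# The ~/.evolve/bin layout, EVOLVE_HOME, EVOLVECTL_SHA256 and the "promote"
# keyword are assumptions, not part of the skill.
set -eu

# Hex SHA-256 of a file (coreutils sha256sum, with a shasum fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# validate_controller CANDIDATE ALLOWED_DIR EXPECTED_SHA256
# Resolves symlinks first, so a link inside ALLOWED_DIR that points elsewhere
# is rejected; then requires a regular file whose digest matches the pin.
# Prints the resolved path on success so the caller runs exactly what was
# checked, not the unresolved name.
validate_controller() {
  local candidate="$1" allowed_dir="$2" expected="$3" resolved allowed actual
  resolved=$(readlink -f "$candidate") || return 1
  allowed=$(readlink -f "$allowed_dir") || return 1
  case "$resolved" in
    "$allowed"/*) ;;
    *) echo "controller $resolved is outside $allowed" >&2; return 1 ;;
  esac
  [ -f "$resolved" ] || { echo "controller $resolved is not a regular file" >&2; return 1; }
  actual=$(sha256_of "$resolved")
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $resolved" >&2; return 1; }
  printf '%s\n' "$resolved"
}

# resolve_controller: honours the EVOLVECTL override the skill documents, but
# only if the override still passes validate_controller. The pinned digest is
# read from EVOLVECTL_SHA256 (assumed to be recorded at install time).
resolve_controller() {
  local allowed_dir="${EVOLVE_HOME:-$HOME/.evolve}/bin"   # assumed layout
  validate_controller "${EVOLVECTL:-$allowed_dir/evolvectl.sh}" "$allowed_dir" \
    "${EVOLVECTL_SHA256:?digest recorded when the skill was installed}"
}

# confirm_promotion CANDIDATE_DIR ACTIVE_DIR TEST_EXIT_CODE
# Refuses when the candidate's tests failed, shows the diff the promotion
# would apply, and requires the literal word "promote" on stdin. Nothing is
# written here; the decision is kept separate from the action.
confirm_promotion() {
  local candidate="$1" active="$2" test_rc="$3" answer=""
  if [ "$test_rc" -ne 0 ]; then
    echo "refusing: candidate tests exited with status $test_rc" >&2
    return 1
  fi
  echo "Changes that promotion would apply to $active:"
  diff -ru "$active" "$candidate" || true   # diff exits 1 when trees differ
  printf 'Type "promote" to apply these changes: '
  IFS= read -r answer || true               # EOF counts as "no"
  [ "$answer" = "promote" ] || { echo "promotion cancelled" >&2; return 1; }
}

# promote_candidate CANDIDATE_DIR ACTIVE_DIR BACKUP_DIR
# Snapshots the active tree before replacing it, so rollback_promotion can
# restore exactly what was live before.
promote_candidate() {
  local candidate="$1" active="$2" backup="$3"
  rm -rf "$backup"
  cp -a "$active" "$backup"
  rm -rf "$active"
  cp -a "$candidate" "$active"
}

# rollback_promotion ACTIVE_DIR BACKUP_DIR
rollback_promotion() {
  local active="$1" backup="$2"
  [ -d "$backup" ] || { echo "no backup at $backup, cannot roll back" >&2; return 1; }
  rm -rf "$active"
  cp -a "$backup" "$active"
}
```

A driver would call `controller=$(resolve_controller)` once and then invoke `"$controller"` for every step, run the candidate's tests and capture their exit status, and only call `promote_candidate` after `confirm_promotion` returns success; keeping the backup directory outside the active tree is what makes `rollback_promotion` trustworthy after a bad promotion.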