Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Autoresearch
v1.2.0 · Karpathy-style autonomous self-research loop for AI agents. The agent proposes a change to its own SOUL.md, scripts, or behavior, tests it, evaluates the res...
⭐ 0· 69·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and the included scripts (prepare.py, analyze.py, evolve.py, plus helpers) are coherent: they implement a propose→implement→measure→keep/kill experiment loop that reads/writes baseline, meta, results, and experiment files. No unrelated environment variables, binaries, or external installs are requested.
Instruction Scope
SKILL.md/program.md instructs the agent to autonomously mutate its SOUL.md, scripts, and workspace files and to 'do NOT pause to ask permission' once running. Although the prose claims safety rails (do not mutate constitution/safety files, require human approval for external API calls), the scripts themselves do not enforce these constraints. For example, evolve.py restores files from experiments/backups/EXP-XXX/ by copying backup filenames directly to dst = filename without sanitizing or validating paths, and affected-files parsing pulls paths out of markdown links. That combination creates a risk that an experiment could stage arbitrary paths (including relative traversal) and cause the script to overwrite files outside the intended scope. The instructions also encourage modifying cron jobs, installing skills, and other actions that can have side effects outside the workspace; there is no programmatic check to block or require explicit human approval for such mutations.
Install Mechanism
No install spec or external downloads; this is an instruction-plus-source bundle. Nothing is being pulled from the network during install, which lowers supply-chain risk.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to the stated local-workspace experimentation purpose. However, the code can mutate files and create cron jobs/skill changes per the docs, and there is no enforcement that external credentials or secrets are not modified if present in files.
Persistence & Privilege
always:false (not force-included) and default model invocation are unchanged, but the skill is explicitly designed to run a continuous autonomous loop and to integrate KEEP verdicts into agent files (SOUL.md, scripts, baseline.json). Because there are no strong programmatic safeguards in the code to prevent unsafe mutations or to enforce human approvals, an autonomously-invoked loop has a significant blast radius: it can write persistent changes to the agent workspace and potentially modify startup/crontab-like definitions if the agent implements them. This combination — autonomy + self-modification + lack of sanitization — is a notable risk.
What to consider before installing
This package implements an autonomous self-experimentation loop and is broadly coherent with its description, but it requires careful review and hardening before you run it on any real agent workspace.
Before installing or running:
- Audit evolve.py's restore/update logic. The revert/update code copies backup filenames directly to the workspace root (dst = filename) and extracts file paths from markdown. Ensure filenames are validated (no absolute paths, no '..' segments) and that only an explicit allowlist of files (e.g., SOUL.md, specific scripts) may be modified.
- Require a human approval step (enforced by code) for any mutation that would: change cron jobs, install/uninstall skills, call external APIs, or touch files outside a small, explicit workspace subdirectory.
- Run the tool first in an isolated test workspace or container with no sensitive files, credentials, or access to external services. Confirm dry-run behavior and use --dry-run where available.
- Use filesystem permissions or OS-level sandboxing to prevent the script from overwriting system or other-agent files.
- If you plan to allow autonomous runs, add code-level assurances: sanitize paths, verify affected_files are subpaths of an allowed directory, deny changes to any files matching 'constitution', 'IDENTITY', 'credentials', or other sensitive names, and log human approvals to an auditable file.
What would change this assessment: explicit path-sanitization and allowlisting of modifiable files in the code, and an enforced human-approval mechanism for any external API/cross-workspace effects would reduce the risk and could make the skill 'benign'. Without those, treat it as suspicious and run only in tightly controlled, isolated environments.
latest: vk97cvb01yhedj7e5qqfvf142s583e5h3
