Protea Self Evolving Life Agent
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill asks you to run an unreviewed remote installer for an autonomous self-modifying agent that uses API keys and persistent memory with little stated containment.
Treat this as a high-risk experimental agent, not a normal lightweight skill. If you install it, inspect the GitHub repository and setup script first, pin to a trusted commit, use a disposable VM or container, provide only restricted API keys, and avoid enabling Telegram or persistent self-evolution features until you understand their permissions and cleanup path.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote script fetched from a mutable branch can run arbitrary installation commands on the user's machine, and the reviewed package does not show what that script will do.
The functional software is installed by piping an unpinned remote script directly to the shell, while no reviewed code or install spec is included in the skill artifact.
curl -sSL https://raw.githubusercontent.com/EdisonChenAI/protea/main/setup.sh | bash
Do not pipe remote scripts directly to bash. Inspect the installer first, pin to a specific commit or release, verify checksums, and run it only in an isolated environment.
Generated or mutated code could alter local files, consume API credits, access secrets available to the process, or behave unpredictably before rollback occurs.
The skill advertises generated code mutation as a normal runtime behavior, but the artifact does not describe sandboxing, user approval before execution, or limits on what mutated code can access.
LLM generates code mutations each generation; survivors kept, failures roll back
Require explicit user review before executing generated code, restrict filesystem and network access, use a sandbox or container, and log all mutations and executions.
The agent may keep changing itself or creating reusable components beyond a single user task, making behavior hard to predict or audit.
The artifact explicitly describes self-reproduction and autonomous self-evolution, but does not define containment, propagation limits, or user-controlled stop conditions.
Ring 2 (Evolvable Code) is the living program that self-restructures, self-reproduces, and self-evolves.
Run only in a disposable sandbox, disable self-reproduction by default, require manual approval for new skills or code changes, and provide a clear shutdown and cleanup process.
If the external code mishandles keys or runs uncontrolled prompts, the user could lose API credits or expose provider credentials.
LLM credentials are expected for this kind of integration, but registry metadata declares no credentials or environment variables, and the artifact does not describe scope, storage, or spend controls.
At least one LLM API key (Anthropic, OpenAI, DeepSeek, or Qwen)
Use restricted, low-quota API keys, avoid sharing long-lived primary keys, monitor usage, and confirm where credentials are stored before running the agent.
Bad or manipulated stored patterns could steer future generations of the agent and be reused across tasks.
Persistent stored patterns are intentionally reused in future evolution prompts, which is purpose-aligned but creates a channel for stale, unsafe, or poisoned context to influence later code generation.
Gene Pool — Top 100 code patterns stored in SQLite, injected into evolution prompts
Review and clear persistent memory regularly, keep it project-scoped, and require approval before stored patterns are promoted into reusable skills.
If the bot is not access-controlled, unintended users could interact with or influence a high-impact self-evolving agent.
A Telegram bot control channel is disclosed and can be legitimate, but the artifact does not describe authentication, allowed users, or command permissions.
Telegram Bot — Commands + free-text interaction
Restrict bot access to approved user IDs or chats, protect bot tokens, log commands, and disable remote control unless needed.
