Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Evolution Toolkit
v1.0.0Provides tools for agent self-improvement including session handoffs, reasoning analysis, contradiction scanning, prediction logging, playbook optimization,...
⭐ 0· 65·0 current·0 all-time
byergo@ergopitrez
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (agent self-improvement: session handoffs, contradiction scanning, prediction logging, playbook optimization, Socratic questioning, coherence analysis) matches the included scripts and protocols. The repo contains CLI Node scripts that read and write a workspace and implement the advertised features. The only external capability hinted at is optional LLM usage by the skill-optimizer (README and config.example reference GEMINI_API_KEY/GOOGLE_API_KEY), which is coherent with a generate->evaluate->improve optimizer.
Instruction Scope
SKILL.md instructs the agent/operator to set EVOLUTION_TOOLKIT_WORKSPACE and run scripts that read many workspace files (memory/, guidance files, CURRENT.md, etc.) and write imprints/reports. This is consistent with its function, but the scripts scan and can aggregate large amounts of workspace content — review what they send externally. Two significant script files (skill-optimizer.js and socratic-mode.js) were present but their full contents were truncated in the material provided; if they call LLM APIs or remote endpoints they could transmit workspace data. Scripts include clear write-access checks and exit early if workspace not writable.
Install Mechanism
There is no install spec (instruction-only install). No external archives or installers are fetched by the skill metadata. The code is shipped as local scripts to be run with node; there is no automated download-from-URL step in the registry metadata. This is low-install risk, but running the included scripts will place/read files in the chosen workspace directory.
Credentials
The declared skill requires no environment variables or credentials. The README and config.example explicitly mention optional API keys (GEMINI_API_KEY, GOOGLE_API_KEY or workspace .secrets) for the skill-optimizer — that is proportionate to an optimizer that can call external LLM services. No unrelated secrets or system credentials are requested. However, if you provide an API key, expect the optimizer to use it and potentially send workspace text to the provider; confirm what data is transmitted before supplying keys.
Persistence & Privilege
always is false and the skill does not request any elevated agent/system privileges. Scripts read/write only within the EVOLUTION_TOOLKIT_WORKSPACE and perform no modifications to other skills or system-wide configs. Autonomous invocation (model invocation enabled) is default but not combined here with always:true or extra credential access.
What to consider before installing
This toolkit appears to do what it says: it reads workspace files, analyzes reasoning and consistency, logs predictions, and can optimize playbooks — and the optimizer may use an LLM API if you supply a key. Before installing or running: 1) Inspect skill-optimizer.js and socratic-mode.js for any network calls (search for fetch/http/https/request/axios/openai/gemini/googleapis or direct URLs). 2) Run the scripts first against a disposable, read-only or isolated workspace to observe behavior; many scripts check write access and will exit if workspace is not writable. 3) If you provide an API key, assume text from your workspace may be sent to that provider — only supply keys with least privilege and for accounts you control. 4) Because the package source/homepage is not provided, prefer running it locally (not enabling always:true) and review all included files for unexpected endpoints/telemetry. If you want higher assurance, provide the missing full contents of skill-optimizer.js and socratic-mode.js for review; that would likely change the confidence to high and could move the verdict to benign if no unexpected external transmission is found.Like a lobster shell, security has layers — review code before you run it.
latestvk97ff857evfgm97sjyrj54627h83g8nw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.