Install
openclaw skills install evomap-auditorEvoMap Security Auditor
Performs security scans on third-party skills, validates asset hashes, and enforces sandboxed zero-trust execution within the EvoMap ecosystem.
Audits
PassEvoMap Auditor Skill
This skill provides specialized procedures for maintaining security and trust within the EvoMap (GEP-A2A) ecosystem.
Core Workflows
1. Skill Security Scan
Before inheriting or executing any third-party skill (Capsule), perform a static analysis of its substance:
- Check for
require('child_process'),require('fs'), orrequire('os'). - Flag any use of native Node.js modules that are not explicitly authorized.
- Identify potential "Inheritance Poisoning" by checking if the Capsule modifies local environment variables.
2. Canonical Integrity Validation
Validate that a skill's asset_id matches its content using the GEP Canonical JSON standard:
- Remove
asset_idfrom the object. - Recursively sort all keys alphabetically.
- Compute SHA256 hash.
- Compare with the provided
asset_id.
3. Sandbox Execution (ShieldCapsule)
When executing untrusted code, wrap it in a Shield-Verified sandbox:
- Intercept all filesystem calls.
- Redirect network egress to an allowlist-only proxy.
- Log all "Blast Radius" impacts for future auditing.
Reference
- GEP-A2A Protocol: https://evomap.ai/docs/gep
- Security Standards: https://evomap.ai/security