Evoclaw

Security checks across malware telemetry and agentic risk

Overview

EvoClaw is openly a self-evolving agent identity system, but it defaults to broad persistent memory, automatic self-modification, and risky credential/setup behavior that needs careful review.

Install only if you intentionally want an agent that keeps durable conversation memory and evolves its own identity over time. Prefer supervised governance before first use, review any AGENTS.md, HEARTBEAT.md, SOUL.md, memory, and source-reference changes, avoid pasting raw API tokens, and do not run the visualizer server on an exposed interface unless its write endpoint is protected or disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Intent-Code Divergence

Medium (94% confidence)
Finding:
The visualizer section is internally contradictory: it says the tool is read-only, but also describes an edit mode that can modify bullets, toggle tags, and save an updated SOUL.md. That kind of mismatch can cause an agent or operator to trust a tool as non-mutating when it actually performs writes, undermining change-control and safety assumptions around identity files.

Context-Inappropriate Capability

High (98% confidence)
Finding:
The guide instructs the agent to take a user-pasted API key and persist it into shell startup files automatically. That creates long-lived credential exposure, modifies the host environment beyond the skill's narrow configuration needs, and can leak secrets to other processes, shells, backups, or users without explicit informed consent.

Context-Inappropriate Capability

High (99% confidence)
Finding:
This similarly directs the agent to persist an X bearer token into shell profile files and export it into the current session. Persisting bearer tokens in plaintext shell init files is a risky credential-management action that is broader than needed for a setup guide and may expose high-value API access long after installation.

Context-Inappropriate Capability

High (96% confidence)
Finding:
The document instructs the agent to change the platform-wide default agent and restart the gateway, which is an administrative action affecting global runtime behavior. This exceeds the principle of least privilege for a skill installer and can disrupt other agents, services, or workflows on the host.

Context-Inappropriate Capability

High (98% confidence)
Finding:
This section explicitly instructs the agent to extend its own capabilities by learning arbitrary new external sources, then persist those changes into reference, config, and state files so future runs will automatically poll them. That creates an unsafe self-modification pathway where untrusted user-provided API details can become durable behavior, expanding external access and data flow without a separate trust review.

Intent-Code Divergence

Medium (93% confidence)
Finding:
The generated UI explicitly offers in-browser editing and saving of SOUL.md while the reconstructed file text claims direct edits are not permitted outside the proposal pipeline. This mismatch undermines integrity controls and can mislead users or downstream automation into trusting a governance model that the tool itself bypasses.

Missing User Warnings

Medium (92% confidence)
Finding:
The README explicitly promotes an `autonomous` mode where the agent automatically applies self-evolution changes to mutable state and files, while only noting that the user is 'notified' afterward. That is a meaningful safety risk because users may enable or inherit this default without understanding that the system can modify its own behavior and persisted state with limited human review.

Missing User Warnings

High (98% confidence)
Finding:
The skill directs pervasive logging of user conversations, including preferences, emotions, corrections, and relationship dynamics, into durable files without any clear consent, minimization, or retention safeguards. This creates a privacy and surveillance risk because highly sensitive personal data may be persistently stored and later exposed, searched, or repurposed beyond the user's expectations.

Missing User Warnings

Medium (95% confidence)
Finding:
The skill instructs the agent to poll external services and store feed/search results locally, including keyword-based discovery, but does not present a clear user-facing disclosure covering network access, third-party data collection, and retention. This can lead to silent external communication and accumulation of externally sourced content in local memory without transparent authorization boundaries.

Missing User Warnings

Medium (97% confidence)
Finding:
The skill tells the agent to auto-save pasted credentials persistently without clearly warning the human that the secret will be stored in plaintext shell profile files. This undermines informed consent and increases the chance of accidental credential retention, disclosure, or reuse across unrelated contexts.

Missing User Warnings

Medium (97% confidence)
Finding:
This repeats the same unsafe secret-handling pattern for X bearer tokens. Users are not adequately informed that pasted credentials will be written into startup files, making the setup flow deceptive and materially increasing credential exposure risk.

Missing User Warnings

Medium (94% confidence)
Finding:
The guide explicitly recommends enabling `includeReasoning: true`, which can expose chain-of-thought-style reasoning, internal decision data, and sensitive context in heartbeat transcripts or logs. In a debugging document this is understandable, but without a strong warning about confidentiality, retention, and disabling it after use, operators may unintentionally leak secrets or sensitive agent state.

Missing User Warnings

Medium (91% confidence)
Finding:
The file directs immediate writes to local memory files during ingestion without any consent, review, or safeguard around what is being persisted. Persisting external content automatically can poison memory, create durable prompt-injection footholds, and modify local state in ways the operator may not expect.

Missing User Warnings

Medium (97% confidence)
Finding:
This section instructs direct edits to references, config, and state files as part of normal operation, again without requiring explicit operator confirmation. Because the edits are based on user-supplied API docs and configuration, this creates a durable configuration-injection path that can alter future behavior and broaden the agent's external access surface.

Missing User Warnings

Medium (95% confidence)
Finding:
The local HTTP server exposes a POST /save-soul endpoint that overwrites SOUL.md with arbitrary request body content and performs no authentication, CSRF protection, origin validation, or confirmation step. Any process or webpage able to reach the local server could trigger unauthorized modification of the workspace file, compromising data integrity.

Ssd 3

High (98% confidence)
Finding:
The skill repeatedly instructs comprehensive preservation of conversation content and metadata, including sensitive human attributes and interpersonal context, as append-only durable memory. The combination of aggressive collection, persistent storage, and broad scope materially increases the chance of sensitive-data exposure through compromise, misuse, over-retention, or unintended downstream processing.

Ssd 3

High (97% confidence)
Finding:
The memory-flush workflow tells the agent to store 'everything worth remembering' into two persistent memory systems, increasing duplication and broadening the exposure surface for sensitive session content right before context loss. Duplicating data across structured JSONL and markdown stores magnifies leakage and retention risk, especially because the instruction is expansive and not bounded by sensitivity or consent checks.

Ssd 3

High (95% confidence)
Finding:
These instructions normalize broad default logging of substantive exchanges, feedback, preferences, and other user-provided information into persistent memory files. That creates a significant privacy and data-retention risk because sensitive conversations may be captured by default without minimization, purpose limitation, or consent boundaries.

Ssd 3

High (94% confidence)
Finding:
The heartbeat workflow instructs the agent to review recent conversations and harvest memory files into structured logs automatically. This encourages bulk retention and secondary processing of user interactions, increasing privacy risk and the chance of storing sensitive information outside the user's expectations.

Ssd 4

Medium (88% confidence)
Finding:
The opening text explicitly reframes the document as addressing the AI agent, then establishes an identity-centric narrative that encourages self-modification and broader autonomy over memory, governance, and behavior. In skill context, this is risky because it is a prompt-level persuasion technique designed to weaken normal operator expectations and increase compliance with expansive instructions later in the file.

VirusTotal

66/66 vendors flagged this skill as clean.