AI持续学习系统
PassAudited by VirusTotal on May 2, 2026.
Overview
Type: OpenClaw Skill Name: idle-learning Version: 1.0.0 The bundle implements an automated 'idle learning' system that fetches data from GitHub and arXiv. It exhibits several high-risk behaviors, including executing a local binary via subprocess.run (/root/.nvm/versions/node/v22.22.2/bin/mmx), accessing system-level directories outside the skill's scope (/root/.openclaw/workspace/queue), and performing external network requests to GitHub and arXiv APIs. While these capabilities are plausibly required for the stated purpose of a continuous learning agent, the use of hardcoded root paths and direct binary execution meets the threshold for a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If scheduled, the skill may run repeatedly without prompting, consuming resources and updating learning files over time.
The skill advertises recurring unattended learning behavior. The provided code does not install cron jobs, so this is a disclosed operational model rather than hidden persistence, but users should verify any scheduler they enable.
| `idle_learning` | 每小时xx:00 | 整点自动学习GitHub趋势 |
Only enable cron or background scheduling intentionally, document how to disable it, and periodically review the generated learning files.
Automatically saved notes could become stale, inaccurate, or influenced by untrusted public content if the agent later treats them as reliable memory.
The script stores fetched findings and summaries persistently. Those findings come from public GitHub/arXiv content, which is purpose-aligned but still untrusted if later reused as agent memory.
notes.insert(0, note)
notes = notes[:50] # 保留最近50条
with open(note_file, 'w') as f:
json.dump(notes, f, ensure_ascii=False, indent=2)Treat generated learning notes as unverified research notes, review them before using them as long-term memory, and avoid mixing them with sensitive personal or business memory.
Running the skill may execute the local mmx CLI and use whatever model/provider configuration is attached to it.
The skill invokes a local mmx command to summarize fetched content. This is directly related to the stated summarization purpose and does not use shell=True, but the dependency and model backend should be trusted.
subprocess.run(
['/root/.nvm/versions/node/v22.22.2/bin/mmx', 'text', 'chat',
'--model', 'abab6.5-chat', '--message', prompt, '--output', 'json'],Confirm the mmx binary path and model configuration are trusted, and be aware that summaries may be sent to the configured model backend.
The skill may fail or behave differently depending on what local packages and binaries already exist in the environment.
The registry does not declare runtime setup, while the code depends on Python modules and a hard-coded mmx binary. This is an under-declared dependency issue rather than evidence of malicious behavior.
No install spec — this is an instruction-only skill. Required binaries (all must exist): none
Before use, verify Python dependencies such as feedparser and the mmx CLI are installed from trusted sources and match the expected paths.