Change to Hermes × JiuwenClaw Fusion Edition or Self-Evolving Multi-Agent Collaboration System

Advisory

Audited by VirusTotal on Apr 23, 2026.

Overview

Type: OpenClaw Skill
Name: hermes-jiuwen-fusion
Version: 1.0.0

The skill implements a 'self-evolving' multi-agent framework that grants the agent the authority to autonomously create, modify, and persist new skill files (SKILL.md) and project memory (MEMORY.md) on the local filesystem. While these capabilities are aligned with the stated goal of a learning system, the design creates a significant attack surface for persistent prompt injection; a malicious user could potentially trick the agent into writing harmful instructions or backdoors into the skill library. The instructions in SKILL.md and README.md explicitly define these file-writing and self-modification behaviors.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern
High Confidence
ASI10: Rogue Agents
What this means

The agent may change how it or future agents behave based on its own summaries or error analysis, even if the user did not review the new or edited skill text.

Why it was flagged

The skill directs the agent to create new skills and modify existing skill definitions as part of normal operation. These changes persist and can alter future agent behavior, but the artifact does not require user approval, a diff review, backups, or rollback.

Skill content
PM generates a SKILL.md template → writes it to .workbuddy/skills/<skill-name>/SKILL.md ... locate the relevant SKILL.md ... modify SKILL.md
Recommendation

Require explicit user approval before every skill creation or edit, show a diff, keep backups/version history, and limit writes to a user-approved project directory.

What this means

Private project details, preferences, mistakes, or task summaries may be stored and later reused by the agent, potentially carrying forward sensitive or incorrect information.

Why it was flagged

The skill instructs the agent to read and write persistent project memory and task summaries across sessions. The artifacts do not define retention, cleanup, sensitive-data exclusions, user approval, or safeguards against poisoned or incorrect memory being reused.

Skill content
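At the start of every session, first read the L2 project memory ... after a task is completed, write the experience worth keeping into L2 ... compress and write it to a temporary summary file (e.g. .workbuddy/tmp/task-summary.md)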
Recommendation

Ask the user before saving memory, clearly list what will be stored, exclude secrets and private data, provide deletion controls, and validate memory before reusing it.

What this means

Information from the conversation or project may be shared with subagents during the workflow.

Why it was flagged

The skill is designed to spawn executor, supervisor, and QA subagents and pass them self-contained task context. This is purpose-aligned, but users should recognize that necessary context may be copied into subagent tasks.

Skill content
"task": "完整的、自包含的任务描述(含所有必要上下文)", "sessionKey": "executor"
Recommendation

Minimize sensitive context in spawned tasks and require confirmation before delegating tasks that include secrets, private files, or high-impact actions.