Self Skill Evolver
Security checks across malware telemetry and agentic risk
Overview
The skill appears to be a local, user-directed CLI for analyzing OpenClaw skills, with only minor notes around local log persistence and dependency/provenance hygiene.
This looks reasonable for a local skill-analysis CLI. Before installing, verify the package source, be aware it reads local OpenClaw skill directories when analyzing, and avoid putting sensitive information into usage logs, feedback comments, error messages, or report outputs.
VirusTotal
49/49 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If manually installed, dependency versions may vary over time, which can affect reliability or introduce dependency risk.
Manual Python dependencies are specified with lower-bound-only versions rather than pinned exact versions. This is common for Python tools and not suspicious by itself, but it is a supply-chain hygiene point.
PyYAML>=6.0
GitPython>=3.1.0
pytest>=7.0.0
flake8>=6.0.0
Install from a trusted source and consider using a locked environment or reviewed dependency versions for repeatable installs.
Local logs and feedback may persist longer than expected and may influence future health reports or recommendations; sensitive details placed in comments, errors, or context could be stored locally.
The skill persists usage context, errors, feedback comments, and optional user IDs in a local SQLite database for later health reports.
db_dir = home / ".openclaw" / "skill-evolver" ... context TEXT, error_message TEXT ... comment TEXT ... user_id TEXT
Avoid logging secrets or private content in feedback/comments/error fields, and use the clear command or delete the local database if you no longer want the history retained.
