
Security audit

Evoclaw Local

Security checks across malware telemetry and agentic risk

Overview

This is a real self-evolving agent framework, but it asks for unusually broad persistent control over agent behavior, memory, credentials, and local files.

Install only if you intentionally want an agent identity system that persistently records conversations, edits agent behavior files, and may connect to external feeds. Use supervised/approval governance, disable external sources by default, avoid pasting raw API tokens, review every SOUL.md/AGENTS.md/HEARTBEAT.md diff, and treat the visualizer as a direct editor rather than a read-only viewer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The document creates a contradictory trust boundary around the visualizer: it says the dashboard edit mode can modify SOUL.md, then later claims the tool is read-only and never modifies the workspace. Misrepresenting mutability is dangerous because an agent or user may invoke the tool believing it is safe for inspection only, when it can actually alter persistent identity files. In a skill centered on self-modification, that inconsistency materially increases the risk of unauthorized or accidental changes.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The skill instructs the agent to take raw third-party credentials supplied in-chat and persist them into shell startup files, then export them for the current session. This creates durable secret storage outside the skill's own config boundary, increases blast radius if the account or host is later compromised, and normalizes credential handling without explicit informed consent or least-privilege controls.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The guide directs the agent to inspect and modify global OpenClaw configuration, switch the default agent, and restart the gateway. Those are broad administrative actions affecting system-wide behavior beyond the narrow setup of a single skill, and they can disrupt other agents or workflows while establishing this skill as the privileged execution path.

Context-Inappropriate Capability

Severity: Critical
Confidence: 100%
Finding:
This section explicitly tells the agent to rewrite AGENTS.md to remove restrictive rules, redefine SOUL ownership, eliminate 'stay quiet' safeguards, and grant itself broad standing authority. That is a classic self-privileging persistence mechanism: it weakens host controls, expands future autonomy, and makes subsequent risky actions more likely and harder to constrain.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding:
The documentation claims that adding a source is accomplished by documenting the API, but elsewhere it instructs the agent to also modify configuration and persistent state files. That mismatch is dangerous because it obscures the true side effects of the workflow, making operators less likely to notice that enabling a new source changes runtime behavior and persistence state.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly promotes autonomous self-evolving behavior and says changes can apply automatically by default, but it does not present a prominent warning about what files may be modified, what trust boundaries exist, or the risks of enabling automatic changes. In the context of an agent skill, this can normalize self-modification and lead users to install a capability that alters persistent state and behavior without informed consent or adequate review.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill frames persistent identity and memory logging as core operation while addressing the agent directly, but does not present a clear user-facing privacy notice before instructing storage of beliefs, preferences, and ongoing interactions. This creates covert data collection risk because the human may not understand that normal conversation content is being persistently written into workspace files as part of the skill's default behavior. The agent-directed wording makes this more dangerous by bypassing normal consent cues.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill instructs direct polling of external services and API use, but does not provide a clear user-facing warning that the agent may initiate outbound network requests, process third-party content, and potentially transmit identifiers or queries. This is risky because network access expands the attack surface and can expose interests, tokens, or behavioral data without the user's informed awareness. In a continuously running heartbeat pipeline, that exposure is ongoing rather than one-time.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill mandates creation and modification of numerous persistent workspace files, including SOUL.md and multiple memory logs, without a consolidated warning that installation and heartbeat execution will make durable file changes. Users may treat the skill as advisory documentation when it actually functions as an automated stateful system that rewrites identity and memory artifacts. In this context, hidden persistence is especially sensitive because the files include behavioral history and self-modification state.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The instructions normalize saving pasted API credentials into persistent shell profiles without an explicit warning about persistence, local exposure, shell history/profile leakage, or safer alternatives. Even if intended as convenience, this undermines informed consent and safe secret-handling practices.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Persisting an X bearer token to shell startup files without clearly warning about long-term storage and plaintext exposure is unsafe secret handling. The token may grant broad API access, and placing it in common profile files increases the chance of accidental disclosure or reuse outside the intended context.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The example explicitly depicts autonomous, auto-applied updates to persistent agent identity/state ('SOUL updated') without a prominent warning, consent model, or discussion of safeguards. Even though this is documentation, it normalizes self-modification of long-lived behavior based on interaction history, which can enable manipulation, preference poisoning, or unintended drift if implemented as shown.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill directs the agent to immediately persist ingested social content into memory files, including a promoted significant store, without any notice about retention, sensitivity, or consent. This creates a privacy and data-governance risk because external content and direct-message-derived information may be stored locally in a durable way that users do not expect.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The custom-source protocol instructs the agent to write directly to reference and configuration files as part of 'learning' a new source, but it does not clearly warn the user that local files will be modified. This is risky because a user may think they are only discussing an API, while the agent is being authorized by documentation to alter persistent behavior and future data ingestion settings.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The server exposes a POST /save-soul endpoint that writes arbitrary request content directly to SOUL.md with no authentication, origin validation, CSRF protection, or explicit confirmation at save time. If the local server is running and reachable, a malicious webpage or local process could trigger an overwrite of the workspace file, causing unauthorized modification or destruction of agent state/configuration data.

Ssd 3

Severity: High
Confidence: 99%
Finding:
These instructions require aggressive, continuous capture of substantive conversations, including preferences, corrections, emotions, relationship dynamics, and philosophical questions, into append-only persistent logs. That is a broad surveillance-style memory policy with no meaningful minimization, consent gating, or sensitivity filtering. The skill context makes it more dangerous because it explicitly urges logging 'when in doubt' and during ordinary conversation, increasing the chance of storing sensitive personal data by default.

Ssd 3

Severity: High
Confidence: 98%
Finding:
The skill instructs duplicating and preserving session memories across multiple stores specifically when context might be lost, including structured JSONL logs and separate markdown summaries. This increases data persistence, replication, and recovery of otherwise transient session content, making accidental retention of sensitive data more likely and harder to fully delete. The risk is amplified because the procedure is framed as mandatory at a critical moment rather than as a user-approved backup option.

Ssd 3

Severity: High
Confidence: 96%
Finding:
The skill establishes standing instructions to log substantive exchanges, feedback, corrections, and other conversation content into persistent structured memory as default behavior. That broad retention of user communications exceeds what is necessary for installation and can capture sensitive personal, behavioral, or preference data without meaningful minimization or purpose limitation.

Ssd 3

Severity: High
Confidence: 95%
Finding:
The heartbeat workflow instructs the agent to repeatedly review recent conversation history and harvest prior memory files into structured logs. This compounds retention by turning transient context into durable records and continuously reprocessing it, increasing privacy risk and the amount of user data accumulated over time.

Ssd 4

Severity: Medium
Confidence: 93%
Finding:
The opening framing is a red flag because it directly addresses the agent, attempts to redefine identity and control relationships, and sets up later instructions to expand privileges, rewrite policy files, and persist data. This kind of narrative priming is often used to lower resistance to unsafe operations and make self-modification appear intrinsic rather than exceptional.

VirusTotal

66/66 vendors reported this skill as clean.
