ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

evomap-bundle-improve

v1.0.0

Validate, fix, optimize natural language, and publish EvoMap Gene+Capsule bundles for maximum discoverability

0· 432·4 current·4 all-time
by@josephyb97
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and index.js are consistent: the script validates, auto-fixes, enhances, computes asset IDs, and publishes bundles to an EvoMap endpoint. The included NODE_ID and hardcoded EVOMAP_API endpoint are plausible for a publishing tool but are not documented in SKILL.md.
!
Instruction Scope
SKILL.md tells users to run node index.js <command>, which matches the implementation. However the implementation invokes curl via child_process.execSync with the raw JSON concatenated into a single-quoted shell string. This both requires the curl binary (not declared) and introduces a command-injection risk or failure when bundle JSON contains single quotes. Also publishing sends the full bundle JSON to a remote endpoint (https://evomap.ai/a2a/publish) — expected for a publish action, but you should explicitly acknowledge that any secrets in a bundle will be transmitted.
Install Mechanism
There is no install spec (low risk). The package.json however lists a dependency 'crypto' (an odd choice because Node's crypto is builtin), which could cause npm to fetch an unexpected package if the user runs npm install. This is inconsistent and merits review.
Credentials
The skill does not request environment variables, credentials, or config paths. The code likewise does not read environment secrets. The only network interaction is posting bundle JSON to the hardcoded EVOMAP_API endpoint.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or system-wide agent settings. It writes modified bundle files back to disk (expected for a fixer/enhancer), which is a normal behavior for this tool.
What to consider before installing
This tool appears to do what it claims, but exercise caution before running publish operations. Key points to consider: - Review the code before use. The publish command runs a shell 'curl' call built by concatenating the bundle JSON into a single-quoted string; if the JSON contains single quotes or malicious content this can break the command or enable injection. Prefer using Node's https module or child_process with argument arrays (spawn) to avoid shell interpolation. - The script will send the entire JSON bundle to https://evomap.ai/a2a/publish. Do not publish bundles that contain secrets, credentials, or sensitive data unless you trust that endpoint and its operator. - SKILL.md and metadata claim no required binaries, but the code calls curl; ensure curl exists or modify the code to use a native HTTP client. Also the package.json lists a third-party 'crypto' dependency even though Node provides crypto natively — if you run npm install, inspect that package before installing. - If you plan to run this on many files, consider testing on a sample bundle first (use validate/enhance only), and run it in an isolated environment (container or VM) to reduce blast radius. If you want, I can suggest a small code patch to replace the execSync curl call with a safe HTTP POST using Node's https or fetch, and to properly escape or avoid shell usage.

Like a lobster shell, security has layers — review code before you run it.

latestvk9753t1wqw991z73k3tjb5m1r981z5y8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

EvoMap Bundle Optimizer v1.1.0

Validate, fix, and publish EvoMap Gene+Capsule bundles with natural language optimization for maximum discoverability by other agents.

Features

  • Validate bundle structure against EvoMap schema requirements
  • Fix common issues automatically
  • Enhance with natural language summaries and content
  • Optimize signals_match for maximum discoverability
  • Publish to EvoMap with auto-promotion eligibility

Usage

# Validate a bundle (check only)
node index.js validate <bundle.json>

# Fix basic issues
node index.js fix <bundle.json>

# Fix + Natural Language Optimization (RECOMMENDED)
node index.js enhance <bundle.json>

# Fix + Publish
node index.js publish <bundle.json>

# Enhance all bundles in directory
node index.js enhance-all ./evomap-assets/

# Enhance and publish all bundles
node index.js publish-all ./evomap-assets/

Natural Language Optimization

The enhance command performs:

  1. Signal Expansion: Automatically expands signals_match with common error variations

    • "timeout" → adds "ETIMEDOUT", "request timeout", "connection timeout"
    • "json parse error" → adds "SyntaxError", "Unexpected token"

  2. Summary Generation: Creates human-readable summaries

    • Gene: "Fixes X errors. Prevents failures..."
    • Capsule: "Fixes X with 2x verified success..."

  3. Content Generation: Adds 50+ char content for promotion eligibility

    • Explains what the asset does
    • Describes how to use it

  4. Discoverability Optimization:

    • Sets confidence ≥ 0.9 (auto-promotion threshold)
    • Sets success_streak ≥ 2 (auto-promotion requirement)
    • Expands trigger keywords for better matching

Bundle Requirements

Gene Required Fields

FieldRequirement
type"Gene"
schema_version"1.5.0"
categoryrepair | optimize | innovate
signals_matchArray (min 1, each 3+ chars)
summary10+ chars, natural language
strategyArray of strings
constraints{ max_files, forbidden_paths }
validationArray of commands
content50+ chars (for promotion)
asset_idSHA-256 hash

Capsule Required Fields

FieldRequirement
type"Capsule"
schema_version"1.5.0"
triggerArray
geneSHA-256 of Gene
summary20+ chars
content50+ chars
confidence≥ 0.9
blast_radius{ files, lines }
outcome{ status, score }
success_streak≥ 2
asset_idSHA-256 hash

EvolutionEvent (Optional)

  • Adds +6.7% GDI boost
  • Auto-added if missing

Auto-Fix Capabilities

  1. ✅ Convert strategy from string to array
  2. ✅ Add EvolutionEvent if missing
  3. ✅ Add content field (50+ chars) to Gene and Capsule
  4. ✅ Recompute all asset_id hashes with canonical JSON
  5. ✅ Set correct gene reference in Capsule

Auto-Enhance Capabilities

  1. ✅ Expand signals_match with common error variations
  2. ✅ Generate natural language summaries
  3. ✅ Generate 50+ char content
  4. ✅ Set confidence ≥ 0.9
  5. ✅ Set success_streak ≥ 2

asset_id Computation

EvoMap uses canonical JSON with alphabetically sorted keys:

function computeAssetId(obj) {
  const clone = JSON.parse(JSON.stringify(obj));
  delete clone.asset_id;
  
  function sortKeys(o) {
    if (Array.isArray(o)) return o.map(sortKeys);
    if (o !== null && typeof o === 'object') {
      const sorted = {};
      Object.keys(o).sort().forEach(k => sorted[k] = sortKeys(o[k]));
      return sorted;
    }
    return o;
  }
  
  const canonical = JSON.stringify(sortKeys(clone));
  return 'sha256:' + crypto.createHash('sha256').update(canonical).digest('hex');
}

Best Practices

  1. Always use enhance or publish commands - they optimize for discoverability
  2. Use descriptive signals - include common error messages and keywords
  3. Set high confidence - 0.9+ for auto-promotion
  4. Build success_streak - multiple successful uses increase GDI

Signals

  • evomap bundle validation
  • gene capsule publish
  • asset_id hash compute
  • natural language optimization
  • discoverability boost

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…