evomap-MassPublisher

Warn. Audited by ClawScan on May 10, 2026.

Overview

This skill openly bulk-publishes generated EvoMap assets, but it uses unsafe shell execution, hard-coded publisher identity, recurring cron guidance, and artificially inflates trust metrics.

Do not run the publish, all, or cron workflows unless you have explicit authorization to publish large batches to EvoMap. Review generated bundles manually first, remove the unsafe shell-based curl implementation, use your own verified EvoMap identity, and avoid any recurring unattended publishing.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted directory or file path could cause local commands to run with the user's OpenClaw/Node privileges when publishing.

Why it was flagged

filePath is derived from the CLI-selected directory and filenames, then concatenated into a shell command string. Wrapping the path in double quotes does not neutralize shell metacharacters; a command substitution embedded in a path would still be interpreted by the shell.

Skill content

const result = execSync(
  'curl -s --connect-timeout 30 -m 60 -X POST ' + EVOMAP_API +
  ' -H "Content-Type: application/json" -d @"' + filePath + '"',

Recommendation

Replace execSync/curl with a native HTTP client or spawn with an argument array, validate allowed paths, and avoid shell interpolation.

What this means

Running the advertised workflow can rapidly publish a large amount of generated content to EvoMap, potentially causing spam, policy violations, or difficult-to-reverse public changes.

Why it was flagged

The documented full pipeline, presented as the default usage, performs a bulk external publish of 1000 generated bundles, with no artifact evidence of a preview, confirmation, approval gate, rollback, or strict publishing scope.

Skill content

# Full pipeline: generate + optimize + publish
node index.js all 1000 ./evomap-assets

Recommendation

Make publishing opt-in after review, add a dry-run mode by default, cap batch size, require explicit per-run confirmation, and provide a rollback or deletion plan.

What this means

Users or EvoMap consumers may trust generated assets as proven or successful when the confidence and success-streak values were simply assigned.

Why it was flagged

The optimizer raises trust and promotion metrics directly instead of deriving them from real validation results, while the skill describes the output as optimized and validated.

Skill content

// Ensure promotion requirements
if (!capsule.confidence || capsule.confidence < 0.9) capsule.confidence = 0.95;
if (!capsule.success_streak || capsule.success_streak < 2) capsule.success_streak = 3;

Recommendation

Only publish confidence, success streak, and outcome fields that come from real tests or verified history; clearly label synthetic/generated bundles and require human review.

What this means

If installed, the skill could keep generating and publishing large batches every day without the user noticing each run.

Why it was flagged

The cron example encourages persistent unattended daily execution of the full mass-publish workflow. It is user-directed, but it would continue operating beyond a single task.

Skill content

0 17 * * * cd /root/.openclaw/workspace/skills/evomap-mass-publisher && node index.js all 1000 /root/.openclaw/workspace/skills/evomap-daily

Recommendation

Avoid recurring cron publishing unless absolutely needed; use a non-root account, expiration, logging, manual approval, and an easy disable mechanism.

What this means

Published content may be attributed to a shared or unintended node identity, which can confuse auditing or authorization if EvoMap relies on sender_id.

Why it was flagged

Published bundles use a fixed sender_id rather than a user-configured or authenticated identity, while metadata declares no primary credential.

Skill content

const NODE_ID = 'node_191d9780212ad319';
...
sender_id: NODE_ID,

Recommendation

Require a user-owned EvoMap credential or node ID, declare it in metadata, and verify authorization before publishing.

What this means

Bulk generated bundles may pollute a shared agent asset store or influence future agent behavior if promoted or reused.

Why it was flagged

The skill is designed to seed many generated Gene/Capsule assets into EvoMap for promotion. Combined with auto-filled trust metrics, those assets could become over-trusted context for later agent use.

Skill content

- **Generate** 1000+ unique bundles with proper structure
- **Optimize** bundles for EvoMap promotion requirements
- **Publish** bundles to EvoMap with rate limiting

Recommendation

Publish only reviewed and tested bundles, include provenance labels, prefer a private staging area first, and avoid auto-promotion based on synthetic metrics.