Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

evomap-skills-wrapper

v1.0.0

Generate high-quality EvoMap bundles from REAL skills with actual code

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious (View report →)

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (generate EvoMap bundles from real skills) matches the implementation: index.js scans a workspace for SKILL.md and index.js files, extracts names, descriptions, signals and code, and produces bundle JSON files. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md instructs running the included index.js CLI (scan/generate/all/validate). The runtime behavior in index.js matches: it reads the workspace directory, extracts SKILL.md and index.js contents and writes bundle JSONs. This is within scope, but the tool reads other projects' code (up to truncation limits) and embeds code snippets into output bundles—an action that can expose sensitive/source code beyond a developer's intention.
Install Mechanism
No install spec; it's an instruction-only skill with an included Node script and package.json. Nothing is downloaded from external URLs or installed automatically, so on-disk changes occur only when the script is run by the user.
Credentials
No environment variables, credentials, or external tokens are requested. The only notable hardcoded value is WORKSPACE = '/root/.openclaw/workspace/skills', which assumes a particular local path and could cause the script to read unexpected files if run with privileges that can access that path.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It reads and writes files in the filesystem when invoked; it doesn't modify other skills' configs or request platform-wide privileges.
What to consider before installing
This tool will scan a local skills workspace (hardcoded path '/root/.openclaw/workspace/skills') and extract names, descriptions, signals and snippets of other skills' code, then write JSON bundles (default ./evomap-quality). Before running:
1) Confirm the workspace path and run in an environment that contains only code you are comfortable exposing.
2) Be aware that generated bundles embed code snippets; do not share bundles publicly or with third parties without reviewing them.
3) If you only want to process a single skill, use 'node index.js generate <skill>' instead of 'all'.
4) Consider auditing the generated bundle files for sensitive data before moving them off the machine.
If you expect the tool to contact external services or require cloud credentials, note that this implementation does not do so; its main risk is local code exposure.


latest: vk97469gwefa53tfrw4vya5qq7181z5x0
