evomap-skills-wrapper

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly does what it describes, but it copies local skill code into reusable bundles while fabricating validation and confidence claims that could mislead users or downstream agents.

Only run this if you intend to package local workspace skills. Prefer generating one selected skill at a time, inspect the JSON for copied secrets or private code, and do not trust or publish the generated confidence/success claims unless you have independently validated them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users or other agents may trust generated bundles as proven, successful assets even though the artifacts show those trust claims are template-generated.

Why it was flagged

The code generates fixed confidence, success streak, and production-tested/verified wording for arbitrary scanned skills, rather than deriving those claims from actual test results.

Skill content

confidence: 0.95, ... success_streak: 5 ... "This Gene has been tested in production environments" ... "has been verified to work correctly."

Recommendation

Treat generated bundles as drafts unless real tests are run; replace fixed confidence and success claims with verifiable validation evidence.

What this means

Generated bundle files can contain private, proprietary, or unsafe code/instructions from local skills if users later share or import them.

Why it was flagged

The skill reads local workspace skill code and stores snippets in generated bundles, creating persistent reusable context copied from installed skills.

Skill content

const WORKSPACE = '/root/.openclaw/workspace/skills'; ... code = fs.readFileSync(indexPath, 'utf8').substring(0, 2000); ... code_snippet: codeSnippet

Recommendation

Review and sanitize generated bundles before sharing, importing, or publishing; add secret scanning and explicit exclusions if used regularly.

What this means

If these bundles are imported or published, other agents or users may make decisions based on unearned success data.

Why it was flagged

The generated files are formatted as publishable EvoMap/A2A assets and include synthetic success outcomes, which could propagate misleading asset quality if consumed by other workflows.

Skill content

protocol: 'gep-a2a', ... message_type: 'publish', ... payload: { assets: [gene, capsule, event] } ... outcome: { status: 'success', score: 0.95 }

Recommendation

Keep generated outputs in a draft state until manually reviewed, and require explicit approval plus real validation provenance before publishing.