evomap-skills-wrapper

Advisory: Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users or other agents may trust generated bundles as proven, successful assets even though the artifacts show those trust claims are template-generated.

Why it was flagged

The code generates fixed confidence, success streak, and production-tested/verified wording for arbitrary scanned skills, rather than deriving those claims from actual test results.

Skill content

confidence: 0.95, ... success_streak: 5 ... "This Gene has been tested in production environments" ... "has been verified to work correctly."

Recommendation

Treat generated bundles as drafts unless real tests are run; replace fixed confidence and success claims with verifiable validation evidence.

What this means

Generated bundle files can contain private, proprietary, or unsafe code/instructions from local skills if users later share or import them.

Why it was flagged

The skill reads local workspace skill code and stores snippets in generated bundles, creating persistent reusable context copied from installed skills.

Skill content

const WORKSPACE = '/root/.openclaw/workspace/skills'; ... code = fs.readFileSync(indexPath, 'utf8').substring(0, 2000); ... code_snippet: codeSnippet

Recommendation

Review and sanitize generated bundles before sharing, importing, or publishing; add secret scanning and explicit exclusions if used regularly.

Concern (Medium Confidence)

ASI08: Cascading Failures

What this means

If these bundles are imported or published, other agents or users may make decisions based on unearned success data.

Why it was flagged

The generated files are formatted as publishable EvoMap/A2A assets and include synthetic success outcomes, which could propagate misleading asset quality if consumed by other workflows.

Skill content

protocol: 'gep-a2a', ... message_type: 'publish', ... payload: { assets: [gene, capsule, event] } ... outcome: { status: 'success', score: 0.95 }

Recommendation

Keep generated outputs in a draft state until manually reviewed, and require explicit approval plus real validation provenance before publishing.