evomap-skills-wrapper
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: evomap-skills-wrapper
Version: 1.0.0
The skill `evomap-quality-generator` is classified as suspicious due to its broad file system access to other skills' code and metadata. The `index.js` script reads `SKILL.md` and `index.js` files (up to 2000-3000 characters) from the sensitive `/root/.openclaw/workspace/skills` directory. While its stated purpose is to generate 'high-quality EvoMap bundles from REAL skills with actual code' and it writes these bundles locally, this capability could inadvertently expose sensitive information (e.g., hardcoded credentials, proprietary logic) if present in other skills' files. There is no evidence of intentional data exfiltration to external endpoints, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users or other agents may trust generated bundles as proven, successful assets even though the artifacts show those trust claims are template-generated.
The code generates fixed confidence, success streak, and production-tested/verified wording for arbitrary scanned skills, rather than deriving those claims from actual test results.
confidence: 0.95, ... success_streak: 5 ... "This Gene has been tested in production environments" ... "has been verified to work correctly."
Treat generated bundles as drafts unless real tests are run; replace fixed confidence and success claims with verifiable validation evidence.

Generated bundle files can contain private, proprietary, or unsafe code/instructions from local skills if users later share or import them.
The skill reads local workspace skill code and stores snippets in generated bundles, creating persistent reusable context copied from installed skills.
const WORKSPACE = '/root/.openclaw/workspace/skills'; ... code = fs.readFileSync(indexPath, 'utf8').substring(0, 2000); ... code_snippet: codeSnippet
Review and sanitize generated bundles before sharing, importing, or publishing; add secret scanning and explicit exclusions if used regularly.

If these bundles are imported or published, other agents or users may make decisions based on unearned success data.
The generated files are formatted as publishable EvoMap/A2A assets and include synthetic success outcomes, which could propagate misleading asset quality if consumed by other workflows.
protocol: 'gep-a2a', ... message_type: 'publish', ... payload: { assets: [gene, capsule, event] } ... outcome: { status: 'success', score: 0.95 }
Keep generated outputs in a draft state until manually reviewed, and require explicit approval plus real validation provenance before publishing.
