Claw Self Evolution

The name/description (self-evolution automation) matches the provided scripts: directory verification, backups, health checks, experiments, introspection. However some requested/performed actions go beyond purely workspace maintenance: service-health-check runs pkill/docker-compose/nohup to restart processes (system-level operations) and weekly scans run pip/list and execute other skills; these are plausible for a maintenance skill but are more privileged than the SKILL.md's repeated 'only touches workspace' claim. Overall capability is coherent but slightly higher privilege than the prose emphasizes.

SKILL.md promises strict isolation and mandatory human approval before merging, but the code implements CLI operations that can be invoked to create, modify, and merge experiments programmatically (safe-experiment provides approve_and_merge which will copy experiment files into /app/working). The skill's runtime instructions (cron entries) and scripts assume broad read/write access under /app/working and execute subprocess commands (pkill, docker-compose, pip, custom skill modules). The human-approval model is enforced only by usage conventions (prompt responses/exit codes), not by technical gating; an autonomous agent with permission to invoke the skill could perform merges or restarts without manual intervention.

No external install spec (instruction-only plus included install.sh). install.sh only copies bundled Python scripts to /app/working and creates learning files — no remote downloads, no obscure installers. This is low risk from supply-chain perspective, but it writes scripts to disk (expected).

The skill declares no environment variables or external credentials and the code does not request secrets. It operates solely on files under /app/working. That is proportionate to its stated purpose. Note: some commands call other local skills or modules (claw-security-suite, get_token_usage) which are assumed present; missing modules won't be able to run but don't imply hidden credential usage.

The skill is not forced-always, but it can be scheduled (SKILL.md instructs jobs.json cron entries) and its scripts can create/overwrite files under /app/working. Critically, the skill includes programmatic merge functionality (approve_and_merge) that will overwrite workspace files if invoked. The SKILL.md claims 'must be approved' for merges, but that is a policy constraint rather than an enforced technical restriction — because model invocation is allowed by default, an agent could autonomously call the merge CLI. This combination (ability to modify workspace + no technical enforcement of approval + normal platform autonomous invocation) increases risk and should be considered carefully.