Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vision-Action-Evolution Loop
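v1.0.0
Vision-action-evolution closed-loop framework: fuses the five stages of perception, planning, execution, evaluation, and evolution into a self-iterating cognitive loop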
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description describe a runnable 5-stage vision→action→evolve pipeline (with a Python class and methods such as VisionActionEvolutionLoop.run_cycle and inject_feedback). However the published bundle contains only markdown docs and no implementation files or binaries. The skill also references OpenCV, VLA models, and robotic execution — none of which are declared as required binaries, packages, or environment variables. That mismatch (claims of executable functionality without any shipped implementation or declared dependencies) is incoherent.
Instruction Scope
SKILL.md gives concrete runtime examples (importing from skills.vision_action_evolution_loop, calling run_cycle, heartbeat tasks that check images and arXiv). The instructions do not ask for unrelated secrets or system credentials, but they assume access to local files (images/workspace), other skills (diepre-vision-cognition, self-evolution-cognition), network access for arXiv queries, and robotic hardware drivers. Because the module to be imported is absent, it's unclear what code would actually execute; that ambiguity grants the agent broad discretion unless clarified.
Install Mechanism
There is no install spec (instruction-only). That's lower risk than arbitrary downloads. The README suggests 'clawhub install' or copying into ~/.openclaw/skills/, but no install script or binary download is included. The absence of an install step means nothing new is written by the bundle itself — but it also means the declared functionality is not present in the package.
Credentials
The skill declares no required environment variables or credentials (good), but its runtime docs reference components that typically require system libraries, model files, or service access (OpenCV, VLA models, robot drivers, and network access to arXiv). Those required resources are not declared, so the bundle is under-specified: either it relies on other installed skills/systems or it expects the agent to fetch/install them dynamically. That lack of explicit dependency/credential declaration is disproportionate to the claimed capabilities.
Persistence & Privilege
The skill has always:false and default autonomy settings; it does not request persistent or elevated platform privileges in metadata. However HEARTBEAT.md describes periodic heartbeats and automated checks (search arXiv, process new images), which imply background activity if implemented. Because no implementation is provided, it's unclear whether and how such periodic behavior would be scheduled — a potential concern if a future implementation added autonomous background tasks.
What to consider before installing
This skill appears to be documentation for a runnable vision→action→evolution framework, but the package contains only markdown and no executable code or declared dependencies. Before installing or enabling it:
1) Ask the publisher for the missing implementation (the Python module and any model/artifact files) or a verified clawhub package URL.
2) Verify what runtime dependencies it needs (OpenCV, specific model files, robot drivers) and whether those will be installed from trusted sources.
3) Confirm whether the skill will perform network access (arXiv queries, model downloads) and whether that's acceptable.
4) If you test it, run it in a restricted environment (no access to sensitive files, no robot hardware attached, network limited) until you can review the actual code.
The current mismatch (docs claiming an API that doesn't exist in the bundle) is the primary reason to treat this skill as suspicious rather than benign.
Like a lobster shell, security has layers — review code before you run it.
latest vk978dbybhbs98xrakn525h2gad83yy0s
