v1.0.2

EvoAgentX Workflow

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:55 AM.

Analysis

The skill appears to be a straightforward EvoAgentX helper, with normal cautions around installing a third-party Python package and reviewing generated workflows before running them.

Guidance

Before installing, verify the EvoAgentX package source and use a virtual environment. If you build workflows from the examples, keep web/browser/file tools narrowly scoped, require approval for sensitive actions, and review generated Python files before running them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
pip install evoagentx ... git clone https://github.com/EvoAgentX/EvoAgentX.git

The skill instructs users to install the external EvoAgentX framework without a pinned version or hash. This is central to the skill's purpose, but it means the user must trust the external package/source.

User impact: Installing the dependency means code outside this skill package can run in the user's Python environment.
Recommendation: Install from a trusted source, preferably in a virtual environment, and pin or verify the EvoAgentX version before using it for important workflows.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
workflow = AgentWorkflow(
    tools=["web_search", "browser", "file_io"],
    auto_select=True
)

The documentation shows auto-selecting tools that can browse the web or access files. This is purpose-aligned for agent workflows, but users should notice the breadth of tool authority if they implement this pattern.

User impact: A workflow built from this pattern could choose network or file operations automatically if the user grants those tools.
Recommendation: Limit tool lists to what the workflow truly needs, require review for file/network actions, and avoid giving broad file I/O access to self-evolving workflows.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
scripts/evoagentx_cli.py
filename = f"{workflow_name.lower()}.py" ... with open(filename, 'w') as f:
        f.write(content)

The CLI generates a Python file from user-supplied workflow name and description. It does not execute the file automatically, but the generated code is intended to be reviewed and run by the user.

User impact: Using unsafe names or running the command in the wrong directory could create or overwrite local Python files.
Recommendation: Use safe workflow names, run the generator only in the intended project directory, and review generated Python files before executing them.