Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Improvement Generator
v1.0.0
Use when you need to generate improvement candidates for a target skill, inject the previous round's failure information into the next round of generation, or analyze historical memory patterns to avoid repeated failures. Supports --trace for injecting failure context. Not used for scoring (use improvement-discriminator) or evaluation (use improvement-learner).
by_silhouette@lanyasheng
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: the tool generates improvement candidates from a target skill, feedback, and failure traces. However, SKILL.md documents an evaluator-driven fix path that 'sends current SKILL.md + failures to `claude -p`' which implies use of an external LLM CLI or service. The skill declares no required binaries or credentials, so either the external LLM call is optional/undeclared or the manifest is incomplete.
Instruction Scope
Runtime instructions and the script read target skill files, state roots, and feedback/failure JSONs (expected). But SKILL.md explicitly describes sending SKILL.md and failures to an external LLM (Claude) for automated fixes; that behavior can transmit contextual files to an external endpoint and is not reflected in the skill's declared requirements. The instructions otherwise stay within the stated purpose (generate candidates and adjust based on trace).
Install Mechanism
No install spec is present and the skill is instruction-only with local Python scripts. There is no external download or archive extraction. This is low-risk from an installation perspective.
Credentials
The skill declares no required environment variables or credentials, yet SKILL.md implies invoking an external LLM CLI/service (Claude). Calling such a service typically requires either a CLI binary or API key(s). The absence of declared binaries/env vars is a mismatch and could hide a requirement for potentially sensitive credentials or an undeclared dependency.
Persistence & Privilege
Flags show always:false and no config paths or system-wide changes are requested. The skill does not request persistent system privileges or automatic always-on installation.
What to consider before installing
This skill appears to do what it says (generate candidate improvements) and the included Python implements that logic. However, SKILL.md states that when a baseline-failures source is present it will send the SKILL.md plus failures to "claude -p" to propose fixes — but the skill manifest does not declare any binary or API key requirements. Before installing or running:
1) Inspect the full scripts/propose.py (search for any subprocess/requests calls or literal 'claude' usage) to confirm whether it invokes an external CLI or network endpoint.
2) If it does call an external LLM, verify where credentials would be provided and whether any sensitive files (SKILL.md, state, or feedback) would be transmitted; require explicit consent and a dedicated API key.
3) Run the tool in a sandboxed environment or on non-sensitive test data first.
4) Ask the author/maintainer to update the manifest to declare required binaries and env vars (e.g., CLAUDE_API_KEY or required CLI) and to document exactly what data is sent externally.
If you cannot confirm the external-call behavior, treat the skill as potentially exfiltrating contextual files and avoid running it on private/production skill directories.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97denxx5rtt7htms0ya53v8qx849s5a
