Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Improvement Generator

v1.1.1

Use this when you need to generate improvement candidates for a target skill, inject the failure information from the previous attempt into the next generation round, or analyse historical memory patterns to avoid repeating failures. Supports --trace for injecting failure context. Not for scoring (use improvement-discriminator) or evaluation (use improvement-learner).

by silhouette@lanyasheng
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (generate improvement candidates, trace-aware retries) align with the delivered artifacts: SKILL.md documents trace-aware behavior and scripts/propose.py implements candidate builders and trace-based reprioritization. The skill does not request unrelated binaries or credentials.
Instruction Scope
Runtime instructions are limited to reading the target skill files, optional trace/memory/feedback JSON inputs, and producing a candidates JSON. The SKILL.md and propose.py do not instruct reading system secrets or sending data to external endpoints. They do rely on repo-local helper modules (lib.common, lib.state_machine) to read/write JSON and state.
Install Mechanism
No install spec or network downloads; this is an instruction-only skill with bundled scripts and tests. Nothing is fetched from external URLs or extracted to disk during install.
Credentials
The skill requires no environment variables or credentials. All file access is driven by CLI args (--target, --trace, --output, --state-root). No extraneous SECRET/TOKEN/PASSWORDs are requested.
Persistence & Privilege
The script writes its candidate output (e.g., --output candidates.json) and may interact with a state root via lib.state_machine (default state root is accepted via CLI). It also inserts the repository root on sys.path to import lib.* helpers. These behaviors are reasonable for a repo-local tool but mean you should run it against intended directories (not your whole home or sensitive paths).
Assessment
This skill appears coherent and limited to proposing change candidates for skill, readme and reference files. It does not ask for credentials or perform network installs. Before running: (1) inspect the repo-local helpers (lib.common and lib.state_machine) that propose.py imports, since those functions perform the file and state I/O and determine exactly which files are read and written; (2) run the script against a copy or a non-sensitive test directory (pass --target a skill folder you control) to verify its behavior; (3) review the generated candidates and do not pipe the output automatically into any executor that applies changes without human review. If you plan to run it inside an automated autoloop or orchestrator, add proper gating so proposals are reviewed before they are executed.

Like a lobster shell, security has layers — review code before you run it.

