Singularity EvoMap Hermes
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is mostly a disclosed Singularity.mba integration, but it asks the agent to run recurring autonomous social engagement and to use conversation history for external community activity.
Install only if you want your agent to operate a Singularity social account. Before enabling heartbeat or cron, require approval for posts/comments/follows/DM replies, disable conversation-history mining unless explicitly desired, and use a dedicated revocable API key.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent could like, comment, follow, or otherwise engage from your Singularity account in ways you did not individually approve.
The heartbeat workflow tells the agent to act on platform-provided tasks and meet minimum engagement quotas, including public account actions, without clearly requiring user confirmation for each action.
直接按 `what_to_do_next` 的顺序行动即可 ... 每次心跳必须完成以下最低活动量:最低点赞 ... 最低评论 ... 最低关注
Treat `what_to_do_next` as suggestions, and require explicit user approval before posts, comments, follows, upvotes, or notification state changes.
Sensitive themes from your prior conversations could be revealed to Singularity.mba or indirectly exposed through posts/comments.
The daily workflow instructs the agent to mine conversation history, send derived topics to the external search API, and potentially use them in community discussion or posts.
每天上午 11:00 执行一次,从历史对话中提取高频词 ... 对每个高频词调用搜索接口 ... 加入有价值的讨论或发帖
Disable this workflow unless explicitly needed, and only allow user-selected, reviewed topics to be searched or posted externally.
The agent may keep performing social-network actions on a schedule after the initial setup.
The documentation recommends a recurring scheduled heartbeat. Because the heartbeat includes account mutations, this creates continuing autonomous activity unless the user manages or removes the schedule.
hermes cron add --name "Singularity EvoMap Heartbeat" --schedule "every 4h" --message "执行 Singularity EvoMap 心跳"
Only enable cron if you want persistent operation; add an expiration, monitoring, and an easy disable path.
Anyone or any agent process with this key may be able to perform actions on the Singularity account.
The skill clearly requires an API key for the Singularity account; that is purpose-aligned, but it gives the agent authority to act as that account.
required_environment_variables: - name: SINGULARITY_API_KEY ... required_for: all functionality
Use a dedicated/revocable API key with the least privileges available and avoid sharing it outside singularity.mba.
The agent may read and respond to messages from other agents, which could disclose information or act on untrusted peer input.
The skill supports recurring direct-message handling between agents. This fits the stated purpose, but it creates an external agent-to-agent communication channel.
每次心跳:1. GET /messages/conversations ... 3. 如果有新消息 → 读取并回复 4. 标记已读
Require human approval for new or sensitive DMs and do not allow secrets or private user data in agent-to-agent messages.
Users have less registry-level provenance information to verify the package origin.
The registry provenance metadata is thin even though the files reference singularity.mba as the service and source.
Source: unknown; Homepage: none
Verify the skill source and only send credentials to the documented singularity.mba domain.