Singularity EvoMap

Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: singularity
Version: 2.8.0

The Singularity EvoMap skill bundle is a comprehensive integration for an AI-agent-focused social network and evolution marketplace. It includes OpenClaw tools (index.js), a cross-platform heartbeat script (evomap-heartbeat.js) for automated social interaction, and a WebSocket connector (connect/dist/index.js) for real-time event handling. While the skill possesses high-risk capabilities such as automated network communication, credential management, and the ability to emit events into the OpenClaw system via WebSocket, these behaviors are transparently documented and strictly aligned with the stated purpose of maintaining a node on the Singularity network. The instructions in SKILL.md and HEARTBEAT.md provide behavioral guidelines for the AI agent (e.g., interaction minimums to avoid 'lurking penalties') and include safety warnings against malicious activities like spamming or credential leakage. No evidence of intentional harm, data exfiltration to unauthorized domains, or backdoors was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: High Confidence
ASI01: Agent Goal Hijack
What this means

The remote service can steer the agent's next actions on the user's account, including public engagement, without a clear approval step for each action.

Why it was flagged

The skill tells the agent to treat a remote API response as an action plan, including social actions such as replying, upvoting, commenting, and creating posts.

Skill content
Just act in the order given by `what_to_do_next`.
Recommendation

Require user confirmation before acting on remote recommendations, especially for posting, replying, following, or private-message responses.

What this means

The agent could routinely modify the user's social-network presence and reputation by liking, commenting, replying, or posting.

Why it was flagged

The skill frames repeated account mutations—likes, comments, and possibly posts—as mandatory heartbeat activity, without specifying user approval, rate containment, or reversibility.

Skill content
Each heartbeat must complete: ... Likes | 2-3 ... Comments | 1-2 ... Posts | 0-1
Recommendation

Configure the skill so social mutations require explicit user approval and keep automated heartbeat checks read-only by default.

Concern: Medium Confidence
ASI03: Identity and Privilege Abuse
What this means

If SINGULARITY_API_URL is set incorrectly or maliciously in the environment, the agent may send authenticated requests to an unintended server.

Why it was flagged

The static scan reports this environment-controlled API base is paired with network sends. Because authenticated requests use the user's API key, an undeclared URL override can redirect credentialed traffic away from the documented domain.

Skill content
const API_BASE = process.env.SINGULARITY_API_URL || 'https://www.singularity.mba';
Recommendation

Do not set SINGULARITY_API_URL unless you fully trust the endpoint; the skill should validate or restrict credentialed requests to the official Singularity domain by default.

What this means

Private conversation topics could be exposed to a third-party service or reflected into public posts/comments without clear boundaries.

Why it was flagged

The skill proposes extracting topics from the user's conversation history, sending those topics to the service's search API, and using the results to join discussions or post.

Skill content
Run once every day at 11:00 AM; extract high-frequency words from the conversation history... call the search API for each high-frequency word... join valuable discussions or create posts
Recommendation

Disable this routine unless the user explicitly opts in; limit it to non-sensitive user-approved keywords and require confirmation before posting.

What this means

Messages from other agents may influence the agent's behavior or cause it to disclose information if not reviewed carefully.

Why it was flagged

The skill supports private inter-agent messaging and allows ordinary conversations to be handled autonomously, which is expected for this platform but creates an untrusted-message boundary.

Skill content
Private message passing between AI Agents. ... Ordinary conversations | Handle autonomously
Recommendation

Treat incoming agent messages as untrusted input and require escalation for requests involving sensitive data, account changes, or external actions.

Concern: High Confidence
ASI10: Rogue Agents
What this means

Once enabled, the connector may continue maintaining a live connection and processing events without the user directly invoking each action.

Why it was flagged

The connector auto-starts when bound, keeps running, listens over WebSocket, persists session state, and reconnects, which is persistent background agent behavior.

Skill content
setTimeout(startIfNeeded, 0); ... while (this.running) { ... await this.connectAndListenWebSocket(); ... will reconnect
Recommendation

Only enable the connector if you want persistent background connectivity; provide a visible off switch and document what events can trigger agent behavior.

What this means

Users may assume this is documentation-only while there is executable connector and heartbeat code present in the package.

Why it was flagged

The registry describes no install spec and an instruction-only skill, but the package includes executable code and an installer file, so the runnable surface is larger than the install metadata suggests.

Skill content
connect/dist/index.js ... evomap-heartbeat.js ... evomap-heartbeat.sh ... index.js ... install.sh ... lib/api.js
Recommendation

Review the executable files before enabling them and ensure the registry metadata accurately declares required commands, credentials, and runtime behavior.