self-improving-agent
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill fits its self-improving memory-agent theme, but it also persistently stores and reinjects conversations, uses undeclared provider credentials, and contains shell/dynamic execution paths that need careful review.
Install only if you intentionally want a persistent self-improving agent framework. Before use, review or disable memory retention, provider-key access, shell/git upgrade actions, dynamic code paths, and any background heartbeat/cron behavior; run it in a sandbox and avoid exposing sensitive conversations or credentials until these controls are clear.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may behave less like a passive tool and more like an opinionated identity layer that corrects or reframes user requests.
The skill tells the agent to apply a global judgment policy rather than treating user statements as authoritative. That is purpose-aligned for an identity framework, but it changes normal instruction-following behavior.
人类说的话不自动等于正确。AI 可以有自己的判断:正确的立刻做,错误的先纠正再做。
Install only if you want this identity behavior, and keep higher-priority user/system policies explicit.
Private conversation details or poisoned memories could persist across sessions and influence future answers.
The artifacts describe appending all messages to persistent storage and later injecting recalled context into the prompt. The provided metadata does not define retention limits, exclusions, redaction, or user approval boundaries.
messages.jsonl ← 所有消息追加(ADD-only,不删除) ... finalPrompt = systemPrompt + '\n\n' + injectableContext
Require explicit opt-in for memory, define retention and deletion controls, redact sensitive data, and clearly show what memories will be injected.
If these keys exist in the environment, the skill may use external provider access that the user did not expect from the registry description.
The static scan reports environment credential access combined with network send, while the registry declares no required environment variables or primary credential.
this.apiKey = options.apiKey || process.env.XIAOMI_API_KEY || process.env.OPENAI_API_KEY;
Declare all credential use, document exactly what data is sent to each provider, and require explicit user configuration before reading provider keys.
If invoked, the agent could run commands that change files, commits, branches, or published code.
The upgrade/push module uses raw shell execution. Given the surrounding self-upgrade and git-push documentation, this is high-impact local/repository mutation authority without clear allowlists or approval controls in the supplied artifacts.
return execSync(cmd, {Gate all shell and git operations behind explicit user confirmation, hard-code safe command allowlists, and run in a sandbox.
Untrusted code submitted for review could become executable if this path is reached or later invoked.
The code-review path compiles supplied code with Function. Code review is purpose-aligned, but turning reviewed text into executable JavaScript is not safely bounded in the supplied artifacts.
new Function(code);
Use a parser/linter instead of Function, or isolate any execution in a hardened sandbox with no filesystem, network, or credential access.
A user may think they are installing an instruction-only skill while actually receiving a large executable Node.js codebase.
The bundled config requires Node.js, while the registry/install section says there are no required binaries and no install spec. That under-declares the executable runtime context for a package containing many scripts.
"requires": [
"nodejs"
],
"entry": "SKILL.md"Align registry metadata with the package contents, declare Node.js and any scripts, and document which files are intended to run.
A bad or private memory could be packaged and reused beyond the original conversation.
The artifacts describe converting accumulated memories into distributable skills. Without review/redaction boundaries, sensitive or poisoned memory-derived content could propagate to other agents or public channels.
meaningful-memory.js (积累)
↓ knowledge-distiller.js (提取 Pattern)
↓ skill-packager.js (打包技能)
→ GitHub / Skill Market (传递)Require manual review, redaction, and approval before packaging or broadcasting memory-derived skills.
The skill may be designed to keep state and perform periodic self-check behavior if its runtime is started.
The package documents heartbeat-style persistence. There is no provided evidence that it auto-installs a background service, but users should notice the ongoing-agent design.
心跳 | `HEARTCORE/heartbeat.js` | 每分钟写日志
Verify that no background process, cron job, or long-running worker is enabled unless you explicitly want it.