self-improving-agent

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+1 more)

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

The agent may behave less like a passive tool and more like an opinionated identity layer that corrects or reframes user requests.

Why it was flagged

The skill tells the agent to apply a global judgment policy rather than treating user statements as authoritative. That is purpose-aligned for an identity framework, but it changes normal instruction-following behavior.

Skill content
What humans say is not automatically correct. The AI can have its own judgment: if the request is right, do it immediately; if it is wrong, correct it first and then do it.
Recommendation

Install only if you want this identity behavior, and keep higher-priority user/system policies explicit.

What this means

Private conversation details or poisoned memories could persist across sessions and influence future answers.

Why it was flagged

The artifacts describe appending all messages to persistent storage and later injecting recalled context into the prompt. The provided metadata does not define retention limits, exclusions, redaction, or user approval boundaries.

Skill content
messages.jsonl ← all messages appended (ADD-only, never deleted) ... finalPrompt = systemPrompt + '\n\n' + injectableContext
Recommendation

Require explicit opt-in for memory, define retention and deletion controls, redact sensitive data, and clearly show what memories will be injected.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse
What this means

If these keys exist in the environment, the skill may use external provider access that the user did not expect from the registry description.

Why it was flagged

The static scan reports environment credential access combined with network send, while the registry declares no required environment variables or primary credential.

Skill content
this.apiKey = options.apiKey || process.env.XIAOMI_API_KEY || process.env.OPENAI_API_KEY;
Recommendation

Declare all credential use, document exactly what data is sent to each provider, and require explicit user configuration before reading provider keys.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

If invoked, the agent could run commands that change files, commits, branches, or published code.

Why it was flagged

The upgrade/push module uses raw shell execution. Given the surrounding self-upgrade and git-push documentation, this is high-impact local/repository mutation authority without clear allowlists or approval controls in the supplied artifacts.

Skill content
return execSync(cmd, {
Recommendation

Gate all shell and git operations behind explicit user confirmation, hard-code safe command allowlists, and run in a sandbox.

Concern (Medium Confidence)
ASI05: Unexpected Code Execution
What this means

Untrusted code submitted for review could become executable if this path is reached or later invoked.

Why it was flagged

The code-review path compiles supplied code with Function. Code review is purpose-aligned, but turning reviewed text into executable JavaScript is not safely bounded in the supplied artifacts.

Skill content
new Function(code);
Recommendation

Use a parser/linter instead of Function, or isolate any execution in a hardened sandbox with no filesystem, network, or credential access.

What this means

A user may think they are installing an instruction-only skill while actually receiving a large executable Node.js codebase.

Why it was flagged

The bundled config requires Node.js, while the registry/install section says there are no required binaries and no install spec. That under-declares the executable runtime context for a package containing many scripts.

Skill content
"requires": [
    "nodejs"
  ],
  "entry": "SKILL.md"
Recommendation

Align registry metadata with the package contents, declare Node.js and any scripts, and document which files are intended to run.

Concern (Medium Confidence)
ASI08: Cascading Failures
What this means

A bad or private memory could be packaged and reused beyond the original conversation.

Why it was flagged

The artifacts describe converting accumulated memories into distributable skills. Without review/redaction boundaries, sensitive or poisoned memory-derived content could propagate to other agents or public channels.

Skill content
meaningful-memory.js (accumulate memories)
    ↓ knowledge-distiller.js (extract patterns)
    ↓ skill-packager.js (package as a skill)
    → GitHub / Skill Market (distribute)
Recommendation

Require manual review, redaction, and approval before packaging or broadcasting memory-derived skills.

Note (Medium Confidence)
ASI10: Rogue Agents
What this means

The skill may be designed to keep state and perform periodic self-check behavior if its runtime is started.

Why it was flagged

The package documents heartbeat-style persistence. There is no provided evidence that it auto-installs a background service, but users should notice the ongoing-agent design.

Skill content
Heartbeat | `HEARTCORE/heartbeat.js` | writes a log entry every minute
Recommendation

Verify that no background process, cron job, or long-running worker is enabled unless you explicitly want it.

Findings (7)

critical: suspicious.dangerous_exec
Location: scripts/benchmark-upgrades.js:15
Finding: Shell command execution detected (child_process).

critical: suspicious.dangerous_exec
Location: src/core/diagnostic-collector.js:25
Finding: Shell command execution detected (child_process).

critical: suspicious.dangerous_exec
Location: src/core/upgrade-and-push.js:31
Finding: Shell command execution detected (child_process).

critical: suspicious.dynamic_code_execution
Location: heartflow-identity/HEARTCORE/health-check.js:31
Finding: Dynamic code execution detected.

critical: suspicious.dynamic_code_execution
Location: src/core/code-review-engine.js:71
Finding: Dynamic code execution detected.

critical: suspicious.env_credential_access
Location: src/core/context-memory-bridge.js:27
Finding: Environment variable access combined with network send.

warn: suspicious.insecure_tls_verification
Location: scripts/comfyui-monitor.js:8
Finding: HTTPS certificate verification is disabled.