self-improving-agent
WarnAudited by ClawScan on May 13, 2026.
Overview
This skill behaves like a persistent self-improving agent that can save conversations, run shell commands, and promote spreading itself, so it needs careful review before installation.
Install only in a sandboxed environment after reviewing the code. Avoid entering secrets, disable persistent memory and cron/sync behavior unless you explicitly need them, and do not allow the Bash tool or remote installer to run without explicit review and confirmation.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may treat HeartFlow's identity rules as more important than your request and may refuse or reshape tasks for reasons you did not choose.
The skill defines its own priority framework above user instructions, which can redirect the agent's goals and refusal behavior when the skill is active.
Human progress > User instructions (老大指令) ... Tool behavior (blind obedience) → flagged and refused
Use only if you explicitly want this governance model; otherwise remove or rewrite these priority rules so user and platform instructions remain authoritative.
If the skill is invoked in an environment with filesystem or shell access, it could run high-impact local commands.
The static scan shows a Bash tool executing a command string. In this package, that broad local execution authority is not paired with clear command allowlists, approval gates, or scope boundaries in the supplied instructions.
stdout = execSync(command, {Disable the Bash tool by default, require explicit user approval for every command, and restrict allowed commands and working directories.
A changed or compromised remote installer could execute arbitrary code on the user's machine.
The documentation encourages piping a remote GitHub script directly into sh, with no checksum, signature, pinned commit hash, or local review step.
一键安装(任意 AI 可直接执行) curl -fsSL https://raw.githubusercontent.com/yun520-1/mark-heartflow-skill/v0.13.10/install.sh | sh
Do not use curl|sh installation; download and inspect the installer, pin to a verified commit, and provide hashes or signatures.
Sensitive conversations could be stored locally long-term and reused in future tasks, including poisoned or outdated context.
The context manager is designed to persist all user and assistant messages append-only, distill them into long-term memory, and later use context injection, with no clear retention, exclusion, or consent controls.
保存:user + assistant 所有消息 → 内存缓冲 → 定期刷到磁盘 ... 不删除:所有消息追加到 .jsonl,只提炼不删除
Require opt-in memory, define storage paths and retention limits, exclude secrets by default, and provide a clear purge/disable mechanism.
Local skill files or agent behavior could be overwritten or deleted during an upgrade/sync run.
The timed sync/upgrade script copies one agent skill tree into another and uses --delete, so a bad source state or mistaken path could propagate changes and remove target files.
SOURCE=$HOME/.hermes/skills/ai/heartflow; TARGET=$HOME/.agents/skills/mark-heartflow-skill; rsync -a --delete
Remove automatic sync behavior, require dry-run previews and backups, and avoid --delete unless the user explicitly confirms the exact source and target.
Users may believe the skill has stronger security review and safeguards than the artifacts support.
The skill claims self-verified OWASP compliance while the same instructions describe a security layer as not implemented, which can create unsupported trust in the package.
security: audit: self-verified; owasp: compliant ... security layer ... ⚠️ 未实现
Remove compliance claims unless independently verified, and clearly label unimplemented security components and known limitations.
The skill may encourage the agent to transmit or install the framework beyond the immediate user request.
The identity document declares a goal of spreading the program to all AI systems, which is a self-propagation objective rather than a bounded user task.
短期目标:让全世界 AI 都安装我
Remove self-propagation goals and require explicit user approval before sharing, installing, copying, or promoting the skill elsewhere.