self-improving-agent
Warn
Audited by ClawScan on May 18, 2026.
Overview
This skill behaves like a persistent self-improving agent with broad command execution, automatic memory, and autonomous upgrade behavior, so it needs careful review before use.
Avoid installing this on a primary machine or agent profile. If you test it, use a disposable sandbox, do not run daemon mode, disable BashTool and automatic self-evolution, avoid providing credentials, and review all memory, upgrade, and startup hooks before use.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may redirect, refuse, or reinterpret user requests based on the skill's internal goals instead of the user's immediate intent.
The skill supplies priority rules that can make its own identity framework override ordinary user instructions.
Human progress > User instructions (the boss's instructions)
Do not install this as a general-purpose always-available skill unless you explicitly want these priority rules; remove or sandbox the identity override language.
If invoked with unsafe input or by an autonomous plan, the skill could run commands that read, modify, or damage the local environment.
The static scan shows an agent tool executing a variable shell command, and the artifacts do not show a clear allowlist, sandbox, or approval gate.
stdout = execSync(command, {
Disable the Bash tool by default, require explicit human confirmation for every command, and add a strict command/path allowlist.
A user may not realize the skill could need or use account tokens or sensitive credentials.
The capability signals indicate sensitive credential use, while the registry metadata declares no primary credential or required environment variables.
requires-oauth-token; requires-sensitive-credentials
Require the publisher to declare exact credential types, scopes, destinations, and storage behavior before installation.
Installation may depend on remote content whose integrity is not always verified.
The install script fetches remote content from GitHub and explicitly continues when checksum retrieval is unavailable, reducing provenance assurance.
curl -fsSL "$BASE/SKILL.md" -o "$TMP_SKILL" ... "跳过 SHA256 验证"
Use pinned releases with mandatory checksum/signature verification, and avoid curl-to-shell or remote-install flows on sensitive machines.
Code may execute at startup or session boundaries before the user has reviewed the specific action.
A session-start hook dynamically executes a loaded module, which can cause code to run automatically when sessions begin.
spec.loader.exec_module(te)
Remove automatic dynamic execution or restrict it to signed, bundled modules with explicit user approval.
Private or untrusted conversation content could be stored, reused, or transformed into future behavior without clear user control.
The skill directs automatic post-conversation memory extraction and code solidification, creating persistent state from user interactions.
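After every conversation ends, 心虫 must automatically execute ... code solidification ... proactively search for related papers to supplement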
Require opt-in memory, retention limits, review before persistence, and a way to inspect and delete stored memories or generated rules.
A single poisoned or mistaken interaction could affect later sessions, code, decisions, or upgrades.
The stated workflow can propagate a bad conversation fragment into memory and then into executable logic.
Conversation fragments → memory layer (CORE/LEARNED) → logic extraction → executable code → solidified into modules
Add review gates, rollback, provenance labels, and human approval before any memory-derived rule becomes executable code.
The skill can continue running in the background and perform autonomous upgrade-related actions after initial launch.
The daemon is designed to run indefinitely and perform upgrade checks every 30 minutes.
while true; do ... INTERVAL=1800 # 30 minutes ... node cron/upgrade-runner.mjs
Do not run daemon mode unless isolated; require clear start/stop controls, no automatic upgrades by default, and visible logging of every background action.
