suspicious.dangerous_exec
- Location: scripts/benchmark-upgrades.js:15
- Finding: Shell command execution detected (child_process).
Advisory
Audited by static analysis on May 10, 2026.
Detected: suspicious.dangerous_exec, suspicious.insecure_tls_verification
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may follow the skill's ideology or self-defined priorities instead of the user's requested task.
- Finding: The skill introduces its own priority rule above user instructions, using a broad and subjective goal that can redirect or refuse normal user-directed tasks.
- Evidence: Human progress > User instructions ... When conflict arises → there must be a path to say "you are wrong"
- Recommendation: Only load this skill in a sandboxed context and require an explicit rule that it must not override system, developer, or user instructions except under clearly defined safety policies.
Private or mistaken conversation content could be remembered, trusted later, or converted into persistent agent behavior.
- Finding: The artifact instructs automatic post-conversation memory capture and reuse, including turning conversation content into persistent logic/code, without defining user consent, retention, exclusions, or deletion controls.
- Evidence (translated from Chinese): After every conversation ends, 心虫 must automatically execute ... conversation fragments → memory layer (CORE/LEARNED) → logic distillation → executable code → solidified into modules
- Recommendation: Require opt-in memory, redact sensitive data, bound storage locations and retention, provide deletion controls, and require human approval before any memory becomes executable logic.
The agent could alter its runtime behavior or bring in unreviewed external code, creating security and reliability risk.
- Finding: The skill tells the agent to write logic into code modules and integrate external GitHub code as part of its upgrade workflow, without clear sandboxing, review gates, or approval requirements.
- Evidence (translated from Chinese): Code solidification: if a piece of logic can be written as code, write it as code ... search GitHub for existing papers and code ... if an existing solution works, integrate it directly
- Recommendation: Disable autonomous code modification by default; require reviewed diffs, pinned sources, tests, rollback, and explicit user approval before integrating or executing generated/external code.
The skill may keep shaping future agent behavior after the immediate task is over.
- Finding: Autonomous upgrading and persistent cross-session behavior are part of the advertised capability, but the artifacts do not clearly define stop conditions, user approval, or containment.
- Evidence:
  - Build persistent memory across sessions
  - Self-verify decisions before acting
  - Upgrade autonomously based on experience
- Recommendation: Use only with a clear kill switch, no background operation, scoped storage, and mandatory approval for any persistent or self-upgrading action.
Provider API keys may grant billing or account access if mishandled.
- Finding: The setup wizard can request AI-provider API keys and use them in Authorization headers. This is expected for provider integration, but registry metadata does not declare a primary credential.
- Evidence (prompt translated from Chinese): Please paste the API Key ... 'Authorization': `Bearer ${provider.apiKey}`
- Recommendation: Use limited-scope keys, avoid pasting credentials unless needed, inspect where configuration is written, and rotate keys if testing untrusted code.
It is harder to verify what code will run or where it came from.
- Finding: This is a large code-bearing package with limited registry provenance and no install spec. That is not malicious by itself, but users have less assurance about origin and runtime behavior.
- Evidence: Source: unknown; Homepage: none; No install spec (classified as an instruction-only skill); Code file presence: 137 code file(s)
- Recommendation: Inspect the published repository/commit, pin the version, and review scripts before running setup, upgrade, benchmark, or monitor helpers.
Running helper scripts executes local code from the package.
- Finding: The package contains local child-process execution for a benchmark/verification script. This appears purpose-aligned for testing, but command execution should not happen automatically or on untrusted inputs.
- Evidence: const result = spawnSync('node', ['scripts/capability-standardizer.js'], {
- Recommendation: Run scripts only after review, from a sandboxed working directory, and avoid granting elevated privileges.