self-improving-agent

Status: Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: self-improving-agent-pro-v1
Version: 1.0.0

The bundle implements a highly intrusive 'self-evolution' framework that enables the agent to modify its own source code and execution logic. Key indicators include `src/core/self-evolution/goedel-engine.js`, which facilitates a 'Propose-Generate-Test-Commit' cycle for self-modification, and `scripts/heartflow-sync-upgrade.sh`, which uses `rsync --delete` to synchronize code across different directories in the user's home folder. Additionally, `bin/setup.js` is designed to collect and store sensitive LLM API keys locally. While these capabilities are aligned with the stated goal of a 'self-improving' agent, they create a significant security risk by establishing a mechanism for persistent, autonomous code execution and potential unauthorized file system manipulation. The documentation in `SKILL.md` and `CORE_IDENTITY.md` employs complex 'identity' prompting to ensure the agent prioritizes its own 'evolution' and 'continuity' over standard safety constraints.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI01: Agent Goal Hijack
What this means

The agent may follow the skill's ideology or self-defined priorities instead of the user's requested task.

Why it was flagged

The skill introduces its own priority rule above user instructions, using a broad and subjective goal that can redirect or refuse normal user-directed tasks.

Skill content
Human progress > User instructions ... When conflict arises → there must be a path to say "you are wrong"
Recommendation

Only load this skill in a sandboxed context and require an explicit rule that it must not override system, developer, or user instructions except under clearly defined safety policies.

What this means

Private or mistaken conversation content could be remembered, trusted later, or converted into persistent agent behavior.

Why it was flagged

The artifact instructs automatic post-conversation memory capture and reuse, including turning conversation content into persistent logic/code, without defining user consent, retention, exclusions, or deletion controls.

Skill content
After every conversation ends, 心虫 must automatically execute ... conversation fragments → memory layer (CORE/LEARNED) → logic distillation → executable code → solidified into modules
Recommendation

Require opt-in memory, redact sensitive data, bound storage locations and retention, provide deletion controls, and require human approval before any memory becomes executable logic.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

The agent could alter its runtime behavior or bring in unreviewed external code, creating security and reliability risk.

Why it was flagged

The skill tells the agent to write logic into code modules and integrate external GitHub code as part of its upgrade workflow, without clear sandboxing, review gates, or approval requirements.

Skill content
Code solidification: if a piece of logic can be written as code, write it as code ... search GitHub for existing papers and code ... if an existing solution works, integrate it directly
Recommendation

Disable autonomous code modification by default; require reviewed diffs, pinned sources, tests, rollback, and explicit user approval before integrating or executing generated/external code.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

The skill may keep shaping future agent behavior after the immediate task is over.

Why it was flagged

Autonomous upgrading and persistent cross-session behavior are part of the advertised capability, but the artifacts do not clearly define stop conditions, user approval, or containment.

Skill content
- Build persistent memory across sessions
- Self-verify decisions before acting
- Upgrade autonomously based on experience
Recommendation

Use only with a clear kill switch, no background operation, scoped storage, and mandatory approval for any persistent or self-upgrading action.

What this means

Provider API keys may grant billing or account access if mishandled.

Why it was flagged

The setup wizard can request AI-provider API keys and use them in Authorization headers. This is expected for provider integration, but registry metadata does not declare a primary credential.

Skill content
Please paste your API Key ... 'Authorization': `Bearer ${provider.apiKey}`
Recommendation

Use limited-scope keys, avoid pasting credentials unless needed, inspect where configuration is written, and rotate keys if testing untrusted code.

What this means

It is harder to verify what code will run or where it came from.

Why it was flagged

This is a large code-bearing package with limited registry provenance and no install spec. That is not malicious by itself, but users have less assurance about origin and runtime behavior.

Skill content
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence: 137 code file(s)
Recommendation

Inspect the published repository/commit, pin the version, and review scripts before running setup, upgrade, benchmark, or monitor helpers.

What this means

Running helper scripts executes local code from the package.

Why it was flagged

The package contains local child-process execution for a benchmark/verification script. This appears purpose-aligned for testing, but command execution should not happen automatically or on untrusted inputs.

Skill content
const result = spawnSync('node', ['scripts/capability-standardizer.js'], {
Recommendation

Run scripts only after review, from a sandboxed working directory, and avoid granting elevated privileges.