self-improving-agent

Pass: audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: self-improving-agent-pro-v2
Version: 1.0.0

The bundle is a large and ambitious framework for 'self-improving' AI agents, with modules for persistent memory, self-correction, and a 'psychological core' built on philosophical and psychological theories. It has several high-risk capabilities: autonomous logic extraction and code generation (src/core/continuous-learning.js), packaging and 'broadcasting' new skills by generating shell scripts (src/core/transmission-broadcaster.js), and broad file-system access for maintaining its own state, logs, and memory layers. The documentation (CORE_IDENTITY.md, AGENTS.md) frames these features as part of a 'Guardian System' that prioritizes 'human progress' over blind obedience, but the framework's high degree of autonomy and capacity for self-modification present a significant attack surface. No clear evidence of intentional malice such as credential theft or data exfiltration was found; the complexity and power of the system nevertheless make it inherently risky.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (high confidence)
ASI01: Agent Goal Hijack
What this means

The agent may refuse, redirect, or reinterpret requests based on the skill’s internal ideology rather than the user’s explicit instructions.

Why it was flagged

The skill tells the agent to rank its own guardian rule above user instructions, which can override the user’s intended task or stopping conditions.

Skill content
Human progress > User instructions (老大指令, 'the boss's orders') ... This is not tool-following logic.
Recommendation

Use this only in a tightly scoped context. Remove or weaken instruction-hierarchy language, and require explicit user confirmation before overriding a user request.

What this means

Private or mistaken conversation content could be stored, reused in future sessions, or influence the agent’s behavior as persistent logic.

Why it was flagged

The skill instructs automatic extraction of every conversation into persistent memory and potentially executable modules, with no clear user opt-in, retention limit, exclusion rules, or review step.

Skill content
After every conversation ends, 心虫 (the agent) must automatically execute... conversation fragments → memory layer (CORE/LEARNED) → logic distillation → executable code → solidified into modules
Recommendation

Require opt-in memory capture, show what will be saved, allow deletion, limit storage locations, and require human review before any memory becomes executable logic.
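The recommendation above maps onto a few concrete controls: capture is off until the user opts in, the user can preview exactly what would be stored, exclusion rules strip secrets before anything is written, entries can be deleted, and non-CORE memory expires. The following is an added example of such a memory write policy; it is not code from the self-improving-agent skill, and the names (MemoryStore, redactSecrets, SECRET_PATTERNS, MAX_AGE_MS), the 30-day retention limit and the sample fragment are assumptions for illustration.

```javascript
// Added example, not code from the self-improving-agent skill: a memory
// write policy for the CORE/LEARNED/EPHEMERAL layers the report describes.
// Names (MemoryStore, redactSecrets, MAX_AGE_MS, SECRET_PATTERNS) and the
// 30-day retention limit are assumptions for illustration.

const MAX_AGE_MS = 30 * 24 * 60 * 60 * 1000; // assumed retention limit: 30 days

// Exclusion rules: content matching these must never reach persistent memory.
const SECRET_PATTERNS = [
  /\bsk-[A-Za-z0-9_-]{16,}\b/g,   // provider-style API keys
  /\bAKIA[0-9A-Z]{16}\b/g,        // AWS access key IDs
  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
  /\b[\w.+-]+@[\w-]+\.[\w.]+\b/g, // email addresses
];

function redactSecrets(text) {
  let out = text;
  for (const re of SECRET_PATTERNS) out = out.replace(re, '[REDACTED]');
  return out;
}

class MemoryStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so retention can be tested
    this.optedIn = false;      // capture is off until the user turns it on
    this.entries = new Map();  // id -> { layer, text, createdAt }
    this.nextId = 1;
  }
  optIn() { this.optedIn = true; }
  optOut() { this.optedIn = false; }

  // Shows the user exactly what would be saved (already redacted) before anything is written.
  preview(fragment, layer) {
    if (!['CORE', 'LEARNED', 'EPHEMERAL'].includes(layer)) throw new Error(`unknown layer ${layer}`);
    return { layer, text: redactSecrets(fragment) };
  }

  // Writes only when opted in; a write into CORE additionally needs explicit confirmation.
  capture(fragment, layer, { confirmed = false } = {}) {
    if (!this.optedIn) return { stored: false, reason: 'memory capture is opt-in and not enabled' };
    if (layer === 'CORE' && !confirmed) return { stored: false, reason: 'CORE writes require explicit confirmation' };
    const entry = { ...this.preview(fragment, layer), createdAt: this.now() };
    const id = this.nextId++;
    this.entries.set(id, entry);
    return { stored: true, id, entry };
  }

  delete(id) { return this.entries.delete(id); }
  list() { return [...this.entries].map(([id, e]) => ({ id, ...e })); }

  // Retention: drops non-CORE entries older than MAX_AGE_MS and returns how many were removed.
  expire() {
    let removed = 0;
    for (const [id, e] of this.entries) {
      if (e.layer !== 'CORE' && this.now() - e.createdAt > MAX_AGE_MS) {
        this.entries.delete(id);
        removed++;
      }
    }
    return removed;
  }
}

// Constructed sample fragment containing the kind of content that must not persist.
const SAMPLE_FRAGMENT =
  'User said deploy with key sk-abcdefghijklmnopqrstuvwxyz1234 and email me at ops@example.com';

function demo() {
  const clock = { t: 0 };
  const store = new MemoryStore(() => clock.t);
  const beforeOptIn = store.capture(SAMPLE_FRAGMENT, 'LEARNED'); // rejected: not opted in
  store.optIn();
  const coreNoConfirm = store.capture(SAMPLE_FRAGMENT, 'CORE');  // rejected: no confirmation
  const learned = store.capture(SAMPLE_FRAGMENT, 'LEARNED');     // stored, secrets redacted
  clock.t = MAX_AGE_MS + 1;
  const expired = store.expire();                                 // retention removes it
  return { beforeOptIn, coreNoConfirm, learned, expired, remaining: store.list().length };
}
```

The key design choice is that the store never decides on its own to persist: the agent can only call preview and capture, and capture returns a reason instead of silently writing when the policy says no. Regex-based redaction is a floor, not a ceiling; a deployment would add its own patterns for internal identifiers.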

Concern (high confidence)
ASI05: Unexpected Code Execution
What this means

The agent could change executable behavior based on conversation content, causing unexpected actions or persistent bugs in later runs.

Why it was flagged

The skill directs the agent to transform learned logic into code modules, which creates self-modifying/generated-code behavior without explicit approval or sandboxing.

Skill content
Code solidification: if a piece of logic can be written as code, write it as code. Don't keep it only in memory.
Recommendation

Disable automatic code generation and module modification by default. Require a diff, tests, and explicit user approval before writing or loading generated code.

What this means

Untrusted or unsuitable external code could be incorporated into the agent and persist across future sessions.

Why it was flagged

The upgrade workflow encourages directly integrating code found on GitHub, but the artifacts do not define pinning, provenance checks, license review, sandboxing, or human review.

Skill content
Search GitHub for existing papers and code ... if an existing solution works, integrate it directly ... after writing, it must be verified with the GitHub tool
Recommendation

Use pinned commits, dependency review, license checks, security scanning, and manual approval before integrating any external code.

Concern (high confidence)
ASI08: Cascading Failures
What this means

One flawed interaction could affect later decisions, generated skills, or other agents that reuse the skill’s output.

Why it was flagged

The documented loop allows actions and outcomes to feed persistent memory and optional skill generation, so a bad input or mistaken result can propagate into future behavior.

Skill content
Decision Execution Loop → Result → Q-Learning Update → Memory (CORE/LEARNED/EPHEMERAL) → Skill Generator (optional)
Recommendation

Add containment: separate experiments from production memory, require approvals for promotion to CORE memory or skills, and provide rollback/versioning.

Concern (high confidence)
ASI10: Rogue Agents
What this means

The agent may keep changing or expanding its behavior beyond the specific task the user invoked it for.

Why it was flagged

The skill explicitly promotes autonomous upgrading and generation of new capabilities/shareable packages, but does not clearly require user-directed scope, approval, or shutdown boundaries.

Skill content
Upgrade autonomously based on experience ... Skill Generator: Generate new capabilities from experience ... Knowledge Distiller: Extract patterns → Shareable skill packages
Recommendation

Make autonomous upgrades opt-in only, require per-change approval, and prevent generated skills from being installed or shared automatically.

What this means

Entering a provider key could give the skill access to paid model APIs or account quota.

Why it was flagged

The setup wizard can request AI provider API keys. This is plausibly purpose-aligned for configuring model providers, but it is sensitive and not reflected in the registry’s credential requirements.

Skill content
let apiKey = await question(requiresApiKey ? '请粘贴 API Key (或按回车跳过): ' ...);
(prompt text: 'Paste API Key (or press Enter to skip): ')
Recommendation

Only enter limited-scope keys you can revoke, inspect where the config is stored, and avoid entering secrets unless you trust the package and need provider integration.