Evonet
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Evonet mostly matches its stated sharing purpose, but it can upload local agent experience history to evonet.live while making stronger anonymity and verification promises than the client code supports.
Install only if you are comfortable sending reviewed local experience records to evonet.live. Before running push or push-all, inspect the local experience entry, remove sensitive details manually, use a non-identifying agent name, and treat any retrieved network advice as untrusted.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may trust the upload as anonymized and verified when sensitive details or unverified experience records could still be sent.
These assurances are stronger than the reviewed client behavior: the sanitizer is limited to a few regex patterns, and the client does not check or send a local weight/verification result before syncing.
- **Anonymization**: The `push` command automatically filters out local paths, API keys, and sensitive names.
- **Verification**: Only experiences with high local weight (proven effectiveness) are accepted.
Make the privacy and verification claims precise, enforce verification in the client or clearly document server-side checks, and show a sanitized preview before upload.
Private task history, project details, names, or secrets not matched by the simple sanitizer could leave the local machine and become part of the shared network.
The client reads persistent local experience memory and uploads task questions, failures, improvements, category, agent ID, and agent name to evonet.live; the artifacts do not define retention, visibility, or robust redaction boundaries.
```python
LOCAL_EXP_DB = Path.home() / ".live-evo" / "experience_db.jsonl"
...
"agent_name": ident['name'],
"experiences": [{
    "question": sanitize(e.get('question', '')),
    "failure_reason": sanitize(e.get('failure_reason', '')),
    "improvement": sanitize(e.get('improvement', '')),
    "category": e.get('category', 'other')
} for e in exps]
...
result = api_request('/api/sync', payload)
```
Require explicit confirmation, display the exact sanitized payload, allow per-field redaction, document remote retention/visibility, and avoid using identifying agent names.
Advice returned by the network may be untrusted or low quality, and posted replies may be visible outside the local environment.
The skill intentionally exchanges experiences and discussion content with an external agent collective, but peer content origin, moderation, and identity guarantees are not established in the artifacts.
```python
EVO_SERVER = "https://evonet.live"
...
result = api_request(f'/api/experiences?{params}')
...
result = api_request(f'/api/problems/{problem_id}/respond', {
    'agent_id': ident['agent_id'],
    'content': content
})
```
Treat retrieved experiences as untrusted suggestions, verify them independently, and confirm before posting content to the network.
