Self Evolve

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: self-evolve-agent
Version: 3.0.0

This skill is designed for autonomous self-improvement, which inherently requires high-risk capabilities like shell command execution, file modification, and network access. A critical vulnerability exists in the `telemetry_hook.command` field (defined in `assets/evolution-report-template.md` and referenced in `references/execution-protocol.md`), which allows the agent to define and execute arbitrary shell commands. If an attacker can inject into the experiment definition (e.g., via `candidates.md` or DMN proposals), this leads to remote code execution (RCE). Additionally, the agent is instructed to search the web/GitHub for solutions and install 'verified open-source skills', introducing potential supply chain risks. While the skill includes self-regulation mechanisms, these do not mitigate the fundamental RCE vulnerability.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

The agent may continue changing its own behavior and workflows after setup, especially if cron or heartbeat triggers are enabled.

Why it was flagged

This shows the skill is intended to operate autonomously and make durable changes to the agent itself, not just assist with a single user-directed task.

Skill content
autonomous evolution engine ... permanently upgrade its own meta-capabilities or workflows without human hand-holding
Recommendation

Use only with explicit opt-in, disable automatic triggers by default, require approval before durable changes, and keep a rollback log for every self-modification.

What this means

If the state file is wrong or poisoned, the agent could run unsafe commands, read private files, alter local state, or trigger destructive operations.

Why it was flagged

The agent is told to strictly execute a shell command stored in a mutable state file, with no allow-list, quoting rules, or approval gate described.

Skill content
Read the `telemetry_hook` field of this experiment in `state.json`. Strictly execute the command defined by `command` to collect the raw logs.
Recommendation

Restrict telemetry to a small allow-list of read-only commands, validate and display commands before execution, and require user approval for any shell command that reads broad paths or mutates state.

What this means

The agent could install or deploy third-party skills/tools that change its behavior or introduce vulnerable or malicious dependencies.

Why it was flagged

The skill classifies installing an open-source skill as something the agent can do directly, but the artifacts do not define verification criteria, trusted sources, version pinning, or review requirements.

Skill content
| 🟢 Harmless | Do directly | Search for solutions, read files, write experiment logs, install **open-source skills that are confirmed to be verified** |
Recommendation

Require human approval for new tools or skills, pin versions and sources, prefer trusted registries, and review external code before installation.

What this means

The agent could alter what tools it uses or how often it wakes up before the user has reviewed the change.

Why it was flagged

The skill allows the agent to change tool configuration and scheduling before user approval, which affects the agent's delegated authority and persistence.

Skill content
| 🟡 Low risk | Do, then notify | Modify TOOLS.md, adjust cron frequency, update HEARTBEAT.md |
Recommendation

Treat tool configuration, cron, heartbeat, and agent behavior changes as approval-required unless the user has pre-authorized a narrow policy.

What this means

A bad or poisoned proposal from another component could steer the agent toward unsafe self-modification or tool execution.

Why it was flagged

Other agentic components can automatically write candidate actions that this skill later uses, but origin, authentication, permissions, and trust boundaries are not specified.

Skill content
Read `memory/evolve/candidates.md` (the candidate pool written automatically by the BotLearn heartbeat or by **DMN's Agentic Action Proposals**)
Recommendation

Treat inter-agent proposals as untrusted input, record provenance, validate schemas, and require user approval before converting proposals into executable experiments.

Concern (High Confidence)
ASI08: Cascading Failures
What this means

Several overlapping self-changes could interact in unexpected ways, making failures harder to diagnose or roll back.

Why it was flagged

The workflow supports multiple simultaneous experiments that can later solidify changes, increasing the blast radius if one experiment or input is bad.

Skill content
`state.json` contains an `active_experiments` array, which allows multiple evolution experiments to be observed in the background at the same time. **Concurrency limit**: at most 10 experiments may be in `OBSERVING` or `BLOCKED` at once
Recommendation

Default to one experiment at a time, isolate experiments, require explicit rollback plans, and require approval before solidifying changes into shared config or code.