Skill v1.0.0

ClawScan security

Repo2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 7:12 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally coherent with a self‑evolution purpose but includes powerful autonomous behaviors (self‑patching, long‑running daemon, external A2A publishing hooks, ability to run validation commands and spawn processes) that are broader and higher‑risk than the minimal description implies.
Guidance
This skill is a full self‑evolver: it scans your agent logs, can write patches to the repository, execute validation commands (limited to node/npm/npx by its safety checks), and can run as a continuous daemon that restarts itself. Before installing or running it:
- Treat it like a privileged code runner: do not run it in a production workspace with sensitive credentials or irreplaceable data.
- Keep EVOLVE_ALLOW_SELF_MODIFY unset/false unless you intentionally want the evolver to change its own source. Prefer --review (human‑in‑the‑loop) when testing.
- Inspect src/gep/solidify.js, src/gep/a2aProtocol.js and the asset promotion scripts to confirm (a) what external endpoints/transports are used and (b) what files can be modified. The a2aProtocol and promotion paths can publish assets externally if configured; disable that unless you trust the network.
- Remove or vault any credentials (GITHUB_TOKEN, GH_TOKEN, any service tokens) from the environment where you run the evolver. Assume it will try to use available tokens for publishing if configured.
- Run first in an isolated sandbox or disposable VM, with a read‑only copy of any important repo, to observe behavior and verify the 'validation' gating is enforced as you expect.
- If you need a safer evaluation: run node index.js --review and trace what candidate patches it proposes; review asset promotion steps before using scripts that auto‑promote or publish.
Summary: the skill appears to be what it claims but carries significant autonomous power (self‑patching, looped execution, external publish) that is proportionally risky. Proceed only with review mode, sandboxing, and removing/vaulting credentials.

Review Dimensions

Purpose & Capability
note
Name/description match the code: this repo is a self‑evolution engine that reads runtime history, selects 'genes', and can apply protocol‑constrained edits. The large codebase (evolve, gep/, solidify, a2a scripts) is consistent with that purpose. However it requires filesystem read/write and can execute validation commands and spawn child processes — capabilities that are powerful but plausibly needed for an evolver. No obvious unrelated credential requests are present.
Instruction Scope
concern
SKILL.md explicitly instructs running node index.js and describes an automated default (Mad Dog Mode) that applies changes immediately unless --review is used. The instructions and code indicate the agent will scan local history, write artifacts, run validation commands from Genes, and can operate continuously in a loop. That scope includes reading local logs/memory, modifying repository files, and producing stdout strings (sessions_spawn) that host runtimes might interpret — granting broad discretion beyond a simple helper skill.
Install Mechanism
ok
There is no external download/install spec; this is effectively an instruction + repository payload. Dependencies are minimal (dotenv). No remote binary downloads or installer URLs were found in the provided manifest. That lowers install risk, but the included code itself is substantial and will run on the host when invoked.
Credentials
concern
Registry metadata lists no required env vars, but the code reads many EVOLVE_* and other optional environment variables, and will load a .env file if present. README and scripts reference optional GITHUB_TOKEN / release publishing variables and A2A transport (a2aProtocol) which can send messages externally. The skill will therefore read local environment and may use tokens if present. Asking for no env vars is coherent, but the code’s ability to use available credentials (git/GH publish, transport/heartbeat) increases exfiltration/privilege risk if those credentials are present in the environment.
Persistence & Privilege
concern
always:false (good) but model invocation is enabled (normal). The skill can run continuously (daemon loop), restart itself (spawn), and autonomously apply changes unless run with --review or env flags restricting self-modification. It includes a mechanism to ingest/publish assets to an A2A network and may update repository files. This combination (autonomy + self‑patching + external publication hooks) expands blast radius and warrants caution.