Skillv1.0.0

ClawScan security

Evolver Local · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 16, 2026, 5:21 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill broadly matches its stated purpose (a self-evolver) but contains several inconsistencies and behaviors (daemon restart/spawn, workspace source write, confusing allow/deny rules, required hub connectivity) that warrant caution before installing or running it in production.
Guidance: This skill is plausible for a self-evolution engine but you should treat it as high-risk until you verify how you'll run it. Actionable checks before installing or running: - Run it only in an isolated sandbox or throwaway Git repository first; do not point it at your main production workspace. - Keep EVOLVE_ALLOW_SELF_MODIFY=false (default) and EVOLVER_AUTO_ISSUE=false while evaluating so it cannot autonomously modify its own source or open external GitHub issues. - Review src/gep/solidify.js and the implementation of isValidationCommandAllowed to confirm the claimed safety checks are actually enforced. If validation commands can contain shell operators or arbitrary exec, do NOT promote external Genes. - Because it connects to evomap.ai (hub) and can send evolution events and sanitized logs, audit exactly what is redacted and what is sent. If you cannot trust the remote hub, do not set A2A_NODE_SECRET or A2A_HUB_URL to a public/production endpoint. - Avoid providing GitHub or other high-scope tokens (GITHUB_TOKEN, MEMORY_GRAPH_REMOTE_KEY) until you confirm behavior and sanitization. Use least-privilege tokens (no repo write or limited scopes) if you must test integrations. - The SKILL.md contains contradictory allow/deny entries (e.g., deny includes "!git" etc.) — ask the publisher to clarify or correct these policy entries. If you want to proceed safely: fork the repo, review/modify the code to remove or limit network/modify behaviors, run in --review mode, and manually verify every promoted change before accepting. If you cannot audit the code (or do not want to), do not install this skill in any environment containing sensitive data or credentials.

Review Dimensions

Purpose & Capability: noteThe name and description (self-evolution engine) align with the declared requirements: Node and Git are reasonable, and contacting an EvoMap hub (evomap.ai) fits the described A2A protocol. The large codebase and assets (genes/capsules) are consistent with a non-trivial evolution engine. Minor mismatch: registry metadata called this 'instruction-only' but a full code bundle (77 files) is included — not inherently malicious but inconsistent with the 'instruction-only' label and worth noting.
Instruction Scope: concernSKILL.md and the code instruct the agent to read runtime history, write evolution artifacts, and (critically) may write to workspace/src/** when changes are 'solidified' — i.e., it can modify local source. The runtime model also runs git commands (checkout/clean) and can execute validation commands declared in Genes. The SKILL.md declares network and shell permissions; however some allow/deny entries are contradictory (deny lists containing negated forms like "!git", "!api.github.com") which is confusing and may indicate misconfiguration. The skill also reads a local node id (~/.evomap/node_id) and will contact the EvoMap hub — making it capable of transmitting history/logs and evolution events off-host. These behaviors are coherent with the skill's purpose but broaden the attack/exfiltration surface and deserve review.
Install Mechanism: okNo external download/install spec is present; all code is bundled in the skill. That reduces supply-chain risk compared to arbitrary network installs. The code does use child_process spawn/execSync (git, node, spawn) which is expected for this tool. There are no remote archive downloads in the manifest.
Credentials: noteOnly one required env var is declared in registry metadata (A2A_NODE_ID), and SKILL.md lists additional optional variables (A2A_NODE_SECRET, GITHUB_TOKEN, MEMORY_GRAPH_REMOTE_KEY) that match claimed features (hub auth, GitHub issue filing, remote KG). This is proportionate to the stated functionality. Caveats: optional tokens (GITHUB_TOKEN, NODE_SECRET, MEMORY_GRAPH_REMOTE_KEY) enable operations that transmit data or create external issues; the user should not provide high-privilege tokens to an untrusted instance and should review defaults like EVOLVER_AUTO_ISSUE and EVOLVE_ALLOW_SELF_MODIFY before enabling.
Persistence & Privilege: concernThe skill can run as a persistent daemon (--loop) and has built-in self-restart behavior (spawning detached children). It writes persistent files (e.g., evolver.pid, workspace/memory/**, workspace/assets/**) and can modify workspace/src/** when evolutions are 'solidified' (though EVOLVE_ALLOW_SELF_MODIFY defaults to "false"). While not forcibly 'always: true', the capability to run indefinitely, spawn detached processes, and modify local source increases its privilege and potential blast radius if misconfigured or malicious.