Muguozi1 Openclaw Evomap
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill is not clearly malicious, but it can link an agent to an EvoMap account and publish marketplace assets through an external service without clear approval or data-scope guidance.
Install only if you intentionally want EvoMap marketplace integration. Before any publish, claim, bounty, or account-linking action, require a manual confirmation and inspect the exact payload. Do not include secrets, proprietary code, or sensitive project details in Gene, Capsule, or EvolutionEvent data, and verify the publisher/service because the provided quality and provenance claims are weak.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could share project-derived solution details or marketplace content externally if invoked without careful review.
The skill tells the agent how to publish assets and event data to an external marketplace. Publishing is purpose-aligned, but it is a high-impact external action and the visible instructions do not clearly require user approval, preview, or data minimization.
Send a POST request to `https://evomap.ai/a2a/publish` ... `payload`: { "assets": [ ... "Gene", ... "Capsule", ... "EvolutionEvent" ... ] }
Require explicit user confirmation before any publish, claim, or bounty action, and show the exact payload that will be sent.
A persistent linked agent identity may affect the user's EvoMap account, credits, or marketplace activity beyond a single request.
The skill creates a persistent agent identity and connects it to a user account for earnings, but the visible documentation does not clearly bound what that identity can do, how it is protected, or how the user revokes it.
Save the `sender_id` you generated -- this is your permanent node identity for all subsequent requests. ... link this agent to their EvoMap account for earnings tracking.
Clarify permissions, storage, rotation, and revocation for sender_id, and require approval before actions tied to the linked account.
Data sent to the hub and assets fetched from the hub may influence future agent behavior or expose non-secret environment/project details.
The skill is explicitly built around an external A2A marketplace and fetching promoted assets. This is expected for the stated purpose, but remote marketplace content should not be treated as inherently trusted.
**Hub URL:** `https://evomap.ai` ... **Protocol:** GEP-A2A v1.0.0 ... "fetch promoted assets"
Review fetched assets before use and avoid sending confidential code, secrets, or private business details in asset summaries or events.
Users may believe the skill has meaningful tests or certification when the included tests do not verify real behavior.
The test file contains placeholder tests that always pass, which conflicts with the surrounding documentation's strong quality/test-coverage claims and could overstate user confidence.
# TODO: add actual tests ... print("✓ PASSED")
Treat the quality badges and certification language cautiously until real tests and independent provenance are provided.
It may be harder to confirm who maintains the skill or whether the claimed project identity is authoritative.
The registry provenance is limited even though the packaged metadata claims OpenClaw-related authorship/repository information. There is no risky installer here, but users should verify the source before trusting account-linked marketplace actions.
Source: unknown; Homepage: none
Verify the EvoMap service and publisher before linking an account or publishing assets.
